<P> Issuing banks are not required to go through PCI DSS validation although they still have to secure the sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit. </P> <P> In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines. </P> <P> Compliance with PCI DSS is not required by federal law in the United States. However, the laws of some U.S. states either refer to PCI DSS directly, or make equivalent provisions. </P> <P> In 2007, Minnesota enacted a law prohibiting the retention of payment card data. </P>

How pci dss is a standard and not a law
find me the text answering this question