Check out the Wiki link. It can vary by state; here's part of it:
Compliance with PCI DSS is not required by federal law in the United States. However, the laws of some U.S. states either refer to PCI DSS directly, or make equivalent provisions.
In 2007, Minnesota enacted a law prohibiting the retention of payment card data.
In 2009, Nevada incorporated the standard into state law, requiring compliance of merchants doing business in that state with the current PCI DSS, and shielding compliant entities from liability.
In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, entities are not required to be compliant with PCI DSS, but compliant entities are shielded from liability in the event of a data breach.