A wide-ranging data security law in New York State places several important expectations on payment providers, regardless of where they are based, and opens such companies to potential investigatory scrutiny from one of the most aggressive state attorney general’s offices in the U.S.