Monday, May 19, 2008
Following is a special report submitted exclusively to The Green Sheet by Ross Federgreen, founder of CSRSI, The Payment Advisors:
I have read a number of recent articles in The Green Sheet on the Fair and Accurate Credit Transaction Act of 2003 (FACTA). Although the articles provide accurate information, I believe additional clarifications are needed, and further serious questions and issues must be raised.
Also, the Credit and Debit Card Receipt Clarification Act of 2007, HR 4008, passed May 14, 2008, in the U.S. House of Representatives. This will have a material effect on all of these discussions if it is enacted into law. I will discuss this legislation, but first some important background to frame the conversation.
Several commentators have mentioned that FACTA was promulgated before the Payment Card Industry (PCI) Data Security Standard (DSS) version 1.0 was released. Although this is true, many of the basic tenets that are espoused in PCI DSS version 1.0 were obtained from the prior controlling documents:
The important point here is the PCI DSS states clearly that federal law takes precedence over the PCI DSS.
In addition, there has been a strong emphasis on cardholder primary account number (PAN) data, and the expiration date issue has been lost in the noise. In fact, a number of lawsuits have turned on the expiration date and not on the PAN.
Here are some salient points concerning the PCI DSS version 1.1; FACTA; and the Fair Credit Reporting Act of 1970 (FCRA), including its subsequent amendments and modifications (the FCRA regulates the collection, dissemination and use of consumer credit information):
Of immediate importance is that the House, by a vote of 407 to 0, passed HR 4008. If this becomes law, it will bar plaintiffs from filing claims against merchants who properly truncate card numbers on receipts but fail to eliminate the printing of card expiration dates.
Plaintiffs alleging willful breaches of the relevant FACTA provision are eligible for statutory damages, even in the absence of actual damages. FACTA prohibits anyone accepting credit and debit cards as means of payment from printing more than the last five digits of a card number or the card's expiration date on an electronic receipt.
The bill would apply retroactively to when FACTA took effect in 2004 for all claims based on merchant failures to exclude card expiration dates from customer receipts. The bill would not affect the ability of consumers who allege actual harm – identity theft or credit card fraud, for example – to file individual claims under FACTA's negligence provision.
HR 4008 still must be passed by the U.S. Senate and signed by the President to become the law of the land. The clear sentiment is for passage.
What can we conclude from this? No merchant should, under any circumstances, "print" more than the last five digits of the PAN or "print" the expiration date of a credit or debit card on a cardholder receipt. To do so means risking a federal lawsuit, which may be amalgamated into a class action under the Federal Rules of Civil Procedure.
Compliance with the PCI DSS helps here, since the standard requires not only its own controls but also compliance with all pertinent law. Note, though, that the standard's own display rule (PCI DSS version 1.1, Requirement 3.3, permits the first six and last four digits of the PAN to be displayed) is looser than FACTA's receipt rule; as stated above, the federal rule takes precedence, so the receipt must follow the tighter limit.
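As an added example (not from the article or The Green Sheet), the following Python checker scans printed receipt text for the two defects discussed above: a PAN printed in full or with more than its last five digits, and a printed expiration date. It also shows how a PAN should be rendered for the receipt. The receipt layouts, the regular expressions for mask characters and dates, the Luhn test used to recognise a full PAN, and the test card number 4111 1111 1111 1111 are all constructed assumptions for illustration, not anything the law or the PCI DSS prescribes.

```python
"""Receipt truncation checker: added example, not from the article.

Flags the defects discussed above on a printed receipt:
  * a full (Luhn-valid, 13-19 digit) PAN,
  * a masked PAN that still shows more than the last five digits,
  * an expiration date (MM/YY or MM/YYYY).
The receipt layouts and the PAN 4111 1111 1111 1111 are constructed test data.
"""
import re

MAX_PAN_DIGITS = 5  # FACTA: no more than the last five digits of the card number

# A maximal run of digits, allowing single spaces or dashes between groups.
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")
# Mask characters followed by whatever digits were left in clear (assumed layout).
_MASKED = re.compile(r"[*xX#]{4,}[ -]*((?:\d[ -]?)*\d)")
# MM/YY or MM/YYYY, optionally labelled EXP; a following "/" means it is a
# calendar date such as 05/19/2008 rather than an expiration date.
_EXPIRY = re.compile(
    r"\b(?:EXP(?:IRES|IRY|\.)?\s*:?\s*)?(0[1-9]|1[0-2])/(\d{4}|\d{2})\b(?!/)", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; a 13-19 digit run that passes is treated as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = MAX_PAN_DIGITS) -> str:
    """Render a PAN the way a receipt may print it: only the last `keep` digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def _first_pan(digits: str):
    """Return the first Luhn-valid 13-19 digit window in a digit run, or None."""
    for n in range(19, 12, -1):
        for i in range(len(digits) - n + 1):
            if luhn_ok(digits[i:i + n]):
                return digits[i:i + n]
    return None


def check_receipt(text: str) -> list:
    """Return (line number, issue, detail) for each receipt defect found.

    Full PANs are reported masked so the checker's own output is safe to log.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for run in _DIGIT_RUN.finditer(line):
            pan = _first_pan(re.sub(r"\D", "", run.group()))
            if pan:
                findings.append((lineno, "full PAN printed", mask_pan(pan)))
        for m in _MASKED.finditer(line):
            shown = len(re.sub(r"\D", "", m.group(1)))
            if shown > MAX_PAN_DIGITS:
                findings.append((lineno, "too many PAN digits printed",
                                 f"{shown} shown, max {MAX_PAN_DIGITS}"))
        if _EXPIRY.search(line):
            findings.append((lineno, "expiration date printed", "MM/YY"))
    return findings


# Constructed receipts: the first two break the rule, the third is compliant.
BAD_FULL_PAN = ("ACME MART   05/19/2008 10:32\nVISA  4111 1111 1111 1111\n"
                "EXP 12/10\nAUTH 123456\nTOTAL $42.17\n")
BAD_PARTIAL = ("ACME MART   05/19/2008 10:32\nVISA  XXXX-XXXX-1111-1111\n"
               "AUTH 123456\nTOTAL $42.17\n")
GOOD = ("ACME MART   05/19/2008 10:32\nVISA  ***********11111\n"
        "AUTH 123456\nTOTAL $42.17\n")

if __name__ == "__main__":
    for name, receipt in (("full PAN", BAD_FULL_PAN), ("partial", BAD_PARTIAL),
                          ("compliant", GOOD)):
        print(name, check_receipt(receipt) or "OK")
```

The six-digit authorisation code and the transaction date on the sample receipts are deliberately left in place: the checker keys on mask characters and on a Luhn-valid run of 13 to 19 digits rather than on any digit run longer than five, so ordinary receipt fields do not trigger it, and it never writes a full PAN to its own findings.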
Finally, one must ask, "What about knuckle busters?"
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.