By David Mertz
Compliance Security Partners LLC
The focus of my contributions to The Green Sheet is regulatory and industry requirements for protection of confidential data. Previously I discussed the roles assumed in this regard by the Federal Trade Commission and the Gramm-Leach-Bliley Act (GLBA). The FTC demands protection of personal identity information; GLBA enforces protection of cardholder transaction data.
Before we delve further into the federal regulatory landscape, let's reexamine what is meant by personal identity information (PII) and protected health care information (PHI).
PII includes any combination of a person's name and the following data:
Phone numbers and e-mail addresses are excluded from this list because of their presence in the public domain, although some federal and state legislation include one or both in their definition of PII.
In addition, the following two subsets are considered PII:
PHI includes any combination of a person's name or other identifiable information - such as PII data - and health care records. This includes any type of medical treatment, diagnosis or equipment that has been prescribed for, or purchased or received by the individual.
Passed by Congress in 2003, the Fair and Accurate Credit Transactions Act (FACTA) was designed to assist consumers in protecting themselves from identity theft. The act is far reaching legislation, and several sections impact ISOs.
The section that has caught the attention of ISOs restricts the full disclosure of cardholder data on printed receipts. (For more information, see "Receipts still reveal too much," by David Mertz, The Green Sheet, Dec. 26, 2007, issue 07:12:02.) Fines range up to $1,000 per receipt plus attorney's fees. No actual harm (for example, identity theft) needs to be documented for the merchant to be liable for the fines allowed under FACTA.
Second only to the credit card numbers on receipts is another FACTA provision that impacts ISOs. GLBA does not affect the information that appears on applications provided by the merchant for the purposes of obtaining a merchant account, but FACTA does.
The information contained on the application, whether provided by a company or an individual, or for business and consumer purposes, is covered under FACTA.
The FTC, empowered under FACTA to implement this legislation, relied on the definitions of creditor and financial institutions declared in the GLBA.
These descriptions are expansive. As a result, entities that receive applications for merchant accounts - even if those applications are received on behalf of another entity - are covered under FACTA.
For an example outside of the payments industry, car dealers are not lending institutions, but they collect applications on behalf of consumers to submit to lending institutions. Under the GLBA, car dealers are considered financial institutions and are required to be FACTA compliant.
While GLBA only applies to consumer activity, the FTC has determined both business and consumer activity are included in the intent of FACTA. And, as a result, any PII data on the merchant application is considered confidential - including a merchant tax identification number.
Under FACTA, any application for a merchant account containing PII from a consumer or a business - this includes the business tax identification number - that is received by any entity is considered confidential.
ISOs and MLSs should take reasonable and appropriate steps to protect the data contained in any form (electronic, paper, removable media, fixed media and so forth) on merchant applications in their possession. These include creation of an identity theft protection program that meets the following guidelines:
Also, ISOs and MLSs should implement a monitoring program and provide reports on the effectiveness of the program to protect data and monitor for attempted identity theft to the ISO's executive management. If the ISO is publicly traded, this will include its board of directors. For private firms, this would apply to the organization's officers.
Failure to truncate card numbers on receipts can result in fines and penalties up to $1,000 per receipt plus court costs and attorney's fees. But there are two important issues ISOs and merchants need to be aware of:
Some courts have been reticent to move forward with class action lawsuits based on FACTA because of the size of the fines involved and the lack of proven harm to the consumer. A lawsuit could easily contain hundreds or thousands of consumers in a class.
Multiplying the class by $1,000 per member transaction could potentially force a merchant out of business or into bankruptcy. However, some class action suits are currently active and moving through the legal process. Other penalties include the ability for consumers or businesses to bring action against an offending organization for actual damages, court costs and attorney fees. If willful misconduct is found, then punitive damages may also be awarded to the consumer or business by the court.
ISOs and MLSs should review with their merchants the regulations and acts put into place to protect consumer information. Too many penalty factors - fines, lawsuits or losing a business - could damage everyone involved. Plus, having a reputation of not following data regulations won't attract merchants.
David Mertz is the founding partner of Compliance Security Partners LLC. He has spent the last four years working with merchants and service providers to meet Payment Card Industry Data Security Standard compliance. For more information, e-mail firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next