The Green Sheet Online Edition
April 14, 2008 • Issue 08:04:01
Pinpointing compliance issues
The focus of my contributions to The Green Sheet is regulatory and industry requirements for protection of confidential data. Previously I discussed the roles assumed in this regard by the Federal Trade Commission and the Gramm-Leach-Bliley Act (GLBA). The FTC demands protection of personal identity information; GLBA enforces protection of cardholder transaction data.
PII versus PHI
Before we delve further into the federal regulatory landscape, let's reexamine what is meant by personal identity information (PII) and protected health care information (PHI).
PII includes any combination of a person's name and the following data:
- Credit card numbers
- Date of birth
- Social Security number
- Driver's license number
- Biometric identity data
- Financial account numbers
Phone numbers and e-mail addresses are excluded from this list because of their presence in the public domain, although some federal and state legislation includes one or both in its definition of PII.
In addition, the following two subsets are considered PII:
PHI includes any combination of a person's name or other identifiable information - such as PII data - and health care records. This includes any type of medical treatment, diagnosis or equipment that has been prescribed for, or purchased or received by the individual.
FACTA versus GLBA
Passed by Congress in 2003, the Fair and Accurate Credit Transactions Act (FACTA) was designed to help consumers protect themselves from identity theft. The act is far-reaching legislation, and several of its sections affect ISOs.
The section that has caught the attention of ISOs restricts the full disclosure of cardholder data on printed receipts. (For more information, see "Receipts still reveal too much," by David Mertz, The Green Sheet, Dec. 26, 2007, issue 07:12:02.) Fines range up to $1,000 per receipt plus attorney's fees. No actual harm (for example, identity theft) needs to be documented for the merchant to be liable for the fines allowed under FACTA.
Second only to the receipt provision in its effect on ISOs is FACTA's treatment of merchant applications. GLBA does not affect the information that appears on the applications a merchant submits to obtain a merchant account, but FACTA does.
The information contained on the application, whether provided by a company or an individual, or for business and consumer purposes, is covered under FACTA.
The FTC, empowered under FACTA to implement this legislation, relied on the definitions of creditor and financial institution set out in GLBA.
These descriptions are expansive. As a result, entities that receive applications for merchant accounts - even if those applications are received on behalf of another entity - are covered under FACTA.
For an example outside of the payments industry, car dealers are not lending institutions, but they collect applications on behalf of consumers to submit to lending institutions. Under the GLBA, car dealers are considered financial institutions and are required to be FACTA compliant.
While GLBA applies only to consumer activity, the FTC has determined that both business and consumer activity fall within the intent of FACTA. As a result, any PII on the merchant application is considered confidential, including a merchant's tax identification number.
Under FACTA, any application for a merchant account containing PII from a consumer or a business - this includes the business tax identification number - that is received by any entity is considered confidential.
ISOs and MLSs should take reasonable and appropriate steps to protect the data contained in any form (electronic, paper, removable media, fixed media and so forth) on merchant applications in their possession. These include creation of an identity theft protection program that meets the following guidelines:
- Program implementation must be documented in writing and appropriate to the organization's size, transaction volume, and level of risk. This includes PCI compliance if the merchant application contains cardholder data. If not, a lesser standard based on risk of identity theft, including the FTC's red flag requirements, may be implemented.
- An ISO's partners in handling merchant applications must be FACTA compliant. FTC rules based on FACTA require "appropriate and effective" oversight throughout this process. A service provider is any entity from which an ISO receives merchant applications (except merchants) and any entity that receives merchant applications from ISOs.
- The program must clearly define steps the ISO will take to monitor the data for fraudulent activity, including identity theft and money laundering used to facilitate terrorism.
- The program must be updated at least once a year to reflect changes in risk to protected data.
- If the data is compromised or there is a risk of identity theft, the ISO shall notify law enforcement and the individuals or businesses whose data is at risk.
Also, ISOs and MLSs should implement a monitoring program and report to the ISO's executive management on how effectively the program protects data and monitors for attempted identity theft. If the ISO is publicly traded, this includes its board of directors. For private firms, this applies to the organization's officers.
Failure to truncate card numbers on receipts can result in fines and penalties up to $1,000 per receipt plus court costs and attorney's fees. But there are two important issues ISOs and merchants need to be aware of:
- No harm needs to be shown by the consumer when bringing a claim against a merchant
- Printing the full card number on the receipt is, by itself, enough to support a claim
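Because printing an untruncated card number is by itself enough to create liability, the practical control is to catch full card numbers before a receipt leaves the printer. The following is an added example written for this article, not code from The Green Sheet or from Compliance Security Partners: it scans receipt text for 13 to 19 digit sequences that pass the Luhn checksum (the self-check digit every payment card number carries) and masks all but the last four digits. The receipt content is constructed sample data; the card number in it is a well-known test number, not a real account.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample receipt. The Visa number is a standard test value.
SAMPLE_RECEIPT = """\
ACME MART            04/14/2008
VISA  4111 1111 1111 1111  EXP 12/09
AUTH 042517   REF 000123456789
TOTAL                   $42.10
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_exposed_pans(receipt_text: str) -> list[str]:
    """Return every Luhn-valid card number printed in full on the receipt."""
    found = []
    for m in PAN_RE.finditer(receipt_text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pans(receipt_text: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits of each card number."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # reference numbers etc. are left untouched
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]
    return PAN_RE.sub(repl, receipt_text)


if __name__ == "__main__":
    exposed = find_exposed_pans(SAMPLE_RECEIPT)
    print("exposed card numbers:", exposed)
    print(mask_pans(SAMPLE_RECEIPT))
```

Running this on the sample receipt reports the one exposed number and prints the receipt with it rendered as `************1111`. The twelve-digit reference number and the six-digit authorization code are too short to match, and any digit run of the right length that fails the Luhn check is left alone; a genuine reference number that happens to pass Luhn would be masked too, which is the safer direction to err. The check looks only at the card number; the statute's receipt rule also bars printing the expiration date, which this example leaves untouched.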
Some courts have been reluctant to move forward with class action lawsuits based on FACTA because of the size of the fines involved and the lack of proven harm to the consumer. A lawsuit could easily contain hundreds or thousands of consumers in a class.
Multiplying the class by $1,000 per member transaction could potentially force a merchant out of business or into bankruptcy. However, some class action suits are currently active and moving through the legal process.
Other penalties include the ability for consumers or businesses to bring action against an offending organization for actual damages, court costs and attorney fees. If willful misconduct is found, then punitive damages may also be awarded to the consumer or business by the court.
ISOs and MLSs should review with their merchants the regulations and acts put into place to protect consumer information. Too many penalty factors - fines, lawsuits or losing a business - could damage everyone involved. Plus, having a reputation of not following data regulations won't attract merchants.
David Mertz is the founding partner of Compliance Security Partners LLC. He has spent the last four years working with merchants and service providers to meet Payment Card Industry Data Security Standard compliance. For more information, e-mail firstname.lastname@example.org.