The Green Sheet Online Edition
April 28, 2008 • Issue 08:04:02
Factors of FACTA compliance
The Fair and Accurate Credit Transactions Act (FACTA) is an expansive piece of legislation passed by Congress in 2003 to assist consumers in protecting themselves from identity theft. The effects of FACTA are becoming more apparent as the rules written by the Federal Trade Commission (FTC) are published in the Federal Register.
FACTA is an amendment to the Fair Credit Reporting Act. It was passed by Congress before the Payment Card Industry (PCI) Data Security Standard (DSS) was established. There are significant differences between them. Under PCI, if a business can justify a reason to print the full card number on a receipt, then it is allowed. Under Section 113 of FACTA, a business cannot electronically print more than the last five digits of a credit or debit card number on any receipt.
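As an added example (not from the article or from The Green Sheet), the following Python masks a card number down to the last five digits that Section 113 permits on a receipt and scans receipt text for digit runs that still look like a full card number; the card number and receipt lines are constructed test values, and the function names are my own.

```python
import re

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens
# (card numbers as commonly printed). Shorter runs such as order numbers
# are ignored.
PAN_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")

# Constructed sample receipt: the card number is a well-known test value.
SAMPLE_RECEIPT = (
    "ACME MART\n"
    "CARD: 4111 1111 1111 1111\n"
    "ORDER: 20080428001\n"
    "TOTAL 12.34\n"
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used on card numbers; filters out non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str, keep: int = 5) -> str:
    """Mask all but the last `keep` digits; FACTA allows at most five."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or keep > 5:
        raise ValueError("not a card number, or keep exceeds the five-digit limit")
    return "*" * (len(digits) - keep) + digits[-keep:]

def find_exposed_pans(receipt: str):
    """Return (line_no, text) for each Luhn-valid digit run in the receipt."""
    hits = []
    for n, line in enumerate(receipt.splitlines(), start=1):
        for m in PAN_RUN.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append((n, m.group()))
    return hits

def receipt_is_compliant(receipt: str) -> bool:
    """True when no full card number survives in the receipt text."""
    return not find_exposed_pans(receipt)
```

Masked output such as a PCI-style "first six, last four" format is also caught only if the digits still form an unbroken Luhn-valid run, so run the check on the final rendered receipt, not on the template.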
Specifically, FACTA covers the following:
- Enabling consumers to block fraudulent information in their personal credit records after filing a police report
- Increasing consumer awareness of their rights
- Improving the accuracy of consumer credit information by discouraging the reintroduction of fraudulent data
- Ensuring accuracy by giving consumers the right to request a free credit report and credit score annually
- Simplifying consumer ability to limit unsolicited offers of credit
- Requiring financial institutions to develop procedures to identify fraud, investigate changes in customer addresses, and truncate credit and debit card information
- Directing regulators to determine how to increase prompt investigation and correction of disputed information
I wrote about the data protection requirements under FACTA and the truncation requirement for card numbers on receipts in "Pinpointing compliance issues," The Green Sheet, April 14, 2008, issue 08:04:01. This article reviews additional FACTA provisions that impact ISOs.
Consumer report protection
FACTA's significant focus is consumer reports. Consumer reports include credit reports, employment background checks, residential history, check writing history, employment history, and insurance applications or claims.
Under the legislation, the entity receiving the report must take reasonable and appropriate steps to protect data. If a consumer report includes protected health care information (PHI), then the ISO involved will need to meet the Health Insurance Portability and Accountability Act guidelines.
If the data includes credit or debit card numbers, the PCI DSS must be adhered to. If other personal identity information (PII) data is included, the ISO will need to implement a program based on the type and volume of data in its possession and the risk of identity theft.
Consumer reports covered by FACTA include data prepared by third parties and received by ISOs while performing the following legitimate business functions:
- Merchant due diligence review
- Employee or contractor pre-employment screening
- Health insurance applications
- Health insurance claim processing
- Employee investigations conducted by employers
The types of data which must be protected include:
- Background checks
- Check writing history
- Credit reports
- Credit scores
- Drug testing results
- Health insurance applications
- Health insurance claims
- Medical information bureau reports
In addition, FACTA gives employees standing to sue their employer in the event the employer does not take appropriate steps to protect consumer reports from unauthorized access.
Normally, when requesting consumer reports, the employer must first have written permission from the employee to do so. However, under FACTA, an exception can be made if the employer is conducting an internal investigation involving employee misconduct. In this instance, the employer may obtain this information without the employee's consent.
Should, as a result of the investigation, the employer decide to take disciplinary action against the employee, only then is the employer required to notify the employee that information was obtained. However, the employer is not required to inform the employee of the source of information, nor is the employee given the ability to contest the information on the reports for the purposes of avoiding disciplinary actions.
When the entity requesting the consumer report no longer has a business need for the document, the data must be destroyed by following the FTC's specific instructions.
According to the FTC, any papers containing consumer report information must be burned, pulverized or shredded so they cannot be read or reconstructed. Electronic files or media containing consumer report information must be destroyed or erased. The entity responsible must conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with these rules.
If a person or entity applies for a merchant account and uses a false identity to do so, the ISO is required under legislation to provide copies of the falsified paperwork to the person whose identity has been stolen. The ISO is also required to provide the same documents to law enforcement conducting investigations into the fraudulent activity. No fees can be collected for providing the information.
An individual or entity requesting fraudulently submitted information should be able to provide the ISO with proof of identity, a copy of the police report filed by the individual or entity and an identity theft affidavit from the FTC, which can be downloaded at www.ftc.gov. If the requesting party cannot provide appropriate identification or the request contains a misrepresentation of facts, the ISO shall not provide the information.
Merchant information collected by the ISO may be shared with affiliate organizations for purposes of marketing products and services. However, the merchant must be given the opportunity to opt out of the information sharing process (this is not required when the information being shared is exclusively for processing the information to board a merchant account).
Furthermore, the merchant notification needs to be broad enough to state that information will be shared, what information will be shared, what entities will share the report and for what purpose. Merchants and affiliates are obligated under the legislation to notify each other of data usage.
Failure and fines
Failure to protect consumer reports may result in federal fines up to $2,500 per report. In addition, state fines can run up to an additional $1,000 per consumer report. Federal law prevents states from imposing additional fees or penalties that haven't been established under FACTA.
Other penalties include the ability for consumers or businesses to bring action against the offending organization for actual damages, court costs and attorney fees. If willful misconduct is found, punitive damages may also be awarded to the consumer or business by the court.
Some companies will push for litigation, but most would rather settle. A partial amount of the funds collected from penalties will go toward attorney fees, while the rest will be distributed to the class of people named in the settlement.
There are two interpretations of the legislation regarding what should appear on card receipts. While some believe merchants can hold receipts with the full card number, others believe that is incorrect. I'm in the camp that believes it is not allowable. Why take the risk?
David Mertz is the founding partner of Compliance Security Partners LLC. He has spent the last four years working with merchants and service providers to meet Payment Card Industry Data Security Standard compliance. For more information, e-mail firstname.lastname@example.org.