The Green Sheet Online Edition

June 09, 2008  •  Issue 08:06:01


The facts on FACTA

By Ross Federgreen

I have read a number of recent articles in The Green Sheet on the Fair and Accurate Credit Transaction Act of 2003 (FACTA). Although the articles provide accurate information, I believe additional clarifications are needed, and further serious questions and issues must be raised.

Also, the Credit and Debit Card Receipt Clarification Act of 2007, H.R. 4008, passed May 14, 2008, in the U.S. House of Representatives. This will have a material effect on all of these discussions if it is enacted into law. I will discuss this legislation, but first some important background to frame the conversation.

The law trumps PCI

Several commentators have mentioned that FACTA was promulgated before the Payment Card Industry (PCI) Data Security Standard (DSS) version 1.0 was released. Although this is true, many of the basic tenets that are espoused in PCI DSS version 1.0 were obtained from the prior controlling documents:

The important point here is the PCI DSS states clearly that law takes precedence over the PCI DSS.

In addition, there has been a strong emphasis on cardholder primary account number (PAN) data, and the expiration date has been lost in the noise. In fact, a number of lawsuits have turned on the expiration date and not on the PAN.

Here are some salient points concerning the PCI DSS version 1.1; FACTA; and the Fair Credit Reporting Act of 1970 (FCRA), including its subsequent amendments and modifications (FCRA, enacted in 1970, regulates collection, dissemination and use of consumer credit information):

Chance to ban expiration date suits

Of immediate importance is that the House of Representatives, by a vote of 407 to 0, passed H.R. 4008. If this becomes law, it will bar plaintiffs from filing claims against merchants who properly truncate card numbers on receipts but fail to eliminate the printing of card expiration dates.

Plaintiffs alleging willful breaches of the relevant FACTA provision are eligible for statutory damages, even in the absence of actual damages.

FACTA prohibits anyone accepting credit and debit cards as means of payment from printing more than the last five digits of a card number or the card's expiration date on an electronic receipt.

The bill would apply retroactively to when FACTA took effect in 2004 for all claims based on merchant failures to exclude card expiration dates on customer receipts.

The bill would not affect the ability of consumers who allege actual harm - identity theft or credit card fraud, for example - to file individual claims under FACTA's negligence provision.

H.R. 4008 still must be passed by the U.S. Senate and signed by the President to become the law of the land. The clear sentiment is for passage.

What can we conclude from this? No merchant should under any circumstance "print" any but the last five digits of the PAN or "print" the expiration date of a credit or debit card on a cardholder receipt.

To do so means risking a federal lawsuit, which may be amalgamated into a class action under the rules of Federal Procedure.

Compliance with the PCI DSS offers protection against this, as it requires compliance with PCI itself and all pertinent law.

Finally, one must ask, "What about knuckle busters?"

Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 1, or

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
