The facts on FACTA

Following is a special report submitted exclusively to The Green Sheet by Ross Federgreen, founder of CSRSI, The Payment Advisors:

I have read a number of recent articles in The Green Sheet on the Fair and Accurate Credit Transaction Act of 2003 (FACTA). Although the articles provide accurate information, I believe additional clarifications are needed, and further serious questions and issues must be raised.

Also, the Credit and Debit Card Receipt Clarification Act of 2007, HR 4008, passed May 14, 2008, in the U.S. House of Representatives. This will have a material effect on all of these discussions if it is enacted into law. I will discuss this legislation, but first some important background to frame the conversation.

The law trumps PCI

Several commentators have mentioned that FACTA was promulgated before the Payment Card Industry (PCI) Data Security Standard (DSS) version 1.0 was released. Although this is true, many of the basic tenets that are espoused in PCI DSS version 1.0 were obtained from the prior controlling documents:

• Visa Inc.'s Cardholder Information Security Program (CISP)
• MasterCard Wordwide's Site Data Protection (SDP) program
• American Express Co.'s Merchant Data Security Standards (MDSS)

The important point here is the PCI DSS states clearly that federal law takes precedence over the PCI DSS.

In addition, there has been a strong emphasis on cardholder primary account number (PAN) data, and the expiration date issue has been lost in the noise. In fact, a number of lawsuits have turned on the expiration date and not on the PAN.

Here are some salient points concerning the PCI DSS version 1.1; FACTA; and the Fair Credit Reporting Act of 1970 (FCRA), including its subsequent amendments and modifications (FCRA, regulates collection, dissemination and use of consumer credit information):

• Hundreds of lawsuits at the federal level have been filed; many seek class action status.

• The defendants are merchants who have "printed" cardholder receipts that show either more than the last five digits of the PAN or the card's expiration date. This is in violation of the FCRA, United States Code, Title 15, Section 1681c(g), which states, "No person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale of the transaction."
• The courts have held that "print" can mean both the display of data on a computer monitor and the physical marking on paper or another surface. Two recent rulings by federal courts in the South District of Florida and the Central District of California have led to the "print" interpretation and conclusion. The cases involved the merchant defendants 1-800 FLOWERS and Stubhub Inc.
• Plaintiffs are seeking statutory damages of between $100 and $1,000 for each "willful" violation under FCRA. (Statutory damages are pre-established damages for cases in which determining a correct sum is deemed difficult.)
• Page 2 of the PCI DSS version 1.1 (dated September 2006) contains a PAN graphic and associated cardholder data – which may be stored, or not – and indicates elements that must be protected if storage is allowed consistent with PCI DSS version 1.1, Regulation 3.4, "Protect stored cardholder data."
• The following quote is excerpted from the PCI DSS, version 1.1: "Additionally, other legislation (for example related to consumer personal data protection, privacy, identity theft or data security) may require specific protection of this data." The legislation this refers to are FACTA, FCRA, and other federal and state legislation.
• Federal law supercedes the PCI DSS.

Banning expiration date suits

Of immediate importance is that the House, by a vote of 407 to 0, passed HR 4008. If this becomes law, it will bar plaintiffs from filing claims against merchants who properly truncate card numbers on receipts but fail to eliminate the printing of card expiration dates.

Plaintiffs alleging willful breaches of the relevant FACTA provision are eligible for statutory damages, even in the absence of actual damages. FACTA prohibits anyone accepting credit and debit cards as means of payment from printing more than the last five digits of a card number or the card's expiration date on an electronic receipt.

The bill would apply retroactively to when the FACTA took effect in 2004 for all claims based on merchant failures to exclude card expiration dates on customer receipts. The bill would not affect the ability of consumers who allege actual harm – identity theft or credit card fraud, for example – from filing individual claims under FACTA's negligence provision.

HR 4008 still must be passed by the U.S. Senate and signed by the President to become the law of the land. The clear sentiment is for passage.

What can we conclude from this? No merchant should under any circumstance "print" any but the last five digits of the PAN or "print" the expiration date of a credit or debit card on a cardholder receipt. To do so means risking a federal lawsuit, which may be amalgamated into a class action under the Federal Rules of Civil Procedure.

Compliance with the PCI DSS offers protection against this, as it requires compliance with PCI itself and all pertinent law.

Finally, one must ask, "What about knuckle busters?"

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.