POS Inconsistency Proving Costly In Truncation Lawsuit

Written by Evan Schuman
February 1st, 2007

Some of the nation’s top retailers, including Rite Aid, Harry & David, Ikea, KB Toys, Disney, Regal Cinemas and AMC Theaters, are named as defendants in a lawsuit stemming from inconsistent Point-of-Sale (POS) deployment.

The class-action lawsuits accuse about 50 retail chains of violating a provision of the Fair and Accurate Credit Transactions Act (FACTA) that makes it illegal for a retailer to print more than the last five digits of a credit/debit card number on a receipt, and that also forbids printing the card’s expiration date on that receipt. The rule took effect in phases, but by December 2006, the latest of its phases had kicked in.

There is little dispute that the overwhelming majority of retailers are in full compliance and there’s little incentive for a retailer to resist complying. And yet, attorneys say they have found many examples of receipts that still contain the forbidden data. Hence, the class-action lawsuits.

Many of the lawsuits were filed by a Los Angeles firm called Spiro Moss Barness. Two of the senior litigators with that firm involved in these lawsuits, J. Mark Moore and Greg Karasik, said their discussions with attorneys for the defendant retailers have turned up a wide array of defenses.

Those defenses ranged from pure statutory challenges (such as whether FACTA allows for class-action lawsuits and even whether the consumer plaintiffs named are entitled to sue at all) to absence-of-willfulness (in theory, conceding that the act was violated but that it was unintentional, either through lack-of-knowledge about the rule or that the chain believed it was being handled properly), Moore and Karasik said.

For quite a few reasons, this is a truly fascinating case for retail IT because it gets into true consistency issues. When a national retailer (let’s be kind here and not even get into global factors) has to be responsible for how POS systems print receipts in thousands and sometimes tens of thousands of locations, it’s not difficult to be compliant with 99 percent and still get nailed for those handful of stores that never did upgrade.

Although the lawyers in these class action cases are relying heavily on FACTA, specifically Section 1681c(g), they are also pointing to similarly worded laws in various states as well as VISA/MasterCard policies (including PCI). The attorneys will argue that it’s not reasonable that IT managers at large retail chains could have been unaware of the requirement. They’ll also argue that the law allowed ample time, about three years from its 2003 signing, to address the requirement.

As a practical matter, though, this shouldn’t have been much of an issue for most larger retailers, in the sense that POS vendors were handling it directly. Any POS upgrades within the last couple of years would have fixed the problem and software patches for older units were not hard to find.

The credit-card companies have also been doing what they can, with bribes and threats, to push retailers to fall into line.

It seems to be a case of a few locations slipping through cyber-cash cracks. Indeed, Moore said that after talking with some unidentified retail defendants, “they switched over and started doing it right within a week or two” raising the question of “Why didn’t they do it in the previous three years?” That’s not a timeframe that would allow for major new systems to be deployed. Those actions clearly suggest isolated cases of “Oops. They forgot.”

Asked if the sudden compliance would make the case moot, Moore said that it wouldn’t, but that it might cap the penalties involved. He quoted one retail defendant as thanking the lawyers for having served consumers by getting them to plug their truncation holes but added that if they want money, they’re going to get a fight.

Attorneys who are not involved in these lawsuits but who do track retail security issues point out that the case raises issues beyond mere legal compliance.

Bradley Muro, a partner at New York City law firm Danziger, Danziger & Muro, said that the pockets of non-compliance with truncation raise other, potentially more troubling, security concerns. “If they can’t even get the credit card truncation issue correct, I can’t imagine that they have adequate security of all of their other data,” Muro said.

Former high-tech crimes federal prosecutor and current retail security consultant Mark Rasch said the fair notice issue is real (“it’s not like these merchants didn’t see the law coming”) but he sees the lack of compliance as just as much of a bad thing for retailers as for consumers.

“The merchant has liability for negligence if it fails to protect” a consumer’s private information and if something then goes wrong, Rasch said. “This helps protect the merchants from potential fraud. The merchants are ultimately protected” by complying with receipt truncation.

In some ways, this has a Y2K feel to it, in the sense that the incident was widely reported and IT had years to plan and prepare for it. But unlike Y2K, the fix for the truncation problem is much easier and smaller. And yet, almost 50 retailers have reportedly missed the deadline (for at least one location) and more lawsuits are likely pending.

Large chains have always suffered through challenges such as franchisees and new or unusual stores (outside network range or blocked from satellite, etc.) that can’t easily deploy systems identical to the rest of the chain. If a store’s systems are functional (in that they allow customers to pay for products), upgrading to the latest specs can be easily overlooked.

POS vendors did everything they could to publicize the rules, although their reasons were far removed from consumer-oriented humanitarianism. Nothing like new federal rules to give a boost to upgrade sales.

To be fair, there’s not a lot of good will and societal gain on either side. Although the receipt issue is intended to combat identity thefts, the plaintiffs are seeking somewhere between $100 and $1,000 for each and every violation. That’s a pretty good incentive for IT to do internal surveys to try and find non-compliant locations before they sell something to a lawyer and have to give them more than their change.
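As an added example (not from the article, and not any POS vendor’s software), here is a small Python audit helper for the kind of internal survey the paragraph above recommends: it masks a card number to the FACTA limit described earlier and flags receipt lines that still print more than five card digits or an expiration date. The receipts, card numbers and store details are constructed for the example.

```python
import re

# Rule from FACTA, 15 U.S.C. 1681c(g), as described in the article: print no
# more than the last five digits of the card number and never the expiration
# date.  Sample receipts and card numbers below are constructed.
MAX_VISIBLE_DIGITS = 5

def truncate_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Mask a card number for printing, keeping only the last `visible` digits."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number length out of range")
    return "*" * (len(digits) - visible) + digits[-visible:]

# Candidate card field: 12-19 positions of digits or mask characters (*, X, #),
# optionally grouped by spaces or dashes, e.g. "4111 1111 1111 1234" or
# "************1234".  Long purely numeric ids will also be caught; treat those
# as findings to review rather than automatic violations.
CARD_FIELD = re.compile(r"(?<![\w*#])[\d*xX#](?:[ -]?[\d*xX#]){11,18}(?![\w*#])")
# Expiration date printed as MM/YY or MM/YYYY (but not a full D/M/Y transaction
# date), or an EXP-style label followed by digits.
EXPIRY = re.compile(
    r"(?<![\d/])(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})(?![\d/])"
    r"|\bexp(?:\.|ires|iry|iration)?[:\s]*\d{2}",
    re.IGNORECASE,
)

def receipt_findings(receipt: str) -> list:
    """Return one finding per receipt line that breaks the truncation rule."""
    findings = []
    for lineno, line in enumerate(receipt.splitlines(), start=1):
        for field in CARD_FIELD.findall(line):
            shown = sum(ch.isdigit() for ch in field)
            if shown > MAX_VISIBLE_DIGITS:
                findings.append(f"line {lineno}: {shown} card digits printed ({field})")
        if EXPIRY.search(line):
            findings.append(f"line {lineno}: expiration date printed")
    return findings

# Constructed receipts: one from a store that never got the patch, one compliant.
NONCOMPLIANT_RECEIPT = """ACME STORE #0417   02/01/2007 14:32
VISA 4111 1111 1111 1234
EXP 01/09   AUTH 012345
TOTAL $23.45"""
COMPLIANT_RECEIPT = NONCOMPLIANT_RECEIPT.replace(
    "4111 1111 1111 1234", truncate_pan("4111 1111 1111 1234")
).replace("EXP 01/09   ", "")
```

Run `receipt_findings()` over a sample of receipts pulled from each location; any location that returns findings is one to fix before the next lawsuit finds it.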

