Appeals Court: Online Receipts Exempt From FACTA
Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
What is “printing”? Late last month, a federal Court of Appeals in California redefined that word in a way that will have a great impact not only on retailers but on the privacy and security of payment-card information online. The California court, ruling in favor of online travel site Expedia, found that an electronically mailed receipt that contained certain payment-card information that the law prohibited from being “electronically printed” did not violate that statute, because an E-mailed receipt is not an “electronic printing.”
The ruling elevates language over substance, and it may leave consumer information at unnecessary risk if retailers take it as a green light to print full payment-card numbers on electronically mailed receipts. After all, which is more risky: having a printed receipt with your credit-card number in your wallet or having an electronic version of that same document floating around the Internet?
Dimitri Simonoff, like tens of thousands of other people, purchased travel reservations through the Expedia.com Web site. He provided his personal information, including his credit-card number, CVV number and expiration date, to Expedia, which made the reservation and E-mailed him confirmation of the reservation. Included in that confirmation was the credit-card expiration date.
Simonoff, through his lawyer, claimed that the inclusion of the expiration date alone was sufficient to make the E-mail violate what is called the “truncation” provisions of the Fair and Accurate Credit Transactions Act (FACTA). FACTA has repeatedly been challenged in various courts.
In 2003, Congress amended the Fair Credit Reporting Act (FCRA) to deal with the problem of theft of credit-card numbers. The particular provision mandated that retailers not print full credit-card numbers and expiration dates, because having these things floating around substantially increased the risk that they would be used to commit credit-card fraud, identity fraud and, to a lesser extent, identity theft.
The statute’s language says “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.”
This restriction covers only “receipts that are electronically printed, and [does] not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.”
For these purposes, let’s forget the question of whether an expiration date alone is enough to trigger the provisions of FACTA, especially because Congress has since clarified this point. The question for online retailers should be: How does this apply to me? Or, more accurately, does this apply to me?
The immediate harm FACTA was intended to prevent is POS terminals printing a consumer’s entire credit-card number and expiration date, along with the consumer’s name and purchases, making the slip of paper a veritable gold mine for fraudsters. Dumpster divers could get credit-card numbers either at the retailer (when consumers tossed out the receipts) or at the consumer’s home. Unscrupulous tellers and checkout people could supplement their income by selling numbers to hackers or others. Receipt rolls would also be subject to theft and copying, leading to massive credit-card fraud.