Appeals Court: Online Receipts Exempt From FACTA

Written by Mark Rasch
June 8th, 2011

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

What is “printing”? Late last month, a federal Court of Appeals in California redefined that word in a way that will have a great impact not only on retailers but on the privacy and security of payment-card information online. The California court, ruling in favor of online travel site Expedia, found that an electronically mailed receipt that contained certain payment-card information that the law prohibited from being “electronically printed” did not violate that statute, because an E-mailed receipt is not an “electronic printing.”

The ruling elevates language over substance, and it may leave consumer information at unnecessary risk if retailers take it as a green light to print full payment-card numbers on electronically mailed receipts. After all, which is more risky: having a printed receipt with your credit-card number in your wallet, or having an electronic version of that same document floating around the Internet?

Dimitri Simonoff, like tens of thousands of other people, purchased travel reservations through the Expedia Web site. He provided his personal information, including his credit-card number, CVV number and expiration date, to Expedia, which made the reservation and E-mailed him confirmation of the reservation. Included in that confirmation was the credit-card expiration date.

Simonoff, through his lawyer, claimed that the inclusion of the expiration date alone was sufficient to make the E-mail violate what is called the “truncation” provisions of the Fair and Accurate Credit Transactions Act (FACTA). FACTA has repeatedly been challenged in various courts.

In 2003, Congress amended the Fair Credit Reporting Act (FCRA) to deal with the problem of theft of credit-card numbers. The particular provision mandated that retailers not print full credit-card numbers and expiration dates, because having these things floating around substantially increased the risk that they would be used to commit credit-card fraud, identity fraud and, to a lesser extent, identity theft.

The statute’s language says “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.”

This restriction covers only “receipts that are electronically printed, and [does] not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.”
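Whatever the court makes of the word "printed", a retailer can simply apply the truncation rule quoted above to every receipt it sends, E-mail included. The following is an added example, not code from the article or from Expedia: it scans a receipt's text for a full card number (a Luhn-valid run of 13 to 19 digits) and for an expiration date, and shows how to mask a number down to its last five digits. The regular expressions and the sample receipt are constructed assumptions.

```python
import re

# Assumptions (not from the article): receipts are plain text, a card number is
# 13-19 digits with optional spaces or dashes that passes the Luhn check, and an
# expiration date is written as "Exp: MM/YY" or "Expiration date MM/YYYY".
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EXP_RE = re.compile(
    r"\bexp(?:ir(?:es|ation|y))?\.?\s*(?:date)?\s*:?\s*(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b",
    re.I,
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out itinerary numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Mask all but the last 5 digits (FACTA's limit), keeping separators."""
    n_digits = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("*" if seen < n_digits - 5 else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def check_receipt(text: str) -> list[str]:
    """Return one finding per full card number or expiration date in the text."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            # Log the masked form so the finding itself does not leak the number.
            findings.append(f"card number not truncated: {truncate_pan(m.group())}")
    for m in EXP_RE.finditer(text):
        findings.append(f"expiration date printed: {m.group(1)}/{m.group(2)}")
    return findings


# Constructed sample receipts; 4111 1111 1111 1111 is a well-known test number.
BAD_RECEIPT = "Itinerary: 3927485612\nCharged to Visa 4111 1111 1111 1111 Exp: 09/13\n"
GOOD_RECEIPT = "Itinerary: 3927485612\nCharged to Visa ending in 11111\n"
```

Run `check_receipt` over the outbound confirmation before it is sent; an empty list means the receipt meets the truncation rule as quoted.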

For these purposes, let’s forget the question of whether an expiration date alone is enough to trigger the provisions of FACTA, especially because Congress has since clarified this point. The question for online retailers should be: How does this apply to me? Or, more accurately, does this apply to me?

The immediate harm FACTA was intended to prevent is POS terminals printing a consumer’s entire credit-card number and expiration date, along with the consumer’s name and purchases, making the slip of paper a veritable gold mine for fraudsters. Dumpster divers could get credit-card numbers either at the retailer (when consumers tossed out the receipts) or at the consumer’s home. Unscrupulous tellers and checkout people could supplement their income by selling numbers to hackers or others. Receipt rolls would also be subject to theft and copying, leading to massive credit-card fraud.
