This is page 3 of:
Appeals Court: Online Receipts Exempt From FACTA
So, are electronically mailed receipts “printed”? The court relied on the definitions from three different dictionaries and concluded that those receipts were not printed. “The ordinary meaning of ‘print’ is clear: Printing involves a physical imprint onto paper or another tangible medium,” the court wrote. “A printed receipt is thus a receipt that exists in physical form, not one electronically displayed on a screen.”
The Court went on to say that a “printed” receipt was “electronically printed” if it is printed from some means other than “handwritten.” Under this reading, a typed receipt is “electronically printed” but an E-mailed .pdf is not.
I have a good deal of sympathy for retailers here. FACTA is not an easy statute to deal with, and it imposes civil fines for each receipt “printed” in violation of the statute. It was also never meant to deal with the problem of E-mailed receipts. Moreover, it does not define where the point of sale might be for E-Commerce.
The problem is complicated by things like the procedure at, say, the Apple Store, where a consumer makes a purchase in a physical store and is presented with the option of getting a paper receipt then and there or having the identical receipt E-mailed to them for printing at home. Under the Expedia rationale, the slip of paper must comply with FACTA, but the E-mail could contain the entire credit-card number (PCI-DSS notwithstanding).
What about an E-mail with a receipt that expressly says “print this E-mail for your records”? If a consumer prints a boarding pass, for example, is it no longer a “printed record,” because it was delivered electronically? If a retailer sets up a self-service kiosk for consumers to print their own receipts at the store, would this no longer be covered, because the retailer did not print the receipt? Is there a meaningful difference between the consumer printing the document at the store or at home?
In other contexts, like the IRS, which requires receipts for business expenses, no requirement exists that the receipt be in a particular form—ink on dead trees. But the regulation does not require an electronic “printing.”
What the court should do is look at not only the words of the statute but its overall purpose. In this case, FACTA was designed to protect consumers using credit cards at merchants from having the merchant’s actions unnecessarily expose their credit-card numbers to fraud and theft by ensuring that the receipts did not needlessly contain the un-truncated credit-card number. The “printing” requirement was intended to deal with a particular method of recording the number—and to distinguish the printing from the imprinting of the number through an imprint machine.
Ask yourself this: Which is worse, having a printed receipt with your credit-card number in your wallet (or on your kitchen table or in the trash) or having a .pdf or .html file of that same document floating around the Internet? Which is more secure? Which has more risk? Why just protect the dead tree?
Hopefully, retailers will not take this decision as a green light to print full credit-card numbers on electronically mailed receipts. Remember, FACTA is just one law, and there are many other laws, regulations and contractual agreements that require the protection of consumer data.
For now, consumers who suspect a FACTA violation by an online merchant may be out of luck. If they don’t like it, they can come to the store itself. Let’s hope they remember to bring their receipt.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
