Credit and debit cards and electronic payments have become a way of life for public and private businesses and their customers. With them, exposure to credit card fraud and identity theft has increased. To improve credit and debit card security, the credit card industry and federal and state governments have set standards and regulations.
Fair and Accurate Credit Transactions Act and Receipt Requirements
Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), significantly amending the Fair Credit Reporting Act (FCRA). FACTA added 15 U.S.C. §1681c(g), which, effective Dec. 4, 2006, requires any “person* that accepts credit cards or debit cards to transact business” to:
• Truncate card numbers so that no more than the last five digits of the card number print on customer receipts;
• Eliminate the card’s expiration date from customer receipts.
* “Person” includes any public (including government entities) or private business that accepts credit or debit cards to transact business.
Key Events Following Dec. 4, 2006
While the majority of businesses truncated card numbers printed on transaction receipts, some did not eliminate expiration dates. A number of plaintiff attorneys filed class action lawsuits alleging that companies that continued to print expiration dates were in willful violation of FACTA. Merchants responded that the provision as written did not clearly mandate both truncation of card numbers and deletion of expiration dates, and pointed out that no injury or harm had come to the class as a consequence. Congress reviewed the language of the provision and modified it in May 2008 by passing H.R. 4008, the Credit and Debit Card Receipt Clarification Act of 2007 (CDRC). On June 3, 2008, President George W. Bush signed H.R. 4008 into law as P.L. 110-241.
Clarifying Business’ Responsibility under FACTA
The CDRC clarifies the responsibilities and liabilities of merchants. Congress stated that companies that truncated credit/debit card numbers on transaction receipts between Dec. 4, 2006 and June 3, 2008 but had not eliminated the card’s expiration date were not in willful violation of §1681c(g) and cannot be sued for statutory damages on that basis.
• Effective June 4, 2008, businesses must comply with the FACTA clarification as follows:
> Credit and debit card numbers must be truncated on receipts to include not more than the last five digits of the card number; and
> Expiration dates must not be printed on receipts.
Businesses that fail to meet either requirement may face statutory damages of $100 to $1,000 per receipt for willful violations. With regard to the clarifications, companies should:
• Conduct an immediate review of point-of-sale receipts issued to consumers to ensure compliance with both the truncation and the expiration-date requirements. Some courts have determined that “point of sale” and “print” in FACTA also apply to receipts from online sales, so receipts generated by online ordering systems should be checked against the same truncation and redaction rules.
• Contact equipment providers if credit card processing equipment is outdated and not in compliance with the CDRC, and have the machines updated or replaced.
FACTA Disposal Rule
To further protect against identity theft, FACTA also includes a provision for the proper disposal of sensitive and confidential information, including consumer information, reports and records, and employment information and records. Under the “Disposal Rule,” effective June 1, 2005, businesses must take “reasonable measures” to protect against unauthorized access to or use of the information in connection with its disposal. The rule affects how such material is disposed of, how long it is retained, and how its shredding or destruction is documented.
Going Beyond FACTA: Other Considerations
In addition to complying with federal and state law, companies should follow data security best practices in their own operations.
Payment Card Industry Data Security Standard (PCI DSS)
The credit card industry has set data security requirements for merchants to help protect consumers against identity theft. The Payment Card Industry Data Security Standard (PCI DSS) groups its 12 requirements under six control objectives. In summary, these are:
• Build and maintain a secure network and systems, including firewall configuration and changing vendor-supplied default passwords;
• Protect cardholder data, including encrypting stored data and data transmitted over open, public networks;
• Maintain a vulnerability management program, including keeping anti-virus software current and developing and maintaining secure systems and applications;
• Implement strong access control measures;
• Regularly monitor and test networks, including tracking access to network resources and cardholder data;
• Maintain an information security policy that is understood by all employees. Some companies roll this into a compliance practice.
While FACTA permits no more than the last five digits of a credit/debit card account number on a receipt, PCI DSS limits the digits of a card number that may be displayed, and on receipts this means no more than the last four digits. A merchant that prints only the last four digits, and no expiration date, therefore satisfies both.
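The receipt review recommended above can be automated. The following Python is an added example, not code from the original page: it masks a card number to the PCI DSS limit (last four digits, with FACTA's last five as an option) and audits generated receipt text for the three failures discussed here, an untruncated card number, a masked number that still shows too many digits, and a printed expiration date. The sample receipts are constructed for this example, and 4111 1111 1111 1111 is a widely used Luhn-valid test number, not a real account. The function names and the choice to flag only expiry dates that are labelled as such are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample receipts (not taken from the page).
NONCOMPLIANT_RECEIPT = """\
ACME HARDWARE  STORE #0042
06/04/2008 14:22  TXN 000123456789
VISA 4111 1111 1111 1111   EXP 12/26
AMOUNT            $42.17
"""

# Shows five digits: acceptable under FACTA, too many under PCI DSS.
FACTA_ONLY_RECEIPT = """\
ACME HARDWARE  STORE #0042
06/04/2008 14:22  TXN 000123456789
VISA *********** 11111
AMOUNT            $42.17
"""

COMPLIANT_RECEIPT = """\
ACME HARDWARE  STORE #0042
06/04/2008 14:22  TXN 000123456789
VISA ************1111
AMOUNT            $42.17
"""

# A full card number is 13 to 19 digits, optionally grouped with spaces or hyphens.
FULL_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Only dates labelled as an expiry are flagged (assumption of this example),
# so the transaction date on the receipt is not reported as a finding.
EXPIRY_RE = re.compile(
    r"\bexp(?:ires|iry|iration)?\.?\s*(?:date)?\s*:?\s*(?:0[1-9]|1[0-2])\s*[/-]\s*(?:\d{2}|\d{4})\b",
    re.IGNORECASE,
)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test. Separates card numbers from other long numbers such as
    order IDs; about one random number in ten passes, so findings still need review."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*'.
    keep=4 meets the PCI DSS display limit and therefore FACTA; keep=5 is FACTA's own maximum."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    return "*" * (len(digits) - keep) + digits[-keep:]


def audit_receipt(text: str, max_visible: int = 4) -> List[Tuple[str, str]]:
    """Return (finding, matched_text) pairs for one receipt; an empty list passes.
    'full_pan'        a Luhn-valid 13-19 digit run, i.e. an untruncated card number
    'under_truncated' a masked number still showing more than max_visible digits
    'expiry'          a labelled expiration date"""
    findings: List[Tuple[str, str]] = []
    for m in FULL_PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            findings.append(("full_pan", m.group()))
    # Mask characters followed by more trailing digits than the policy allows.
    under_truncated_re = re.compile(r"[*Xx]{2,}[ -]?\d{%d,}" % (max_visible + 1))
    for m in under_truncated_re.finditer(text):
        findings.append(("under_truncated", m.group()))
    for m in EXPIRY_RE.finditer(text):
        findings.append(("expiry", m.group()))
    return findings


def is_compliant(text: str, max_visible: int = 4) -> bool:
    return not audit_receipt(text, max_visible)


if __name__ == "__main__":
    for name, receipt in [("noncompliant", NONCOMPLIANT_RECEIPT),
                          ("facta_only", FACTA_ONLY_RECEIPT),
                          ("compliant", COMPLIANT_RECEIPT)]:
        print(name, audit_receipt(receipt))
```

Run against the receipts a point-of-sale or e-commerce system actually emits (print-spool output, e-mail receipt bodies), with `max_visible=4` for the PCI DSS limit or `max_visible=5` to test FACTA alone. The Luhn filter keeps order and transaction numbers from being reported, but it is a heuristic, so treat `full_pan` findings as candidates for review rather than proof.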
Managing Your Risk
Companies that accept credit or debit card transactions or hold consumer reports should have a data security risk management program to help prevent identity fraud and theft, including:
• Be familiar with and comply with all provisions of FACTA, FCRA and related state laws.
• Be familiar with and implement the credit card industry’s PCI DSS requirements.
• Include protecting consumer credit and credit card information as a part of the company’s privacy and ethics compliance policies and program for all employees.
• Seek legal counsel for additional information on compliance requirements involving consumer information.
The information provided in this document is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy, nor is it a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.
• Helping Businesses Fight Identity Theft (Federal Trade Commission): http://www.ftc.gov/bcp/edu/microsites/idtheft/business/index.html
• Federal Trade Commission Alert: Disposing of Consumer Information: http://business.ftc.gov/documents/alt152-disposing-consumer-report-information-new-rule-tells-how
• PCI DSS for Merchants Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/security_standards/index.php