Fear FACTA

This isn’t a new law. The Fair and Accurate Credit Transactions Act, or FACTA, was passed by Congress in 2003 in an effort to combat identity theft. It bars businesses that accept credit cards from printing any more than the last five digits of the card number or the expiration date on the receipt.

One problem for merchants is that many may not even be aware that their systems are printing receipts that violate FACTA. A worse problem: Consumers are starting to catch on that they can actually sue retailers over this, and potentially win big money. By most accounts, more than 200 FACTA related class-action lawsuits have been filed nationwide.

What’s more, an effort by Bose Corp. that would have helped protect mail order transactions from the recent spate of class-action lawsuits filed under the Act has been shot down.

As a result, a cottage industry of lawsuits continues to threaten with bankruptcy any merchant that issues credit card receipts displaying the customer’s expiration date.

Facts on FACTA

When FACTA was passed, the law gave businesses up to three years — or until Dec. 4, 2006 — to comply. Unfortunately for merchants, FACTA also includes a so-called private right of action giving individuals the right to sue. It allows for from $100 to $1,000 per violation with no cap, and it doesn’t require that the individual bringing the action suffer any actual harm.

The number of potential violations for national merchants is enormous. At just $100 per violation, 100,000 receipts carries a whopping $10 million in liabilities.

“In theory, the plaintiff could show that you’ve had a million transactions that were not in compliance, and that would be the basis of your liability,” says Thomas Hughes, a marketing and advertising lawyer with Hunton & Williams in Washington.

But much of the retail industry apparently interpreted the vaguely worded law to mean it was permissible to print up to the last five digits of the customer’s credit card number on the receipt and the expiration date, according to Ted Frank, director of the American Enterprise Institute’s Legal Center for the Public Interest.

But plaintiffs argue that printing the expiration date alone violates FACTA.

“Of course, absolutely no identity theft can possibly take place from an expiration date, and no one claims otherwise,” Frank wrote in an article for AEI. “But with no dispositive court or regulatory ruling on the meaning of ‘or,’ and millions of potential violations occurring every day in the first weeks after FACTA took effect, the entrepreneurial trial bar sensed an opportunity.”

Chicago law firm Edelman, Combs, Latturner & Goodwin, for example, began advertising for clients to bring class-action suits, he added.

FACTA related class-action lawsuits have included a who’s who list of retailers and restaurant chains, including Victoria’s Secret, IKEA, Costco, Bath & Body Works, Harry & David, Cost Plus, Barneys, International Coffee & Teas, Costco, Gymboree, and a slew of mom-and-pop stores and restaurants.

No one is arguing that anyone has had their identity stolen or suffered fraudulent credit card transactions as a result of the alleged violations. What the plaintiffs are arguing is that the merchants and restaurants willfully violated the law. Why would anyone willfully violate such a law? Good question.

But plaintiffs reportedly have claimed that violations occurring more than three years after the law was passed constitute willful violation of the law.

Enter Nichole Ehrheart. When Ehrheart bought a set of Bose headphones over the telephone, the receipt that came with her purchase reportedly had her credit card number truncated as required by law, but included the expiration date.

Ehrheart sued Bose using the law firm Carlson Lynch Ltd.

Bose tried to have the case dismissed by arguing that the law applies only to receipts given “at the point of sale or transaction.”

Ehrheart’s lawyers argued that the term “point of sale” in FACTA refers to the point in time when the exchange between the merchant and customer takes place. In January, the court ruled in Ehrheart’s favor, and the case continues.

“This is the first case that I’m aware of where the issue came up that the receipt was not presented to the consumer at the cash register,” says Hughes. “This is the first time the court has said that even though the merchant didn’t hand you the receipt at the time, the court still believes the receipt was provided at the point of sale and the merchant still has to comply with FACTA.”

Hughes adds that while the big brands are well aware of the FACTA lawsuit factory, he believes second-tier merchants may be the next target. “A lot of the big targets have already been hit or have fixed their systems,” he says. Plaintiffs are going to look for the next tier of potential, “and that’s going to be the regional providers — the regional restaurants, catalogers and retailers.”

He adds: “The cases are very easy to bring; they’re relatively inexpensive and, generally speaking the statute does not require any actual harm. That’s a tremendous incentive for plaintiffs to bring these lawsuits.”

Bob Botelle, vice president of merchant services for payment processing firm Litle & Co., says there is no excuse for merchants who continue to issue credit-card receipts with expiration dates on them, but some still do.

He adds that it is the payment processor’s responsibility to make sure its merchant customers are compliant with laws such as FACTA. His firm downloaded software to all its customers about five years ago to that end.

To be payment card industry (PCI) compliant, all card-not-present transactions must be encrypted so the customer’s card number can’t be seen within the organization, Botelle says.

Also, Visa and MasterCard are levying fines of thousands of dollars a month on companies that are non-PCI-compliant, he adds.

“I am surprised that any merchant with the knowledge of what Visa and MasterCard are doing with PCI and identity theft and credit card fraud, would put anything referencing a credit card on a statement,” he says.

Botelle says mail order packing slips should contain no reference whatsoever to customers’ credit cards. “There are phishing scams out there where people can make up cards using the last four digits and the expiration date,” he says. “Companies shouldn’t be putting the expiration date anywhere.”

So how, more than four years after it was passed, is it possible that merchants could be issuing credit card receipts in violation of FACTA?

In a large company, the credit card processing, which deals with all the PCI requirements, “is far removed from the fulfillment area,” says Botelle. “And a lot of these are old mainframe pick-and-pack systems. And if the people who are packing the product don’t know what to look for, they may not even know they’re in violation.”

He adds: “I can safely say that there are companies that should be PCI-compliant that are not, and there are still systems out there that are not compliant printing these sheets. They’re a target for lawsuits and they’re a target for Visa and MasterCard.” (For more on PCI, see “In praise of PCI,” on page 46.)

The good news

Last year, merchants scored some key victories over FACTA plaintiffs. In the case of Soualian V. International Coffee & Teas, for example, a district judge agreed with the defendant that the case did not meet the “superiority” test — meaning that a class action suit in this case was not the best way to remedy the situation — and refused to certify the case as a class action.

The court also ruled that certifying the suit as a class action might result in disastrous consequences to the company and put thousands of employees out of work, all over a mistake that didn’t hurt anybody.

The judge in the International Coffee & Teas case cited some of the reasoning in the Cost Plus case to reach the ruling. The plaintiff in that suit tried to certify and class 3.4 million people against a company whose net sales revenue is $20 million a year, according to the AEI’s Frank. Moreover, International Coffee & Teas helped its case by correcting the situation as soon as the company learned of it, the court said.

“By immediately remedying their misconduct upon receiving the plaintiff’s complaint, defendants demonstrated good faith and nullified any deterrence benefit that might have been derived from a class action,” the court said.

Though these decisions offer hope, Hughes warns not to get too excited. “You can’t take away from [the developments in California] that all the courts will follow those decisions.”

Meanwhile, if you haven’t, check those receipts and remove the expiration dates, says Hughes. “It’s just not worth the fight to argue that,” he says.