I was doing a bit of research around the Fair and Accurate Credit Transactions Act (FACTA), and ran across an interesting recent court decision…
15 U.S.C. § 1681c(g)(1), within FACTA, prohibits merchants from electronically printing receipts with a credit card’s expiration date, or more than the last five digits of any credit card number. It provides for violators to be punished by statutory damages from $100 to $1,000 per violation, and allows for punitive damages.
On February 12, 2009, the U.S. District Court for the Northern District of Illinois held that the range of permissible statutory damages for credit card transaction receipt violations of FACTA is NOT unconstitutionally vague, rejecting a motion to dismiss a class action in Irvine v. 233 Skydeck LLC.
I know a lot of retailers and merchants, particularly small and medium sized businesses (SMBs), struggle with many compliance issues, particularly those related to FACTA and PCI DSS. The requirement to only electronically print the last 5 digits of credit card numbers was a huge change throughout all businesses who accept credit cards, and I still run across merchants who include the full credit card number on receipts. However, FACTA explicitly exempts from this prohibition “transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.”
So, all merchants can still handwrite full credit card numbers on receipts under FACTA.
The defendant, apparently trying to avoid being charged a potentially large penalty, argued that FACTA’s range of possible statutory damages was too vague and violated the Due Process Clause.
The court, however, was not impressed. “[S]tatutory damage ranges like that enumerated in FACTA are commonplace and courts routinely uphold them,” Judge Harry D. Leinenweber wrote in the judgment.
The court quashed the defendant’s argument that the Fifth Amendment’s double jeopardy provisions prohibited “double punishment” for the alleged FACTA receipt provision violations. The court said that double jeopardy protections apply only to criminal cases.
Seemed like a clever try, eh?
As the decision indicated, though, “[t]here is no general due process prohibition on double punishment for a single statutory violation.” Additionally, the possibility of “excessive damages” did not support a claim that FACTA is unconstitutional.
The court also rejected the defendant’s argument that FACTA’s distinction between merchants generating electronic receipts and those writing receipts by hand violated the Equal Protection Clause. Because this distinction does not involve “a suspect class or a fundamental right,” the court applied the “rational basis test” to conclude that there were many rational bases for the statute’s distinction between how receipts were created.
The decision concluded that FACTA’s “exemption of handwritten and imprinted receipts bears a rational relation to the government’s interest in preventing identity theft and Defendant’s equal protection challenge fails.”
And so the FACTA compliance enforcement will continue…