The class-action lawsuits accuse about 50 retail chains of violating a provision of the Fair and Accurate Credit Transactions Act that makes it illegal for a retailer to print more than the last five digits of a credit/debit card number on a receipt, or to print the card's expiration date. The rule took effect in phases, the last of which kicked in by December 2006.
There is little dispute that the overwhelming majority of retailers are in full compliance, and there's little incentive for a retailer to resist complying. And yet attorneys say they have found many examples of receipts that still contain the forbidden data. Hence, the class-action lawsuits.
Many of the lawsuits were filed by a Los Angeles firm called Spiro Moss Barness. Two of the senior litigators with that firm involved in these lawsuits—J. Mark Moore and Greg Karasik—said their discussions with attorneys for the defendant retailers have turned up a wide array of defenses.
Those defenses range from pure statutory challenges (such as whether FACTA allows for class-action lawsuits and even whether the consumer plaintiffs named are entitled to sue at all) to absence-of-willfulness (in theory, conceding that the act was violated but that it was unintentional, either through lack of knowledge about the rule or that the chain believed the rule was being handled properly), Moore and Karasik said.
For quite a few reasons, this is a fascinating case for retail IT because it gets into true consistency issues. When a national—let's be kind here and not even get into global factors—retailer has to be responsible for how POS systems print receipts in thousands and sometimes tens of thousands of locations, it's not difficult to be compliant at 99 percent of them and still get nailed for the handful of stores that never did upgrade.
Although the lawyers in these class-action cases are relying heavily on FACTA—specifically Section 1681c(g)—they are also pointing to similarly worded laws in various states as well as Visa/MasterCard policies (including PCI). The attorneys will argue that it's not reasonable that IT managers at large retail chains could have been unaware of the requirement. They'll also argue that the law allowed ample time—about three years from its 2003 signing—to address the requirement.
As a practical matter, though, this shouldn't have been much of an issue for most larger retailers, in the sense that POS vendors were handling it directly. Any POS upgrade within the last couple of years would have fixed the problem, and software patches for older units were not hard to find.
It seems to be a case of a few locations slipping through cyber-cash cracks. Indeed, Moore said that after talking with some unidentified retail defendants, "they switched over and started doing it right within a week or two," raising the question: Why didn't they do it in the previous three years? That's not a timeframe that would allow for major new systems to be deployed. Those actions clearly suggest isolated cases of "Oops. They forgot."
Asked if the sudden compliance would make the case moot, Moore said that it wouldn't, but that it might cap the penalties involved. He quoted one retail defendant as thanking the lawyers for having served consumers by getting them to plug their truncation holes but adding that if they want money, they're going to get a fight.
Attorneys who are not involved in these lawsuits but who do track retail security issues point out that the cases raise issues beyond mere legal compliance.
Bradley Muro, a partner at New York law firm Danziger, Danziger & Muro, said that the pockets of non-compliance with truncation raise other—potentially more troubling—security concerns. "If they can't even get the credit card truncation issue correct, I can't imagine that they have adequate security of all of their other data," Muro said.
Former high-tech crimes federal prosecutor and current retail security consultant Mark Rasch said the fair notice issue is real ("It's not like these merchants didn't see the law coming"), but he sees the lack of compliance as just as much of a bad thing for retailers as for consumers.
"The merchant has liability for negligence if it fails to protect" a consumer's private information and if something then goes wrong, Rasch said. "This helps protect the merchants from potential fraud. The merchants are ultimately protected" by complying with receipt truncation.
In some ways, this has a Y2K feel to it, in the sense that the incident was widely reported and IT had years to plan and prepare for it. But unlike Y2K, the fix for the truncation problem is much easier and smaller. And yet, almost 50 retailers have reportedly missed the deadline (for at least one location), and more lawsuits are likely pending.
Large chains have always suffered through challenges such as franchisees and new or unusual stores (outside the network range or blocked from satellite, etc.) that can't easily deploy systems identical to the rest of the chain. If a store's systems are functional—in that they allow customers to pay for products—upgrading to the latest specs can be easily overlooked.
POS vendors did everything they could to publicize the rules, although their reasons were far removed from consumer-oriented humanitarianism. Nothing like new federal rules to give a boost to upgrade sales.
To be fair, there's not a lot of good will and societal gain on either side. Although the receipt issue is intended to combat identity theft, the plaintiffs are seeking somewhere between $100 and $1,000 for each and every violation. That's a pretty good incentive for IT to do internal surveys to try to find noncompliant locations before they sell something to a lawyer and have to give them more than their change.
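The truncation rule described at the top of this column and the internal survey it recommends, as an added example that is not from the column or from any POS vendor: a small Python checker that scans receipt text for card fields showing more than five digits, or an expiration date, and a compliant masking routine. The receipt lines, store ids and card numbers are constructed test data.

```python
import re

# Constructed sample receipt lines, one per store (not from the column).
# The card numbers are standard test numbers, not real accounts.
SAMPLE_RECEIPTS = {
    "store-0017": "VISA 4111111111111111 EXP 12/09 AUTH 123456 TOTAL $42.10",
    "store-0042": "VISA ************1111 AUTH 123456 TOTAL $42.10",
    "store-0088": "MC 5555 55XX XXXX 4444 TOTAL $9.99",
    "store-0103": "AMEX ***********0005 EXP: 03/10 TOTAL $120.00",
}

MAX_VISIBLE_DIGITS = 5  # FACTA 1681c(g): no more than the last five digits
# A card field: 13-19 digits or mask characters, optionally grouped by space/dash.
CARD_FIELD = re.compile(r"(?<![\w*])[\dXx*](?:[ -]?[\dXx*]){12,18}(?![\w*])")
EXPIRY = re.compile(r"\bEXP(?:IRES|IRY)?\.?:?\s*\d{2}/\d{2,4}\b", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum, used to tell a real card number from an auth code or SKU."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_receipt(text):
    """Return a list of FACTA truncation violations found on one receipt line."""
    violations = []
    for match in CARD_FIELD.finditer(text):
        compact = re.sub(r"[ -]", "", match.group(0))
        digits = re.sub(r"\D", "", compact)
        if len(digits) == len(compact):          # no mask characters at all
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                violations.append(f"full card number printed ({len(digits)} digits)")
        elif len(digits) > MAX_VISIBLE_DIGITS:   # masked, but not enough of it
            violations.append(f"{len(digits)} digits visible, limit is {MAX_VISIBLE_DIGITS}")
    if EXPIRY.search(text):
        violations.append("expiration date printed")
    return violations

def audit_all(receipts):
    """Map store id -> violations, keeping only the non-compliant stores."""
    return {store: v for store, text in receipts.items() if (v := audit_receipt(text))}

def mask_pan(pan, keep=4):
    """Render a card number the compliant way: mask all but the trailing digits."""
    if keep > MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA allows at most the last five digits")
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]
```

Running `audit_all(SAMPLE_RECEIPTS)` flags three of the four constructed stores; the same scan can be pointed at receipt images' OCR output or at the POS print spool during a chain-wide survey.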
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan_Schuman@ziffdavis.com.