Appeals Court: Online Receipts Exempt From FACTA

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

What is "printing"? Late last month, a federal Court of Appeals in California redefined that word in a way that will have a great impact not only on retailers but on the privacy and security of payment-card information online. The California court, ruling in favor of online travel site Expedia, found that an electronically mailed receipt that contained certain payment-card information that the law prohibited from being "electronically printed" did not violate that statute, because an E-mailed receipt is not an "electronic printing."

The ruling elevates language over substance, and it may leave consumer information at unnecessary risk if retailers take it as a green light to print full payment-card numbers on electronically mailed receipts. After all, which is more risky: having a printed receipt with your credit-card number in your wallet or having a electronic version of that same document floating around the Internet?

Dimitri Simonoff, like tens of thousands of other people, purchased travel reservations through the Web site. He provided his personal information, including his credit-card number, CVV number and expiration date, to Expedia, which made the reservation and E-mailed him confirmation of the reservation. Included in that confirmation was the credit-card expiration date.

Simonoff, through his lawyer, claimed that the inclusion of the expiration date alone was sufficient to make the E-mail violate what is called the "truncation" provisions of the Fair and Accurate Credit Transactions Act (FACTA). FACTA has repeatedly been challenged in various courts.

In 2003, Congress amended the Fair Credit Reporting Act (FCRA) to deal with the problem of theft of credit-card numbers. The particular provision mandated that retailers not print full credit-card numbers and expiration dates, because having these things floating around substantially increased the risk that they would be used to commit credit-card fraud, identity fraud and, to a lesser extent, identity theft.

The statute's language says "no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction."

This restriction covers only "receipts that are electronically printed, and [does] not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card."

For these purposes, let's forget the question of whether an expiration date alone is enough to trigger the provisions of FACTA, especially because Congress has since clarified this point. The question for online retailers should be: How does this apply to me? Or, more accurately, does this apply to me?

The immediate harm FACTA was intended to prevent is POS terminals printing a consumer's entire credit-card number and expiration date, along with the consumer's name and purchases, making the slip of paper a veritable gold mine for fraudsters. Dumpster divers could get credit-card numbers either at the retailer (when consumers tossed out the receipts) or at the consumer's home. Unscrupulous tellers and checkout people could supplement their income by selling numbers to hackers or others. Receipt rolls would also be subject to theft and copying, leading to massive credit-card fraud.The statute exempted the old-style credit-card imprint devices ("ca-CHUNK, ca-CHUNK"), because there was no practical way to "truncate" the imprint. Same thing for a handwritten number called in by the merchant for verification. So Congress was trying to protect the consumer at the "point of sale."

What happens when we try to apply this to E-Commerce? Where is the "point of sale"? What is a "printed receipt"? Does FACTA even apply to E-Commerce at all? And, most importantly, what ruling is most consistent with the language and intent of Congress in passing FACTA? These are not easy questions.

On May 24, the United States Court of Appeals for the Ninth Circuit, which includes California, Oregon and Washington State, decided that the E-mailed receipt was not a "writing" under FACTA. It noted:

"The question we consider under FACTA is the meaning of the words 'print' and 'electronically printed' in connection with an E-mailed receipt. 'Print' refers to many different technologies—from Mesopotamian cuneiform writing on clay cylinders to the Gutenberg press in the 15th Century, Xerography in the early 20th Century and modern digital printing—but all of those technologies involve the making of a tangible impression on paper or other tangible medium."

The court continued: "Although computer technology has significantly advanced in recent years, we commonly still speak of printing to paper and not to, say, iPad screens. Nobody says, 'Turn on your Droid [or iPhone or iPad or BlackBerry] and print a map of downtown San Francisco on your screen.' We conclude that under FACTA, a receipt that is transmitted to the consumer via E-mail and then digitally displayed on the consumer's screen is not an 'electronically printed' receipt."

Applying this rationale, the Court concluded that E-mailing a document containing even a full credit-card number and expiration date does not constitute an "electronically printed" document. That finding has some intellectual appeal. I mean, we all know what it means to "print" something—ink on dead trees, right? But methinks the court is a bit too literal here.

The court goes into a discourse about what it means to "print." Cuneiform on wet clay? Hieroglyphics on granite? An imprint on wax? Charcoal on papyrus? Is a typewritten record "printed," or must it be typeset and "pressed" on paper? Does it matter if the final document is created by dot matrix, daisy wheel, thermal imprint, inkjet, laser or otherwise? Are the words "Surrender Dorothy" really "printed"? It is this type of esoterica from which the law is made and unmade.

This is not the first time we have struggled with applying old-world concepts of "writing" and "written" and "printed" to the new Internet-based technology. Is a fax a "writing" for the purposes of a contract? Is an E-mail message? Congress mostly solved this problem when it enacted the E-Sign law, providing that electronic signatures (whatever those are) are deemed legally sufficient for anything that requires something be signed.

So, are electronically mailed receipts "printed"?So, are electronically mailed receipts "printed"? The court relied on the definitions from three different dictionaries and concluded that those receipts were not printed. "The ordinary meaning of 'print' is clear: Printing involves a physical imprint onto paper or another tangible medium," the court wrote. "A printed receipt is thus a receipt that exists in physical form, not one electronically displayed on a screen."

The Court went on to say that a "printed" receipt was "electronically printed" if it is printed from some means other than "handwritten." Under this reading, a typed receipt is "electronically printed" but an E-mailed .pdf is not.

I have a good deal of sympathy for retailers here. FACTA is not an easy statute to deal with, and it imposes civil fines for each receipt "printed" in violation of the statute. It was also never meant to deal with the problem of E-mailed receipts. Moreover, it does not define where the point of sale might be for E-Commerce.

The problem is complicated by things like the procedure at, say, the Apple Store, where a consumer makes a purchase in a physical store and is presented with the option of getting a paper receipt then and there or having the identical receipt E-mailed to them for printing at home. Under the Expedia rationale, the slip of paper must comply with FACTA, but the E-mail could contain the entire credit-card number (PCI-DSS notwithstanding).

What about an E-mail with a receipt that expressly says "print this E-mail for your records"? If a consumer prints a boarding pass, for example, is it no longer a "printed record," because it was delivered electronically? If a retailer sets up a self-service kiosk for consumers to print their own receipts at the store, would this no longer be covered, because the retailer did not print the receipt? Is there a meaningful difference between the consumer printing the document at the store or at home?

In other contexts, like the IRS, which requires receipts for business expenses, no requirement exists that the receipt be in a particular form—ink on dead trees. But the regulation does not require an electronic "printing."

What the court should do is look at not only the words of the statute but its overall purpose. In this case, FACTA was designed to protect consumers using credit cards at merchants from having the merchant's actions unnecessarily expose their credit-card numbers to fraud and theft by ensuring that the receipts did not needlessly contain the un-truncated credit-card number. The "printing" requirement was intended to deal with a particular method of recording the number—and to distinguish the printing from the imprinting of the number through an imprint machine.

Ask yourself this: Which is worse, having a printed receipt with your credit-card number in your wallet (or on your kitchen table or in the trash) or having a .pdf or .html file of that same document floating around the Internet? Which is more secure? Which has more risk? Why just protect the dead tree?

Hopefully, retailers will not take this decision as a green light to print full credit-card numbers on electronically mailed receipts. Remember, FACTA is just one law, and there are many other laws, regulations and contractual agreements that require the protection of consumer data.

For now, consumers who suspect a FACTA violation by an online merchant may be out of luck. If they don't like it, they can come to the store itself. Let's hope they remember to bring their receipt.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.