The class-action lawsuits accuse about 50 retail chains of violating a provision of the Fair and Accurate Credit Transactions Act (FACTA) that makes it illegal for a retailer to print more than the last five digits of a credit/debit card number on a receipt, and that also forbids printing the card's expiration date on that receipt. The rule took effect in phases, and the last of those phases kicked in by December 2006.
There is little dispute that the overwhelming majority of retailers are in full compliance and there's little incentive for a retailer to resist complying. And yet, attorneys say they have found many examples of receipts that still contain the forbidden data. Hence, the class-action lawsuits.
Many of the lawsuits were filed by a Los Angeles firm called Spiro Moss Barness. Two of the senior litigators with that firm involved in these lawsuits, J. Mark Moore and Greg Karasik, said their discussions with attorneys for the defendant retailers have turned up a wide array of defenses.
Those defenses ranged from pure statutory challenges (such as whether FACTA allows for class-action lawsuits and even whether the consumer plaintiffs named are entitled to sue at all) to absence of willfulness (in theory, conceding that the act was violated but arguing that the violation was unintentional, either through lack of knowledge about the rule or because the chain believed it was being handled properly), Moore and Karasik said.
For quite a few reasons, this is a truly fascinating case for retail IT because it gets into true consistency issues. When a national retailer (let's be kind here and not even get into global factors) has to be responsible for how POS systems print receipts in thousands and sometimes tens of thousands of locations, it's not difficult to be compliant at 99 percent of stores and still get nailed for the handful that never did upgrade.
Although the lawyers in these class-action cases are relying heavily on FACTA, specifically Section 1681c(g), they are also pointing to similarly worded laws in various states as well as Visa/MasterCard policies (including PCI). The attorneys will argue that it's not reasonable that IT managers at large retail chains could have been unaware of the requirement. They'll also argue that the law allowed ample time, about three years from its 2003 signing, to address the requirement.
As a practical matter, though, this shouldn't have been much of an issue for most larger retailers, in the sense that POS vendors were handling it directly. Any POS upgrades within the last couple of years would have fixed the problem and software patches for older units were not hard to find.
The credit-card companies have also been doing what they can, with bribes and threats, to push retailers to fall into line.
It seems to be a case of a few locations slipping through cyber-cash cracks. Indeed, Moore said that after talking with some unidentified retail defendants, "they switched over and started doing it right within a week or two" raising the question of "Why didn't they do it in the previous three years?" That's not a timeframe that would allow for major new systems to be deployed. Those actions clearly suggest isolated cases of "Oops. They forgot."
Asked if the sudden compliance would make the case moot, Moore said that it wouldn't, but that it might cap the penalties involved. He quoted one retail defendant as thanking the lawyers for having served consumers by getting them to plug their truncation holes but added that if they want money, they're going to get a fight.
Attorneys who are not involved in these lawsuits but who do track retail security issues point out that the case raises issues beyond mere legal compliance.
Bradley Muro, a partner at New York City law firm Danziger, Danziger & Muro, said that the pockets of non-compliance with truncation raise other, potentially more troubling, security concerns. "If they can't even get the credit card truncation issue correct, I can't imagine that they have adequate security of all of their other data," Muro said.
Former high-tech crimes federal prosecutor and current retail security consultant Mark Rasch said the fair notice issue is real ("it's not like these merchants didn't see the law coming") but he sees the lack of compliance as just as much of a bad thing for retailers as for consumers.
"The merchant has liability for negligence if it fails to protect" a consumer's private information and if something then goes wrong, Rasch said. "This helps protect the merchants from potential fraud. The merchants are ultimately protected" by complying with receipt truncation.
In some ways, this has a Y2K feel to it, in the sense that the requirement was widely reported and IT had years to plan and prepare for it. But unlike Y2K, the fix for the truncation problem is much easier and smaller. And yet, almost 50 retailers have reportedly missed the deadline (for at least one location) and more lawsuits are likely pending.
Large chains have always suffered through challenges such as franchisees and new or unusual stores (outside network range, blocked from satellite, etc.) that can't easily deploy systems identical to the rest of the chain. If a store's systems are functional, in that they allow customers to pay for products, upgrading to the latest specs can be easily overlooked.
POS vendors did everything they could to publicize the rules, although their reasons were far removed from consumer-oriented humanitarianism. Nothing like new federal rules to give a boost to upgrade sales.
To be fair, there's not a lot of good will and societal gain on either side. Although the receipt issue is intended to combat identity theft, the plaintiffs are seeking somewhere between $100 and $1,000 for each and every violation. That's a pretty good incentive for IT to do internal surveys to try to find non-compliant locations before they sell something to a lawyer and have to give them more than their change.
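One way to run the kind of internal survey the article describes, as an added example that is not code from the article or from any retailer's POS software: a Python check that scans receipt lines for a card field showing more than five digits, or a labelled expiration date, and reports the stores that fail, plus a helper that renders a PAN in compliant form. The store ids and receipt text below are constructed for the example.

```python
import re

# Constructed sample receipt output, keyed by a made-up store id.
SAMPLE_RECEIPTS = {
    "store-0101": ["VISA ************1234", "AUTH 012345  TOTAL $42.17"],
    "store-0207": ["VISA 4111111111111111", "EXP 12/09  TOTAL $9.99"],
    "store-0311": ["MC 541111******1111", "TOTAL $15.00"],
}

# A card field: 13-19 digit-or-mask characters, optionally separated by spaces
# or dashes, not glued to other word characters. Shorter digit runs (auth codes,
# totals, phone numbers) are deliberately not matched.
CARD_RUN = re.compile(r"(?<![\w*])[\d*X#](?:[ -]?[\d*X#]){12,18}(?![\w*])")

# Only a date that is labelled as an expiry is flagged; a bare MM/YY on a
# receipt is usually the sale date and would be a false positive.
EXPIRY = re.compile(r"\bEXP(?:IRES|IRY|IRATION|\.)?\s*:?\s*\d{2}/\d{2,4}", re.I)


def truncation_findings(lines):
    """Return (line, reason) pairs for lines that breach FACTA 1681c(g)."""
    findings = []
    for line in lines:
        for match in CARD_RUN.finditer(line):
            visible = sum(ch.isdigit() for ch in match.group(0))
            if visible > 5:  # the statute allows at most the last five digits
                findings.append((line, f"{visible} card digits visible (max 5)"))
        if EXPIRY.search(line):
            findings.append((line, "expiration date printed"))
    return findings


def mask_pan(pan, keep=4):
    """Render a PAN the compliant way: mask all but the last `keep` (<= 5) digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or keep > 5:
        raise ValueError("not a card-length PAN, or too many digits kept")
    return "*" * (len(digits) - keep) + digits[-keep:]


def survey(receipts):
    """Map store id -> findings, keeping only stores with at least one violation."""
    return {store: f for store, lines in receipts.items()
            if (f := truncation_findings(lines))}


if __name__ == "__main__":
    for store, findings in survey(SAMPLE_RECEIPTS).items():
        for line, reason in findings:
            print(f"{store}: {reason}: {line!r}")
```

A pattern match is a lead, not proof: a 16-digit transaction id will also trip the card-field check, so flagged receipts still need a human look before a store is reported as non-compliant.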