By Brendan W. Walsh, email@example.com
It is no secret that the use of credit and debit cards has exploded in the past decade. Indeed, recent data indicates that credit and debit card payments now account for a combined 60% of all sales volume, and that number is expected to rise by four percentage points in the next five years as new technologies make it easier for businesses and individuals to process such payments. But all individuals and businesses, large or small, who accept credit and/or debit card payments should carefully review their point-of-sale practices to confirm that they are not unwittingly opening themselves up to substantial liability under federal law for including too much information on their customers’ electronically printed receipts.
In 2003, Congress passed the Fair and Accurate Credit Transactions Act (“FACTA”) in an effort to combat identity theft. Among many other things, FACTA provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” Importantly, this restriction applies only to receipts that are electronically printed, and does not apply when the sole means of recording a card number is by handwriting or by an imprint or copy of the card.
FACTA imposes civil liability for violations of this provision, but the amount depends on whether the violation is determined to be “willful” or merely “negligent.” If the violation of the statute is merely negligent, liability is limited to “actual damages” suffered as a result of the violation, which in the vast majority of cases is zero. However, if the violation is willful — which courts have defined to mean “objectively unreasonable” — FACTA allows the recovery of statutory damages ranging from $100-$1,000 per violation, as well as the recovery of attorneys’ fees. Punitive damages — damages designed to punish the violator and deter future violations by others — may also be awarded for willful violations.
The U.S. Court of Appeals for the Third Circuit — a federal appellate court that has jurisdiction to hear appeals from federal district courts in Delaware, New Jersey, and Pennsylvania — considered the meaning of this provision of FACTA earlier this year and issued a decision that should serve as a wake-up call to all merchants who accept credit and/or debit card payments.
The plaintiff in the case, Long v. Tommy Hilfiger U.S.A., Inc., purchased a $25 necktie from a Tommy Hilfiger outlet store in Grove City, Pa. The electronically printed receipt provided to the plaintiff included the last four digits of the plaintiff’s credit card number (which is permissible under FACTA) and the month, but not the year, of the card’s expiration date. More specifically, the receipt identified the credit card number as “############9802” and the card’s expiration date as “EXPIRY: 04/##.” Two months later, the plaintiff brought suit on behalf of a nationwide class of consumers seeking statutory damages, punitive damages, and attorneys’ fees as a result of the Hilfiger store’s failure to fully remove his credit card’s expiration date.
The trial court dismissed the plaintiff’s case, holding that Hilfiger did not violate FACTA because the statute only prohibits the printing of the “expiration date” and, the trial court concluded, Hilfiger did not print the “expiration date,” just the month of the card’s expiration date.
The plaintiff appealed the trial court’s dismissal of his case and the appellate court reversed, concluding that FACTA prohibits merchants from printing any portion of a card’s expiration date on the receipt. The appellate panel noted that the trial court’s interpretation of the statute was inconsistent with the statute’s objective of reducing identity theft, reasoning that if merchants could pick and choose what portions of the expiration date to display on the receipt, “different merchants could each choose to redact different portions of the expiration date, making it possible to ascertain the entire expiration date from multiple receipts.”
Nevertheless, the appellate court declined to reinstate the plaintiff’s case because it determined that Hilfiger had not “willfully” violated the statute and it was undisputed that the plaintiff had not suffered any actual damages as a result of Hilfiger’s conduct. To this end, the court noted Hilfiger’s interpretation of the statute was not “objectively unreasonable” under the circumstances because no other federal appellate court had previously considered this precise issue and the few trial court opinions that addressed similar FACTA violations were not directly on-point.
But now that the U.S. Court of Appeals for the Third Circuit has clarified this issue, it is reasonable to believe that merchants — and especially merchants in Delaware, New Jersey, and Pennsylvania — who continue to include any portion of a credit or debit card’s expiration date (or more than the last five digits of the card number) on electronically printed receipts following this decision may be opening themselves up to claims for willful violations of FACTA.
Accordingly, if you accept credit and/or debit card payments and provide customers with electronically printed receipts, you should immediately review the information on your customers’ receipts in order to ensure that you are complying with the Third Circuit’s interpretation of FACTA by confirming that no portion of a card’s expiration date is visible on your receipts.
While federal courts outside of Delaware, New Jersey, and Pennsylvania are not technically bound by this decision, all businesses would be well advised to completely remove expiration dates from customers’ electronically printed receipts given the low cost of compliance and the potentially disastrous financial impact that a judgment for a willful violation of FACTA could have on your business.
Brendan W. Walsh is an attorney in the litigation practice at Pashman Stein, P.C. in Hackensack, N.J. He can be reached at firstname.lastname@example.org.