After hundreds of retailers and restaurants ran afoul of the law by printing expiration dates of credit and debit cards on receipts, a change protects them from frivolous lawsuits.
The bill says a business that printed an expiration date on a receipt over the past 18 months cannot be found in violation of the Fair Credit Reporting Act as long as the merchant printed no more than the last five digits of the card number and complied with other FCRA requirements.
In an update of the FCRA, the Fair and Accurate Credit Transactions Act (FACTA) that took effect at the end of 2006, merchants interpreted the new rules as meaning they could either print no more than the last five digits OR leave off the expiration date, say the National Retail Federation and the National Council of Chain Restaurants. Most shortened the card number, but some kept printing the expiration date with the idea that the date is of no value without the full card number.
The resulting class action lawsuits — estimated at more than 300 — led Congress to unanimously pass new legislation, the Credit and Debit Receipt Clarification Act on May 20. Lawsuits called for fines up to $1,000 per incident.
While retailers and restaurant groups hailed the change, some attorneys are dismayed by its retroactive nature.
"The cases are over. Congress says you don't have a cause of action anymore. There's nothing we can do," Miami attorney Matthew Sarelson told the Daily Business Review. Sarelson, who has filed a dozen FACTA lawsuits, said six of the lawsuits are now over due to the legislation. "It's a bailout plan, plain and simple, and it's worded in such a way that it doesn't change what the law says.”
Merchants are required to both truncate card numbers and leave off expiration dates going forward.
Dallas Morning News columnist Pamela Yip, who last month moderated a panel discussion on data security, wrote that companies need to pay closer attention to protecting consumers’ private information, with truncating credit card numbers and deleting expiration dates just one step that should be taken.
Businesses should inventory what sensitive information they have, where it’s stored and who has access. Provide training, keep only the information you need for your business, lock up offices, desks and shredders, and destroy unneeded documents in a timely way. Most important, plan ahead, Yip advises. Be ready to help consumers if a security breach occurs.
“I encourage businesses to be vigilant about data security, because not doing so could have too high a cost for them and their customers,” she wrote.