This article was written by Ryan Bigelow, Director at FoxPointe Solutions
In the class action lawsuit Martin v. Safeway Inc., the plaintiff (Martin) alleged that Safeway printed receipts for credit or debit card transactions at its gas stations that displayed the first six (6) and last four (4) digits of the payment card number.
Consumers who made a purchase using a credit or debit card at any Safeway gas station (including affiliate banners such as Albertsons, Acme, Carrs, Randalls, Jewel, Tom Thumb, Vons) between Sep. 12, 2017, and Feb. 26, 2019, were eligible to participate.1
Fair and Accurate Credit Transactions Act (FACTA)
According to the case, the display of first six and last four on receipts is in direct violation of the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681c(g)(1) et seq. (“FACTA”). The law states,
“Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.”2
FACTA protects consumer information by limiting the amount of payment card data that can be printed on receipts. Under the law, no more than the last five digits of a payment card number can appear on a receipt, and the expiration date cannot appear at all. Businesses comply with FACTA by truncating, that is, replacing the remaining digits with symbols such as asterisks, on electronically printed receipts.3
PCI Requirements for Receipts
PCI DSS Requirement 3.3 states that PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN. This requirement covers all displays of PAN, including those on paper reports, computer screens and payment card receipts.
Requirement 3.3 also includes the following note: “This requirement does not supersede stricter requirements in place for displays of cardholder data – for example, legal or payment card brand requirements for point-of-sale (POS) receipts.” It should be noted that the maximum digits allowed per PCI DSS may be different than what is specified in existing regulations. PCI DSS does not override laws, government regulations, or other legal requirements that govern what can be printed on receipts. Entities are encouraged to contact their acquirer or the applicable payment brand to determine if any such regulations apply.4
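The two rules above interact: PCI DSS 3.3 caps any display of PAN at the first six and last four digits, while FACTA, the stricter rule that PCI DSS explicitly defers to, caps a cardholder receipt at the last five digits and bans the expiration date. The following Python is an added example, not code from the article or from FoxPointe Solutions. It masks a PAN for receipt printing and scans receipt lines for the FACTA violations described above (leading digits, more than five digits, an expiration date). The receipt text and card numbers are constructed test data (standard test PANs, no real cardholder data), the store name and channel names are made up, and the expiration-date regex is a heuristic keyed on an "EXP" label so transaction dates are not flagged.

```python
"""Receipt PAN truncation and a FACTA / PCI DSS receipt-line checker.

Added example, not the article's own code. Rules come from the FACTA text and
PCI DSS 3.3 note quoted in the article; everything else here is an assumption.
"""
from __future__ import annotations

import re

FACTA_MAX_VISIBLE_DIGITS = 5   # 15 U.S.C. 1681c(g)(1): no more than the last 5 digits
PCI_MAX_FIRST = 6              # PCI DSS 3.3 ceiling for any display of PAN
PCI_MAX_LAST = 4

# Candidate PAN token: 13-19 characters made of digits and mask symbols, not glued
# to a word character or mask symbol on either side. Any 13-19 digit run (e.g. a
# reference number) is also caught, which is the conservative choice for a scanner.
PAN_TOKEN = re.compile(r"(?<![\w*#])[\d*Xx#]{13,19}(?![\w*#])")

# Expiration date: requires an EXP-style label so that transaction dates such as
# 09/12/2017 are not flagged. Heuristic; adjust to the receipt formats you see.
EXPIRY = re.compile(r"\bEXP\w*\.?\s*:?\s*(0[1-9]|1[0-2])/(\d{2}|\d{4})\b", re.IGNORECASE)


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4, fill: str = "*") -> str:
    """Return pan with all but the first keep_first and last keep_last digits masked.

    The default (0, 4) is the receipt-safe form: within FACTA's "last 5" limit and
    within the PCI DSS 3.3 ceiling. keep_first=6 reproduces the PCI DSS maximum for
    internal displays (paper reports, screens); it is NOT lawful on a cardholder receipt.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if keep_first > PCI_MAX_FIRST or keep_last > PCI_MAX_LAST:
        raise ValueError("exceeds PCI DSS 3.3 display maximum (first 6 / last 4)")
    body = len(digits) - keep_first - keep_last
    return digits[:keep_first] + fill * body + digits[len(digits) - keep_last:]


def check_receipt_line(line: str) -> list[str]:
    """Return FACTA findings for one printed receipt line (empty list means compliant)."""
    findings: list[str] = []
    for token in PAN_TOKEN.findall(line):
        visible = "".join(c for c in token if c.isdigit())
        if not visible:
            continue                      # fully masked, nothing to judge
        if token[0].isdigit():
            findings.append(f"{token}: leading digits (BIN) printed; FACTA permits only trailing digits")
        if len(visible) > FACTA_MAX_VISIBLE_DIGITS:
            findings.append(f"{token}: {len(visible)} digits visible, FACTA allows at most {FACTA_MAX_VISIBLE_DIGITS}")
        elif not token.endswith(visible):
            findings.append(f"{token}: visible digits are not the trailing digits")
    if m := EXPIRY.search(line):
        findings.append(f"{m.group(0).strip()}: expiration date printed; FACTA forbids it")
    return findings


def audit_receipts(receipts: dict[str, str]) -> dict[str, list[str]]:
    """Map each receipt (keyed by payment channel) to its findings; compliant receipts are omitted."""
    report: dict[str, list[str]] = {}
    for channel, text in receipts.items():
        findings: list[str] = []
        for line in text.splitlines():
            findings.extend(check_receipt_line(line))
        if findings:
            report[channel] = findings
    return report


# Constructed sample receipts, one per payment channel of the kind the article lists.
# Store name and channel names are invented; PANs are test numbers, not real cards.
SAMPLE_RECEIPTS = {
    "fuel_pump_legacy": "SAMPLEMART FUEL #12\nVISA 411111******1111 EXP 12/24\nTOTAL 45.00",
    "countertop": "SAMPLEMART STORE #12\nVISA ************1111\nTOTAL 45.00",
    "car_wash_kiosk": "WASH DELUXE\nMC ***********11111 AUTH 012345",
    "back_office_report": "SETTLEMENT 09/12/2017\nAMEX **********111111",
}

if __name__ == "__main__":
    print("receipt form:", mask_pan("4111 1111 1111 1111"))
    print("PCI-max form:", mask_pan("4111111111111111", keep_first=6), "(not for receipts)")
    for channel, findings in audit_receipts(SAMPLE_RECEIPTS).items():
        for f in findings:
            print(f"{channel}: {f}")
```

Run against receipts pulled from each channel in the inventory (fuel pump, countertop, kiosk, back office) after any POS change, acquisition, or vendor hand-off; the legacy fuel-pump sample above fails on all three counts while the countertop and kiosk samples pass.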
The class action lawsuit Martin v. Safeway Inc. was originally filed in 2020. Ultimately Safeway agreed to pay a $20 million settlement to resolve the claims that it violated the Fair and Accurate Credit Transactions Act. Safeway said it desires “to avoid further expense in this litigation,” but said it “denies all claims as to liability, damages, losses, penalties, interest, fees, restitution, and all other forms of relief, as well as the class action allegations, asserted in the litigation.”6 The Court granted final approval of the settlement on May 4, 2022.
The Cheesecake Factory
The Cheesecake Factory faced a similar suit (Muransky, et al. v. The Cheesecake Factory Inc., et al.) for violating FACTA by printing point-of-sale receipts that displayed the first six and last four digits of payment card numbers.7 With a similar result, The Cheesecake Factory agreed to pay a settlement of $4.75 million. The court granted final approval of that settlement on September 9, 2022.
Implications for Merchants
PCI DSS version 1.0 was released in 2004, and FACTA was enacted by Congress5 in 2003, with its receipt-truncation provision in force for all point-of-sale devices by December 2006. So how and why are these kinds of violations still happening? The following are just a few conditions that can lead to an oversight by the organization:
- Multiple payment channels producing receipts (e.g., store countertop, fuel pump, car wash, unattended kiosk, back-office, etc.)
- Multiple point-of-sale solutions in use (different make/model payment capture devices)
- Legacy point-of-sale solutions
- Misconfiguration of a new point-of-sale implementation
- Personnel may not be aware of relevant laws and regulations (e.g., FACTA, PCI DSS)
- Outsourced point-of-sale management
- Mergers and acquisitions
If your organization produces any kind of sales receipts, with the exception of handwritten and manual imprint receipts, FoxPointe Solutions recommends interviewing business process owners, reviewing cardholder data flows, and documenting the results in detailed network and data flow diagrams, business process narratives, inventories, etc.
How FoxPointe Solutions Can Help
FoxPointe Solutions, a division of the Bonadio Group, specializes in Information Risk Management. To learn more about how FoxPointe Solutions can help your organization with security and compliance, please do not hesitate to contact me directly at email@example.com or visit www.foxpointesolutions.com or contact us today.