Online Display of Credit Card Numbers – Legal or Maybe Not, But Just Don’t Do It!
September 28, 2009
by Michael Fleming
Is the output of an online shopping cart's check-out web page, which is displayed on the end-user's computer monitor, a "printed" copy of a receipt? That may seem like the perfect argument for law students to debate over lunch or at the pub, since many would find that in the absence of more information the question is impossible to answer. But, the question becomes one of great importance when an online business is displaying a customer's credit card number on a web page that is arguably a "receipt" for a transaction, since whether or not that is a "printed receipt" makes all the difference on whether that business has violated the Fair and Accurate Credit Transaction Act (FACTA) restrictions on printing credit card numbers and expiration dates. A series of class action lawsuits against online retailers has made this more than a law school debate.
Unfortunately, the courts are not doing much to settle this argument. There are a number of decisions, and they break out into two camps almost completely at odds with each other. Some courts have held that FACTA's prohibitions only apply to traditional paper receipts. Others have held that, without a more concise definition from Congress on what it meant by "printed," the output of a computer screen is just as much a printed matter as would be a piece of paper. Just this month, a federal court in Illinois joined the "screen equals printing" camp. The consequences of non-compliance for the business can be expensive, as the law allows for direct consumer actions seeking up to $1000 per harmed consumer as well as attorney fees. Most of the complaints in this area come in as class actions, which greatly multiplies the risks for an online operator who is targeted in these claims.
The good news is that avoiding the risk is very easy for a web site operator. If an online operator simply presumes that its web pages are "printed" matter, and that all of those pages it transmits which might contain a reference to a credit card number are "receipts," the operator will then design its pages and systems with FACTA compliance in mind. The cost to do this up front is essentially zero over costs that are already being incurred to design the pages: just set up all screens or other output that comes from the site to never display more than the last five digits of a credit card or a credit card expiration date.
For the web operator that designs with FACTA compliance in mind, it will not matter which side of the ongoing debate is right and which is wrong. The rare exceptions (if there are any!) where a fuller display of credit card numbers may be necessary should certainly be addressed with an attorney before implementation. But, for nearly everybody, the cost to avoid the problem is effectively zero with but a bit of advance planning.
Thus, leave the burning question of what is "printing" to those who have plenty of time to sit around the pub tables, or to those who have plenty of money to burn in court.
- Michael Fleming is a member of the Larkin Hoffman Daly & Lindgren Ltd. Intellectual Property, Technology and Internet Practice.