What is FACTA? Does it apply to credit card numbers?
May 23rd, 2007 by datasecurity Posted in Government, Legislation
There is a lot of debate going on in the courts right now about FACTA and how it applies to identity theft. (Some precedent here.) So what is FACTA and how does it apply to PCI compliance?
Well, FACTA is not Luigi Facta, the Italian politician and journalist. It is the Fair and Accurate Credit Transactions Act (FACTA). Most people know of FACTA because it entitles them to a free copy of their credit report if they are ever denied credit for any reason. It also enables them to put a fraud warning on their credit file if they feel they are a victim of identity theft.
I want to stop here and remind everyone that credit card theft has NOTHING to do with identity theft. To say it does would be the equivalent of saying that by stealing cash from your wallet one could then re-create your monthly paycheck. Identity theft means stealing the basic building blocks that can be used to create more credit, debt, and identification sources. Examples would be stealing someone's social security number, birth certificate, or other ID. Stealing an omelet does not enable me to make eggs!
But, there is another side of the FACTA law that addresses credit card security.
The FTC’s latest FACTA rule requires any business “that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose” to “properly dispose of such information or compilation.” Both FACTA and the new rule are supposed to cut down on the incidences of identity theft by, among other methods, restricting the ability of thieves to go “dumpster diving” for valuable consumer information contained in discarded business records.
According to the Privacy Rights Clearinghouse:
FACTA says credit and debit card receipts may not include more than the last five digits of the card number. Nor may the card’s expiration date be printed on the cardholder’s receipt. However, the effective date of this provision is a long way off, and there are a couple of loopholes:
- This section does not apply to receipts for which the sole means of recording a credit or debit card number is by handwriting or by an imprint or copy of the card.
- For machines in use before January 1, 2005, the merchant has three (3) years to comply.
- For machines in use after January 1, 2005, the merchant has one (1) year to comply.
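The truncation rule quoted above is easy to check mechanically. The following is an added example (not from the original post or the Privacy Rights Clearinghouse) that scans printed receipt text for a card number showing more than the last five digits, or an expiration date, and also shows a compliant masking routine; the receipt text and card number are constructed test data.

```python
import re

# Limit taken from the FACTA provision quoted above: at most the last five
# digits of the card number may appear, and no expiration date at all.
MAX_VISIBLE_DIGITS = 5

# A card-number field: 13 to 19 digits or mask characters (X, x, *), optionally
# separated by single spaces or dashes, e.g. "XXXX XXXX XXXX 1111" or a full PAN.
PAN_FIELD_RE = re.compile(r"(?<![\dXx*])(?:[\dXx*][ -]?){12,18}[\dXx*](?![\dXx*])")
# Expiration date as commonly printed on receipts: "EXP 12/09", "Exp: 12/2009".
EXPIRY_RE = re.compile(r"\bEXP(?:IRES|IRY|IRATION)?\b[:.\s]*\d{2}[/\-]?\d{2,4}",
                       re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum; used so that a 13-19 digit order or reference number
    that happens to appear on the receipt is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_receipt(text):
    """Return (line_number, problem, offending_text) for every violation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_FIELD_RE.finditer(line):
            field = m.group(0)
            compact = re.sub(r"[ -]", "", field)
            visible = sum(c.isdigit() for c in compact)
            if visible == len(compact):          # nothing masked at all
                if luhn_ok(compact):
                    findings.append((lineno, "full card number printed", field))
            elif visible > MAX_VISIBLE_DIGITS:   # masked, but too much shown
                findings.append((lineno, f"{visible} card digits visible "
                                 f"(max {MAX_VISIBLE_DIGITS})", field))
        exp = EXPIRY_RE.search(line)
        if exp:
            findings.append((lineno, "expiration date printed", exp.group(0)))
    return findings


def mask_pan(pan, keep=4):
    """Compliant rendering: keep only the last `keep` digits (keep <= 5)."""
    assert keep <= MAX_VISIBLE_DIGITS
    digits = re.sub(r"\D", "", pan)
    return "X" * (len(digits) - keep) + digits[-keep:]


# Constructed receipt text; 4111 1111 1111 1111 is a well-known test number.
BAD_RECEIPT = "ACME MART  STORE #0042\nVISA  4111 1111 1111 1111  EXP 12/09\nAUTH 123456   TOTAL $18.42\n"
GOOD_RECEIPT = BAD_RECEIPT.replace("4111 1111 1111 1111  EXP 12/09", mask_pan("4111 1111 1111 1111"))
```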
So what do we do now? Well, the consumers sue the merchants, who in turn sue the POS vendors. The reality of the matter is that monetary loss due to thrown-out credit card numbers comes nowhere near the numbers and actionable volume seen in cases such as the TJX breach. How many dumpsters would you have to dive into to obtain (and then manually enter) the 40 million card numbers rumored to be compromised as part of the TJX breach? Why would any self-respecting hacker dive into a dumpster when they can compromise a non-compliant merchant or service provider?
And, please oh please, do not label credit card theft as identity theft. It is nothing of the sort. *sigh*
One Response to “What is FACTA? Does it apply to credit card numbers?”
By DAG on May 24, 2007
The use of stolen cards is fraud. The use of personal information to impersonate someone and get a card is also fraud — specifically, the type of fraud the media likes to call “identity theft”. Having a stolen card alone doesn’t let me get new ones issued.
You are not the first to lament the misleading term “identity theft”. Bruce Schneier has frequently written against it. In “Solving Identity Theft” http://www.schneier.com/essay-153.html , he says:
- “identity theft” is an oxymoron
- And it’s surprisingly easy to get an identification card in someone else’s name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
- Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can’t involve the account holders.