Merchant Billing & Payment

PCI DSS

Earlier this week, the FTC issued orders to nine credit card and payment security auditors in an effort to gain insight into data security compliance auditing and its role in protecting consumers’ information and privacy.

The orders contain detailed questions concerning the assessment process for Payment Card Industry Data Security Standard (“PCI DSS”) compliance, including the policies and procedures in place to govern the assessment, and the percentage of clients that have been found to be non-compliant. In addition, the orders request information on whether the auditors provide any data security forensic audit services, and the processes and procedures in place for doing so. The Commission is also requesting information on whether the auditors have been the subject of any government or regulatory inquiry, private action, arbitration, or mediation related to any of their PCI DSS services.

So What Does This Mean?

The Commission has not specified exactly what it plans to do with the data collected, other than to say that it “will be used to study the state of PCI DSS assessments.” As a general matter, all merchants are bound to comply with PCI DSS through a merchant agreement executed between the merchant and its merchant bank. Some states have also codified portions of the PCI DSS to require certain protections for payment card data. Nonetheless, a significant number of data breaches still involve the compromise of payment card information, and some of these breaches have occurred at merchants that were certified as PCI-compliant at the time of the attack.

The auditors have been ordered to respond by mid-April, so be sure to stay tuned for next steps from the FTC.

On-line marketers that share their customers’ credit or payment card information with other business partners without the consumer’s knowledge or active consent – a practice referred to as a “data pass” – may wish to read a recently published BNA Privacy & Security Law Report titled “Scrutiny on Payment Card Data Pass: Raising the Profile of Personal Information Sharing Among Marketers.” Kelley Drye attorneys Alysa Z. Hutnik and Joseph D. Wilson co-authored this article, which:

  • explores a rule recently announced by VISA and legislation recently proposed by Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) entitled “The Restore Online Shoppers’ Confidence Act” (S. 3386), both of which restrict companies’ ability to share customer payment card information (visit Kelley Drye’s Advertising Law Blog for related articles on these topics);
  • reviews two recently filed class actions, Ferrington, et al. v. McAfee Inc., 5:10-cv-1455 (N.D. Cal.), and Van Tassell, et al. v. United Marketing Group Inc., et al., 1:10-cv-2675 (N.D. Ill.), alleging that the data pass practices of certain on-line marketers violated numerous state consumer protection laws;
  • advises on steps companies should consider taking to mitigate the risk that their data pass practices will come under FTC scrutiny; and
  • discusses considerations companies should make if they find themselves the subject of a class action relating to their data pass practices.

If you or your company collect zip codes in California as part of a loyalty program or otherwise, and reverse data mine for additional customer information, you should be aware that the California Supreme Court recently granted a petition to review the issue of whether a retailer violates California’s Song-Beverly Credit Card Act if, in connection with a credit card transaction, it records a customer’s zip code for the purpose of later using it and the customer’s name to obtain the customer’s address through a reverse search database.

The Song-Beverly Credit Card Act prohibits merchants that accept credit cards in transacting business from requesting that the cardholder provide “personal identification information” and from recording that information. (Cal. Civ. Code § 1747.08, subd. (a)(2).) Under the Act, “personal identification information” means information concerning the cardholder, other than information set forth on the credit card, including, but not limited to, the cardholder’s address and telephone number. In Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (Cal. App. Ct. 2008) (discussed previously on this blog), the California Court of Appeals considered the language of the Act and its legislative history and concluded, as a matter of law, that a zip code is not “personal identification information” within the meaning of section 1747.08, subdivision (b), because a zip code is not facially individualized information. Last year, in Pineda v. Williams-Sonoma Stores, Inc., 100 Cal.Rptr.3d 458 (Cal. App. Ct. 2009), the California Court of Appeals followed Party City and affirmed the decision below that Williams-Sonoma did not violate the Act by requesting and recording the customer’s zip code for the purpose of using it and the customer’s name to obtain the customer’s address through reverse data mining. The Court of Appeals in Pineda also held that using a legally obtained zip code to acquire and use an address that is public is not “a serious invasion of privacy,” which is a necessary element of a privacy claim. Pineda failed to allege facts showing that her home address was not otherwise publicly available or that she had undertaken efforts to keep it private.

While the Party City and Pineda decisions provided clarity for companies in California that collect customer zip codes and then reverse data mine, the California Supreme Court’s decision to review this issue again creates uncertainty as to whether the practice is permissible. Stay tuned for future posts on any developments.

With so much of the economy still struggling, credit harder to come by, and consumers being more conservative with their spending, various commentators have suggested that layaway programs are poised to make a comeback. However, retailers should be careful before implementing layaway programs, especially if they are doing so on a national basis.

Several states have statutes specifically regulating layaway transactions, setting forth the maximum service charges, the refund policies, and other terms required by law. In some cases, the penalties for noncompliance can be severe, including statutory penalties or multiples of actual damages. Maryland, Ohio, Rhode Island, and the District of Columbia, among others, have statutes which specify terms that must be included in all layaway transactions, and in some cases those terms may be such that it is no longer profitable for the retailer to offer layaways. In particular, retailers may be seriously restricted in their ability to charge service fees or impose penalties for noncompliance with the terms of the agreement. As a result, some retailers are specifically excluding certain jurisdictions, or providing for alternative contractual terms in those jurisdictions. For example, the layaway program for Toys ‘R Us and Babies ‘R Us stores is apparently not available in Maryland and is subject to different terms in Ohio and Rhode Island.

Layaway may very well prove to be a reliable business model for bringing consumers into stores (or onto websites), but it’s also an area where a patchwork of local laws can create dangerous legal minefields.

Which among the following businesses are potentially subject to consumer financial services laws, rules, and regulations?

A. a retail clothing chain
B. a bank or mortgage company
C. an internet retailer
D. a fast food franchisor
E. all of the above

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws. Consequently, their businesses may not be compliant and may be subject to litigation risk.

The focus of the Consumer Finance Law Blog is to keep – all on one site – traditional and non-traditional financial service providers subject to consumer financial services laws abreast of recent developments in:

  • State consumer protection statutes and regulations
  • State privacy statutes
  • Privacy and consumer protection litigation
  • Card Association Rules
  • Equal Credit Opportunity Act
  • Electronic Funds Transfer Act
  • Fair Credit Reporting Act
  • Fair Credit Transactions Act
  • Fair Debt Collection Practices Act
  • Payment Card Industry Data Security Standard
  • State Money Transmitter Statutes
  • State Retail Installment Sales Act
  • State and Federal Unfair and Deceptive Trade Practices Acts
  • TILA, RESPA, and related federal and state consumer disclosure and notice requirements
  • Insurance coverage issues
  • Legislation that may impact company compliance or create new litigation risk

We welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.