FACTA Guidelines for Customer Credit Card Information

July 8, 2010

A while back, I wrote an article called FACTA Guidelines for Disposing Client Information. This article discussed how the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires businesses to dispose of records and documents containing consumer information. Since then, some of my business clients have asked for clarification on issues relating to customer credit card information.

It doesn’t seem that long ago that, when paying with a credit card, your card was placed in an awkward contraption that imprinted your card information onto several receipts. Many of you will also remember ripping out the carbon paper or having the clerk call an 800 number to authorize the transaction. These days, with internet shopping and machines that instantly authorize cards, it is much more difficult to stay on top of who has the ability to track your credit card information. FACTA is a response to that uncertainty.

The credit card information commonly used by identity thieves includes not only account numbers, but also expiration dates. In general, if it is necessary for businesses to keep the credit card information of their customers, proper security procedures should be followed to prevent access by unauthorized individuals. When the information is ready to be disposed of, it should not merely be placed in the trash. Instead, it should be destroyed in such a fashion that it cannot practicably be read or reconstructed. Burning, shredding and pulverizing are considered to be acceptable methods of destruction.

Have you noticed that, upon receiving a receipt after using a credit or debit card, only the last four or five digits of the account number are printed on the receipt? This is because FACTA states that credit and debit card receipts may not include more than the last five digits of the card number. FACTA also bars businesses from including expiration dates on the receipt. However, those restrictions do not generally apply to handwritten or card-imprinted receipts.

Because the leaking of a customer’s credit card information can lead to a public relations nightmare, in addition to subjecting a business to other liabilities, it is important for businesses to comply with FACTA’s requirements. For more information, please visit the Privacy Clearing House website.