Credit Card

A number of investigations and inquiries, including a call for a hearing in Congress on December 30, 2013, have been sparked by the announcement by Target Corp. that a massive security breach of approximately 40 million of its customers’ credit and debit card accounts used at brick-and-mortar Target stores occurred between November 27 and extending through at least December 15.

The retailer stated that hackers obtained information known as “track data”: customer names as well as debit or credit card numbers and card verification values (CVVs).  Armed with track data, hackers can create counterfeit cards by encoding the information onto any card with a magnetic strip. In recent weeks, the stolen track data has been flooding underground black markets, according to Brian Krebs, writing on Krebs on Security. The data is being sold in batches of one million cards for anywhere from $20 to more than $100 per card, with cards issued by foreign banks fetching the higher prices.Continue Reading Senators Call for Hearing on Data Security in Wake of Target Data Breach

As we previously blogged, in a case concerning retail chain Michaels Stores, the Supreme Judicial Court of Massachusetts (SJC) recently issued a broad ruling regarding the circumstances in which consumers may sue for collection of zip code information during credit card transactions under Massachusetts law.  Two separate putative class

Continue Reading Bed Bath & Beyond Sued Over Zip Code Data

In a recent decision, the Supreme Judicial Court of Massachusetts (“SJC”) broadly interpreted a statute that governs the personal information that may be collected by a merchant during a credit card transaction.  The decision, Tyler v. Michaels Stores, Inc., SJC-1145 (Mass. March 11, 2013), was issued in response to three questions that had been certified to the SJC by a federal district judge in Boston, in connection with a lawsuit alleging violation of Mass. Gen. Laws, ch. 93, §105(a), the Massachusetts analogue to California’s Song-Beverly Act. 

Section 105(a) provides that “[n]o business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”  “Personal identification information,” in turn, “shall include, but shall not be limited to, a credit card holder’s address or telephone number.”  Violations of Section 105(a) are treated as “unfair and deceptive trade practices” under Mass. Gen. Laws. ch. 93A, §§ 2, 9, which provides “injured” persons a private right of action against any entity that commits an unfair or deceptive trade practice.

The plaintiff in Tyler alleged that Michaels Stores violated §105(a) by requesting her ZIP code during a credit card transaction at one Michaels Stores retail location.  The district court agreed that the plaintiff had sufficiently pled a violation of that statute, but nonetheless dismissed the complaint because she had failed to allege a cognizable injury stemming from the violation, which is required to bring an action under Massachusetts’s unfair and deceptive trade practices statute.  The court explained that the purpose of §105(a) was to prevent identify fraud, and suggested a plaintiff would need to allege that fraud had occurred because of the alleged violation of §105(a).   Continue Reading Massachusetts Supreme Judicial Court Issues Broad Ruling on Point-of-Sale Data Collection

Nearly two years ago, the California Supreme Court held that requesting a customer’s ZIP code in connection with a credit card transaction violated the Song-Beverly Credit Card Act of 1971, a statute that prohibits businesses from recording a customer’s “personal identification information” (“PII”) as a condition of accepting a credit

Continue Reading Song-Beverly Act Returns to California Supreme Court

Yesterday, the Payment Card Industry Council issued guidance for merchants using smartphones or tablets to accept payments from customers.  The guidance follows up on the PCI Council Chairman’s pledge in February, as reported in this blog, to make mobile payments a top priority.  Payment card readers that can be

Continue Reading PCI Council Issues Guidance for Mobile Payment Acceptance

Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act.  According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers.  A roundup of recent developments in Song-Beverly Act litigation:

  • A case against Brookstone had been dismissed in May 2010 on the ground that a ZIP code is not “personal identification information” within the meaning of Song-Beverly, but a state appellate court ruled [PDF] that the subsequent contrary decision in Pineda applied retroactively and that the suit against Brookstone could therefore proceed. 
  • Both state and federal courts in California have now reaffirmed that Song-Beverly does not apply to online transactions (Gonor v. Craigslist, Inc. [PDF]; Salmonson v. Microsoft Corp. [PDF]).  According to Mehrens v. Redbox Automated Retail LLC [PDF], Song-Beverly does not apply to transactions conducted at self-service kiosks either.  The courts recognized that fraud prevention justifies the collection of ZIP codes in online and kiosk transactions. 
  • A California federal court preliminarily approved a settlement under which Tiffany and Co. agreed to provide a voucher for either $10 off or free engraving to an estimated class of 90,000 customers; $142,000 in attorneys’ fees to class counsel; and $2,000 to the class representative.

Continue Reading Pineda One Year Later

On October 27, 2011, Senator John D. Rockefeller, chairman of the Senate Commerce, Science, and Transportation Committee, sent letters to Visa and Mastercard requesting information regarding the companies’ data collection and aggregation practices and proposals.  An October 25, 2011, Wall Street Journal article outlined various initiatives from the two companies pertaining

Continue Reading Senator Rockefeller Requests Information Regarding Visa and Mastercard Data Collection Practices and Proposals

In a report released on September 28, 2011, Verizon concluded that only 21 percent of organizations subject to the payment card industry’s data security standards (PCI-DSS) were fully compliant with PCI-DSS.  Verizon’s prior report found that 22 percent of organizations were fully compliant with PCI-DSS.  The PCI-DSS consist

Continue Reading Verizon Report Concludes that Industry’s Compliance with PCI Standards Remains Low

Earlier this month, the Payment Card Industry Council (“PCI”) unveiled the first set of point-to-point encryption (“P2PE”) standards designed for providers of P2PE hardware-based encryption and decryption solutions.  P2PE providers develop for merchants point-of-sale hardware such as payment card readers and electronic cash registers that completely encrypt payment card data

Continue Reading PCI Point-to-Point Encryption Standards May Simplify Compliance

In a decision with implications for all California retailers, the California Supreme Court ruled [PDF] yesterday that a customer may not be asked to provide his or her ZIP code during an in-person credit card transaction.  At issue in Pineda v. Williams-Sonoma Stores, Inc. was the scope of California’s Song-Beverly Credit

Continue Reading California Supreme Court: Retailers May Not Request ZIP Codes During Credit Card Transactions