Fear FACTA: Beware the Truncation Requirement of the Fair and Accurate Credit Transactions Act

by Davis Wright Tremaine LLP

All businesses, large and small, that issue electronically generated credit or debit card receipts to consumers at the point of transaction are subject to the “truncation” requirement of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). This seemingly modest provision, which forbids credit and debit card receipts, whether for $1 or $100,000, from displaying more than the last five digits of the cardholder’s account number, unleashed a wave of class action litigation, no doubt due in large part to the Act’s establishment of statutory damages of up to $1,000 per violation regardless of the occurrence of actual injury. Promoted by an active plaintiffs’ bar, lawsuits have been filed against businesses of all types and sizes, ranging from small mom-and-pop stores to the likes of Federal Express, Southwest Airlines, Adidas, 1-800-Flowers.com and Avis Rent-A-Car. Even defendants who have dodged such claims through early motions to dismiss or by later defeating motions for class certification have had to bear the significant costs and risks of defending against class action litigation. Others, not so fortunate, who have failed to defeat class certification motions, generally have settled to avoid facing the risk of trial and potentially crippling damage awards. The lessons learned from the first decade of FACTA counsel that businesses should indeed fear the consequences of violating the Act’s truncation requirement and be diligent in following some simple but essential safeguards.

In 2003, to combat the growing problem of identity theft and credit and debit card fraud, Congress enacted FACTA, Pub. L. 108-159, 15 U.S.C. § 1681c(g), as an amendment to the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (FCRA). FACTA includes, among other things, a “truncation” requirement that a person who ac¬cepts credit or debit cards for the transaction of business may not print more than the last five digits of the card number, or print the expiration date, on any electronically printed receipt given to a cardholder at the point of the sale or transaction; the requirement does not apply to transactions in which the credit or debit card account number is entered by handwriting or by an imprint or copy of the card. While the Act clearly applies to the issuance of paper receipts provided during face-to-face transactions, courts have disagreed over whether FACTA also applies when a business does not actually print the receipts, such as in Internet transactions where receipts are transmitted electronically to consumers.

The statute of limitations for bringing suit to remedy an alleged FACTA violation is two years from discovery of the violation, but not later than five years from the violation. 15 U.S.C. § 1681p. The truncation provision, which had a phased-in effective date depending on when registers were manufactured, became fully effective in December 2006, 15 U.S.C. § 1681c(g)(3), and was met with an almost overnight onslaught of class action lawsuits.

FACTA’s Damages Provisions
FACTA’s fear factor resides in its damages provisions. While Congress intended to stem the growth of identity theft and credit card fraud, it did not foresee that the damages provisions of the Act would result in potential damage awards of such magnitude as to be capable of causing the bankruptcy, and even the demise, of businesses held to have willfully violated its terms.

The Act provides that any person that negligently violates the truncation require¬ment is liable for actual damages, as well as attorneys' fees. 15 U.S.C. § 1681o(a). More significantly, in the case of “willful” violations, the Act provides for recovery of statutory damages of not less than $100 but not more than $1,000 per violation, as well as punitive damages and attorneys' fees. 15 U.S.C. § 1681n(a).

The meaning of “willful”, which is not defined in the Act, was an early battleground in FACTA litigation. However, in Safeco Ins. Co. of America v. Burr, 551 U.S. 47 (2007), the U.S. Supreme Court interpreted the willfulness requirement for statutory damages under FCRA as including not only a knowing violation, but also “reckless disregard” of the law’s requirements. “Recklessness” was explained as an action entailing “’an unjustifiably high risk of harm that is either known or so obvious that it should be known.’” Thus, the Court said, “a company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statute's terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless.” In short, “recklessness” involves something more than negligence, but need not rise to the level of an intentional act. Lower courts have since applied Safeco in construing the willfulness element of FACTA, which was enacted as an amendment to FCRA.

Significantly, a class action plaintiff claiming statutory damages on account of a willful violation of FACTA is not required to prove that identity theft, or any other actual injury, resulted to it or any member of the putative class. The mere issuance of an improperly truncated receipt to a consumer is deemed to itself constitute injury for purposes of the statute and to confer standing to sue.

When claims are aggregated in a class action on behalf of all customers of a merchant that failed to properly truncate credit card numbers, the amount of damages can be massive. For example, a single credit/debit card terminal that is improperly programmed could spew more than 40,000 inadequately truncated receipts to customers in a single year. Should such a failure to have properly truncated the receipts be found to have resulted from reckless conduct, statutory damages could amount to as much as $40,000,000, and the defendant also could be subject to an award of punitive damages and attorneys’ fees. Where the failure to properly truncate receipts extends to scores or even hundreds of terminals, the number of unlawful receipts can rise into the hundreds of thousands or even millions, and the potential damages can be nothing short of catastrophic, with FACTA class actions against major retailers having been reported to involve potential damage claims amounting to billions of dollars (e.g., Costco–$17 billion; StubHub–$2 billion; Cost Plus World Market–$3.4 billion).

FACTA Class Action Litigation
Courts have shown varying degrees of receptiveness to FACTA class actions. Complaints often have been bare-bones, reciting little more than the basic elements of a FACTA claim and the federal class action rule, but alleging few facts to support claims of willfulness or recklessness. Some courts have dismissed such complaints, finding that they inadequately plead the required elements of a claim for a knowing violation of FACTA. Even partial dismissal of a complaint, striking the allegations of a knowing or reckless violation, can put an end to a putative FACTA class action, since absent access to statutory damages, each class member would be required to prove that he/she suffered actual damages from an improperly truncated receipt, which not only would be impossible for most class members but likely would render the case unsuitable for class action treatment. In such cases, most class action plaintiffs and their lawyers will elect to withdraw their case rather than proceed. Indeed, with willfulness as the key to FACTA class actions, it is no wonder that some plaintiffs disclaim any violation based on negligence, and that defendants focus their attack on a complaint’s allegations of willfulness. Unfortunately, many courts have failed to apply a discriminating eye to FACTA class action complaints, even when presented with little more than conclusory allegations of willfulness, deferring consideration of such issues to either the class certification hearing or trial, but not through an early motion to dismiss.

At the class certification stage, a number of courts have denied certification, focusing on the potentially annihilative amount of damages that a defendant could incur, and the disproportionate relationship of such damages to the absence of actual economic injury suffered by the plaintiff and class members. Those courts have expressed concern that the potentially enormous aggregation of statutory damages threatens to violate the due process rights of defendants, and to have an “in terrorem effect”, pressuring defendants to accept unfair settlements, even when meritorious defenses exist, to avoid facing the risk of ruinous liability. Additional factors that have influenced courts to deny class certification have included (1) expert testimony that printing the expiration date on an otherwise properly truncated receipt cannot possibly cause identity theft or other actual injury; (2) a defendant’s prompt efforts to properly truncate receipts after learning of the non-compliance; and (3) the fact that denial of class certification would not prevent persons who actually suffered injury from bringing individual claims for compensatory damages, or persons who suffered no actual injury from bringing individual actions to recover statutory damages plus attorneys’ fees. Other courts, however, have granted certification, either rejecting the annihilation defense and other attacks on certification, or deciding that such issues should be addressed after trial, if liability is found, in the damages phase of the case.

In many early FACTA cases, defendants took the position that they were unaware of the Act’s truncation requirement. With the Act now ten years old, and given the widespread publicity surrounding the law, including industry advisories and even the imposition of compliance requirements by the major credit and debit card companies, it has become increasingly difficult for a business to assert that it was unaware of FACTA’s existence or requirements, and more likely that disregard of the Act’s requirements could be deemed to be reckless, if not knowing. Likewise, whereas plaintiffs frequently sought to define as large a class as possible, some plaintiffs’ counsel have now taken to defining the putative class more narrowly, on geographic or other bases, in anticipation of the annihilation defense, to ensure that potential damages in the case, while substantial, will remain in the non-lethal zone.

FACTA Safeguards
There are a number of steps that a business can, and should, take to discover any current or past FACTA noncompliance, reduce the likelihood of future FACTA violations, lessen exposure from past, present or future violations, and be positioned to respond to class action FACTA litigation, should it arise. These steps not only will reduce the potential for future lawsuits and mitigate any potential damage award in such litigation—particularly by reducing the likelihood of a violation being found to have been willful or reckless—but also may assist defense lawyers in negotiating an early settlement of FACTA litigation by demonstrating the weakness of the plaintiff’s claim of a willful violation.

  • Review all current register and terminal supply, software and service contracts to determine whether vendors have been made responsible for FACTA compliance. If they have not, seek to amend the contracts (e.g., through contract extensions) to clearly (i) delegate responsibility to them for ensuring that terminals properly truncate receipts in compliance with FACTA requirements, (ii) impose liability and defense costs on vendors should they fail to do so, and (iii) be named as an additional insured on vendors’ insurance policies.
  • Prospectively, include similar provisions in all new contracts with vendors and service providers.
  • Review current insurance policies to determine whether they provide coverage for defense of FACTA claims and, if they do not, explore the availability and cost of securing such coverage.
  • Adopt a written FACTA compliance policy.
  • Routinely, and preferably on a quarterly basis, check all terminals to confirm that they are operating in compliance with FACTA truncation requirements.
  • Inform employees of FACTA’s truncation requirement and their responsibility to promptly inform management of any instance where they observe that receipts issued to consumers are not properly truncated.
  • If a potential FACTA violation is discovered, (i) take immediate action to determine the extent of noncompliance (i.e., how many registers are issuing non-compliant receipts, the reason for the noncompliance (e.g., intentional failure to correctly program registers, or error by the manufacturer or service provider), the time period during which noncompliant receipts were issued, and the number of noncompliant receipts that were issued to consumers); (ii) have vendors correct improperly programmed registers; (iii) verify that all other registers are properly truncating account numbers; (iv) review contracts of service providers to determine the scope of their responsibility for the violation and its consequences, and any notice requirements; and (v) review insurance policies to determine the extent of any coverage and applicable notification requirements. These actions should be taken under the supervision of counsel, in order to maintain all available privileges that may apply (e.g., attorney-client privilege, and privilege for voluntary self-corrective actions).

Identity theft is a significant, and growing, worldwide problem. In this environment, FACTA litigation shows no sign of abating. Please let us know if you have any questions regarding the applicability of, or compliance with, FACTA, or need assistance in reviewing your compliance with the Act’s requirements, preparing a FACTA truncation compliance policy, or responding to FACTA litigation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.