A federal district court in Massachusetts found that a ZIP Code is personal identification information for purposes of a statute that restricts the type of information a retailer can collect when processing a credit card. Tyler v. Michaels Stores, Inc., 2012 WL 32208 (D. Mass.; Jan. 6, 2012)
Section 105(a) of Massachusetts General Laws provides:
No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.
The plaintiff complained that Michaels illegally requested her zip code to process her credit card payment. The complaint also alleged that (1) the card issuer did not require her zip code to process the transaction, (2) defendant did not require the zip code to prevent fraud, and (3) the defendant used the zip code to determine the plaintiff’s address to send “unsolicited marketing materials.” The defendant moved to dismiss the complaint, which means the judge had to take all these allegations as true in its decision.
The court looked to the purpose of the Massachusetts statute to determine whether a zip code is “personal identification information.” “The issue becomes whether the ZIP code can be used, either alone or in conjunction with other information, as personal identification information in the context of credit card transactions, and whether recording this information may pose a risk of identity fraud.” The court looked to Massachusetts’ identity theft statute to answer this question. Mass. Gen. Laws ch. 266, § 37E(a) defines personal identifying information as [A]ny name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual….” The listed examples does not include ZIP code.
Nonetheless, the court concluded that inputting a ZIP code is sometimes required in the context of a credit card transaction; it is similar to inputting a PIN number in the context of a debit card transaction. A ZIP code thus can be used along with other card holder information to commit identity theft and criminal fraud. As a result, the court found that the ZIP code is personal identification information for purposes of the statute.
Massachusetts is not the first venue to find a ZIP Code to be personal identification information. A California court did so in the context of a claimed violation of Song-Beverly Credit Card Act. Pineda v. Williams-Sonoma, S178241 (Cal. Supreme Court; Feb. 10, 2011).
The California Act prohibits a store that accepts credit cards from “request[ing], or requir[ing] as a condition to accepting the credit card as payment…the cardholder to provide personal identification information, which the [store] records upon the credit card transaction form or otherwise.” The statutes defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” In Pineda, the ZIP code was personal identification information because it could be used to locate the consumer for marketing purposes.
While the Massachusetts court attempted to distinguish Pineda as dealing with locating the consumer rather than security, in fact the two are intertwined. Authentication is often based on something you know or something you have. The problem with the Massachusetts law is that only the credit card issuer can create security-related rules. In other words, the retailer cannot independently determine that additional information should be required to verify the identity of the person presenting the card for payment. The court’s decision compounded the problem by extending the application of the statute to information electronically stored on a machine. Does this mean the statute applies to web-initiated transactions? If so, the consequence of the law is to restrict the retailer’s ability to protect consumers and itself from fraudulent activity. An unfortunate result since retailers often can incur substantial fees and expenses as a result of a security incident.
However, the court dismissed the claim for lack of damages. Following Katz v. Pershing, LLC, Civil Action No. 10–12227-RGS (D. Mass. Aug. 23, 2011), the court concluded that “where there were no instances of actual data loss or misappropriation, the failure to comply with minimum statutory security standards did not cause cognizable injury because the added risk of identity fraud did not actually cause.” Nonetheless, we can expect to see other lawsuits for violation of this statute just as we did after Pineda. The court left unresolved whether a claim for damages would exist if the plaintiff alleged the information was sold or somehow otherwise used to increase the risk of identity theft.
Retailes need to carefully review their merchant agreements and PCI DSS compliance plans to determine the information being collected at the point of sale from consumers. This list needs to be carefully compared against the general operating procedures and functional specification of their point of sale process. This includes web-based operations. If there is a gap, cessation is one option. Another is option is to get the consumers consent to obtain the needed information after clear and conspicuous disclosures. The time to act is now, before a suit is filed.