What Dimitriy Simonoffs v. Expedia tells us about printed receipts
There's been some discussion recently about exactly what a recent court ruling means about merchants' ability to send credit card numbers over email. Like in most of these cases, lots of what's being said isn't supported by the facts. Here's what really happened and what it probably means.
Dimitriy Simonoffs received an email receipt from travel web site Expedia that contained the expiration date of the credit card that he used for a purchase. Believing that this violated the Fair and Accurate Credit Transactions Act of 2003 (FACTA) (PDF), he filed a suit against Expedia. This suit eventually made its way to the United States Court of Appeals for the Ninth Circuit, which issued an Opinion on Simonoffs v. Expedia on May 24, 2011. Simonoffs claimed that FACTA's provision that
no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.
applied to email receipts as well as physical receipts. The court disagreed, finding that the wording of FACTA clearly does not apply to electronic receipts:
In enacting FACTA, Congress did not use language that would have clearly extended FACTA’s protection to electronically mailed receipts. For example, Congress could have applied FACTA to "electronically printed or transmitted" receipts, to "electronically printable" receipts, or to "electronically displayed" receipts. See Simonoff v. Kaplan, Inc., No. 10 Civ. 2923, 2010 WL 4823597, at *7 (S.D.N.Y. Nov. 29. 2010). Congress, however, chose not to do so, even though it has referred to digital methods of communication and commerce in numerous other statutes. See Shlahtichman, 615 F.3d at 801-02 (canvassing various other federal statutes that use terms such as "Internet," "Internet websites," "electronic mail," and "online service," among others). We can’t fill in the blanks with words that Congress didn’t supply.
In other words, it looks like Congress probably wasn't very careful when they wrote FACTA, and this is reflected in the fact that the wording that they used omitted coverage of electronic receipts even though other laws have addressed them.
That seems fairly straightforward.
Does this mean that merchants can't print credit card numbers but are now free to send credit card numbers over email?
No. Not even close.
The PCI DSS clearly says that that's not allowed. So even if there's an oversight in the wording of FACTA that makes it legal, merchants still can't do this. So if anyone tells you that Simonoffs v. Expedia means that merchants are now free to send credit numbers over email, they probably either haven't thought about it very carefully or are hoping to get their 15 minutes of fame by misrepresenting the facts.