Credit card privacy laws: Are you compliant?

Credit card privacy laws: Are you compliant?

Merchants looking to collect customer information in the form of zip codes had better take note: The California Supreme Court recently ruled that zip codes are "personal identity information" and thus off-limits to merchants processing credit card transactions.

Business owners routinely ask for zip codes for a simple reason. It gives them a better idea where their customers live, and in what areas they're selling the most goods and services. But according to the California Supreme Court, it's also a breach of privacy. 

The judgment resulted from a class-action lawsuit against Williams-Sonoma stores by a woman named Jessica Pineda. She complained that the retailer asked for her zip code after she made a credit card purchase.

The woman charged that the company had used the zip code to obtain her address and that the store had the potential to sell that information to third parties. While two lower courts supported Williams-Sonoma, the California Supreme Court ruled that the woman's zip code was covered under the state's credit card privacy laws.

"The Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction," Justice Carlos R. Moreno said in a ruling for the majority. "We hold that personal identification information ... includes the cardholder's ZIP code."

The case should serve as a wake-up call to business owners. The California ruling might be restricted to the Golden State, but other states could follow suit. There are also plenty of other privacy laws related to credit card purchases that merchants may want to know about. Here are some tips for making sure you're compliant with credit card privacy laws.

1. Read every ruling carefully. If you live in California, are you banned from ever asking for a customer's zip code? Not necessarily. Gas stations can still ask for a zip code for a credit card purchase. (They do so for security purposes and don't store the data). In addition, retailers can ask customers for their zip codes for shipping information purposes.

2. Always follow PCI DSS standards. Any retailer who uses credit cards must adhere to the Payment Card Industry Security Standards Council's Data Security Standard. PCI DSS is a set of standards forged by the major credit card providers, including Visa, MasterCard, Discover and American Express, that seeks to protect consumers from credit card theft. Failure to comply with PCI DSS could result in a merchant losing the ability to accept credit card transaction or face fines as high as $500,000.

3. Make sure you're compliant with federal laws. For example, under the Gramm-Leach-Bliley Act, passed into law in 1999, credit card companies (but not merchants) have to send consumers written notice on the personal financial information the card company collects. However, the law also states that consumers must be informed about any company or organization that receives their personal information.

4. Also check your state laws. There's little uniformity among individual states regarding credit card privacy laws. Illinois, for example, bans the provision of credit card numbers "as a condition of check cashing or acceptance prohibited." And Kansas prohibits "the taking of personal information when using a credit card."

The website PrivacyRights.org offers a complete, state-by-state list of privacy laws relating to credit card use. For merchants, it's a list worth checking out.

See related: Best privacy practices for businesses with merchant accounts; More states adding data breach notification laws 

Published: April 20,2023