... From Biz2Biz NWA February 2009
By Janie Pritchett-Clark
It’s newsworthy, confusing, and full of uncertainty, but the FACTA law provision has definitely established a higher level of responsibility for small businesses. Your business is now liable for identity theft under FACTA, and the liability could cause financial ruin for companies without a proactive measure in place. How can you hedge your liability? The gist: establish a privacy policy, appoint someone to oversee it, train your employees about identity theft, and establish a mitigation plan.
FACTA stands for Fair and Accurate Credit Transactions Act. Its key component gives every consumer the right to his or her credit report free of charge every year. Its key impact on business is that it requires merchants to safeguard credit card numbers and personal information. In effect, it means that:
• Purchase receipts must leave off all but the last five digits of a credit card number
• Companies must keep tight security on employee personnel files
• Businesses need to destroy private consumer data obtained from information providers, such as consumer reports and background checks
• Electronic files should be erased or destroyed, and other personal information burned, pulverized or shredded.
It also requires lenders and credit agencies to take action before a victim even knows a crime has occurred. According to the major credit card companies, here are the most critical security aspects for merchants:
Storage of Cardholder Information
• Do not store the following under any circumstance: full contents of any track from the magnetic stripe on the back of the card or the card validation code.
• Store only that portion of the customer’s account information that is essential to your business, such as their name, account number, or expiration date.
• Store all material containing this information in a secure area limited to authorized personnel.
• Destroy or purge all media containing obsolete transaction data with cardholder information.
• Advise each merchant bank or processing contact of any agents that engage in, or propose to engage in, the processing or storage of transaction data on your behalf -- regardless of the manner or duration of such activities.
• Make sure these agents adhere to all rules and regulations governing cardholder information security. Any violation by your agent may result in unnecessary financial exposure and inconvenience to your business.
• In the event that transaction data is accessed or retrieved by any unauthorized entity, notify the merchant bank or processing contact for each card brand immediately.
Sunday, July 12, 2009