Court: Massachusetts stores can't make you provide your Zip code to complete a credit-card transaction

The Supreme Judicial Court ruled today that a chain of arts and crafts stores violated a state consumer-privacy law when it used a woman's Zip code on her credit-card transaction to figure out where she lived and start bombarding her with circulars.

The opinion, however, does not mean Melissa Tyler gets anything, because her suit against Michaels is in federal court and the state's highest court was merely providing answers about state consumer laws to a federal judge hearing her case - where the ultimate decision will come.

A US District Court judge in Boston originally agreed with Michaels to toss Tyler's class-action suit, based on junk mail she started getting after making several purchases at its Everett store, saying he was inclined to rule that the Massachusetts law was meant only to prevent identity theft, not protect the privacy of consumers. But he agreed to first ask the Supreme Judicial Court - the state's highest court - for its opinion on the questions raised under Massachusetts law.

The Supreme Judicial Court said today that the relevant state law says nothing about identity fraud and that, equally important, the original bill that led to the law specifically mentioned, in all capital letters, "CONSUMER PRIVACY IN COMMERCIAL TRANSACTIONS."

The court then turned to the question of whether a Zip code, by itself, was enough to be considered "personal identification information" that merchants aren't supposed to make consumers provide, since the law refers to "a credit card holder's address or telephone number" but doesn't mention Zip codes specifically.

The court ruled that modern data-mining technology makes it so:

[B]ecause, according to (and accepting for present purposes) the allegations of the complaint, a consumer's zip code, when combined with the consumer's name, provides the merchant with enough information to identify through publicly available databases the consumer's address or telephone number, the very information [the state law] expressly identifies as personal identification information. In other words, to conclude in those circumstances that zip codes are not "personal identification information" under the statute would render hollow the statute's explicit prohibition on the collection of customer addresses and telephone numbers, and undermine the statutory purpose of consumer protection.




Gas stations

What about gas pumps that make you enter a ZIP code?

When was the last time you got a circular from Hess?

I could be wrong, but I believe that's just an alternative to Pin Codes on CC purchases. Considering the rampant issue of CC skimmers, I'd rather punch in a zip code over a PIN out in the open any day.

Automated pump transactions

Automated pump transactions can require the Zip Code to safeguard the card holder from fraud. Fraud at the pumps is huge since there are no signatures or humans to see the card and question its authenticity (see: White cards).

Gas stations eat a lot of fraud dollars at the pump and providing the billing zip code at the pump can stop a good chunk. Why a cashier needs your zip code to complete a transaction (inside sale) is a mystery. AFDs and face to face sales are two completely different transactions.

I agree and am unsure why

I agree and am unsure why Staples does this. This area coincides with what I do for a living and in my perfect world - no cashier ever touches your card. That's the whole point!

It's for the merchant's safety

The credit processor can approve the transaction all day long, but if it's fraudulent, the merchant has to eat the cost of the restitution. Many POS systems have an option that retailers use that prompts the clerk to physically verify the card by punching in the last four digits. This is to prevent shoppers from using blank magstripe cards, and in theory to prevent someone from re-coding an existing card (so that it looks legitimate but carries someone else's info on it).

So basically it's a security measure.

Now, the signature blank on the back is something you can complain about, because that's supposed to be your signature acknowledging your agreement to the credit provisions of your bank/credit provider. It's not supposed to be a security check of any sort, and the complete lack of consistency/training by retail staff (Imagine that! Trained checkout operators!) means that it's been misused and misunderstood for decades. Hell, I even just checked my Discover card and it says "Authorized Signature ->".

Since the common application (which is rare in and of itself) is signature verification, I always write "SEE LICENSE", because honestly, it's not like I'm ever going to be called into court and asked to produce my credit card as positive proof that I agreed to contractual terms. The credit application itself is more than sufficient for that.

If Costco can print my photo on my Costco AMEX, then damn it, Discover can print my signature on my credit card and do away with this stupid "Sign the back of your card" nonsense. Or better yet, just leave it off entirely and make the standard to produce a government ID.

So, if the cashier

has to physically verify the card, then what's the point of having electronic point of sale in the first place?

And if the point is security and loss prevention, then why doesn't the (insert almost every other chain store except Staples here) employee who gets paid to sit around until the "self serve" lanes break down say "May I verify your card please?" when you run it through their machine? Now that I think about it, the regular cashiers at these stores don't ask to see your card either.

Sounds like a case of (as James Hacker used to say) "You can get away with almost anything if you blame security."

Market Basket verifies my

Market Basket verifies my credit card by having me give it to the cashier, too.

Different strokes

It's up to each merchant to choose if they want to do that, and if so, if there's a particular dollar-value threshold at which point they require it. I see this often in my grocery store - if my purchase is, say, $75, they'll usually ask to see the card. If it's $10, they don't bother.

It's a cost/tradeoff balancing act - If you inconvenience everyone, does the amount you save on fraud cover the number of shoppers who may go elsewhere?

As to the relevance of electronic POS - they're still doing the transaction electronically, but they're adding a brief physical check. You already have the card out, so it should only add five seconds to the transaction time. It shouldn't seriously impact the overall efficiency. The only thing it really impacts is a person's sensibilities.

Let's say I skimmed your card at a gas pump, and then recorded the data from the magstripe on a plain card (ISO 7813). That allows me to use your card for purchases with little fear of retribution anywhere that someone won't physically take my card. For example - McDonald's restaurants with credit kiosks in front of the register.

Now, an unpainted mag card will get any cashier's attention, so I should make it look more legitimate if I want to buy anything more than obesity, so I steal someone else's mail with a credit card mailer that includes a non-activated card. Or I go to a bank and open up a new account under a false alias, just long enough to get an ATM/debit card. I now have a legitimate-looking mag card that claims to have one account number/name on it, but actually has another. Unless the clerk notices that the name on the card doesn’t match the name on the receipt, or that the last-4 of the card number don’t match what the card actually says, then I can once again get away with buying stuff on your dime without issue (until you notice).

By having the clerk manually punch in the last four on the card, it’s giving a physical check that doesn’t necessarily infringe on your personal information. It’s only part of the card number, and it helps to prevent the scenarios I’ve outlined above.

Of course, any system that depends on the diligence of a high school student or any other menial worker is bound to have some holes in it. This is part of what the chip/pin system was supposed to help cover, but to call its adoption “glacial” would be generous.

At any rate, I didn't say any of it was legitimate. Just giving the background.

Credit card transactions

Where I work the credit card machine requires billing information -- the street number and ZIP code -- to verify the validity of the card in the case of phone transactions. When a card is presented in person the card just needs to be swiped because it contains that information, but in that case the person handling the transaction can request a photo ID to verify the identity of the person using the card.

When someone at a store asks for my phone number, I refuse, because I don't want to be added to a calling list that is considered legitimate because I have done previous business with the seller. I don't mind providing a ZIP code however. In that case I think they are just trying to figure out what geographic area the customer is from (do they come from just the town, south of town, out of state, etc).

I'd avoid providing the zip code...

According to some sources, stores can use the zip code plus your name from the credit card to look up your address and send you mail, or sell your buying information to other marketing information aggregators.


Lots of clerks and store managers are misinformed about this issue and inform customers that it's just to collect demographic information. It may be, but I don't trust it. I believe CA made this practice explicitly illegal when it was found that many stores used the info to look customers up and mail to them, or were selling their information to others.

I'm not sure why you think she will not get anything...

She is most certainly suing for damages in federal court. Otherwise, there would be no incentive to bring it as a class action. If you read the link to the statute you provide, a violation of Ch. 93 Section 105 is equivalent to a violation of ch. 93A. This means that even if she cannot show actual damages, she and the class could get statutory damages of $25, whichever is greater.

This amount is at least doubled and potentially trebled under the statute if the activity was willful and knowing. So, Michaels is potentially looking at $50-$75 per violation. Oh, and she would also get her attorneys' fees paid by Michaels as that is also included in the statute.

No, sorry, I didn't say that

I said she won't get anything simply because of today's opinion, since it was issued by a state court and she's suing in federal court.

The federal judge could, of course, rule in her favor and then she'd make the case for penalties, but that's not what happened today.

I've added a line that hopefully makes that clearer.