California merchants beware of ZIP code ruling
In California a ZIP code is personal identification information
In the case, Pineda v. Williams-Sonoma Stores, Inc., the California Supreme Court recently ruled that a ZIP code constitutes ‘personal identification information' as that phrase is used in California Civil Code section 1747.08 and that requesting and recording a cardholder's ZIP code is prohibited if it is requested as part of a credit card transaction.
The California Civil Code Section 1747.08 does indicate exceptions which would allow the ZIP code to be requested, including:
- When the credit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence;
- Cash advance transactions;
- When the person, firm, partnership, association or corporation accepting the credit card is contractually obligated to provide personal identification information in order to complete the credit card transaction or is obligated to collect and record the personal identification information by federal law or regulation;
- When personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders. E-Commerce and mail/telephone order (MOTO) merchants asking for ZIP today are covered under this exception in the legislation.
Unfortunately the AVS fraud tools built for the credit card processing arena are an innocent victim to the interpretation of California law.
For example, Pay-at-the-Pump is a high card testing arena for card theft. However, it is our understanding that Pay-at-the-Pump unattended solutions requesting ZIP to prevent card fraud would not be an exception to the ruling, as it is written, today.
Also, currently Visa’s Interchange requires retail merchants to use AVS (matching ZIP) as an additional fraud tool for transactions that do not swipe at the POS in order to obtain the best merchant Interchange rate. The concept is that since there is no way for the card issuing bank to know if the card was present, it helps ensure the cardholder is present. Most payment applications will prompt the clerk on a key entered retail transaction “Is the Card Present” and if they respond “Yes”, the clerk will be prompted to ask for the cardholders ZIP. Since the cardholder is present, the assumption is that there would be no reason to give anything other than their matching Zip Code. This provides more security and thus a better Interchange rate, CPS Retail Key Entry verse EIRF Interchange.
We assume Visa is looking at this requirement in light of this recent California decision since the legislation doesn’t consider this situation as an exception. In the meantime, retailers in California must weigh the cost of fraud and the small Visa qualification downgrade in Interchange in these instances vs. possible fines and legal bills which would likely be much higher if imposed.