Slashdot Mirror
Court Says California Stores Can't Ask Customers For ZIP Codes
Hugh Pickens writes writes "CNN reports that the California Supreme Court has ruled that retailers in California don't have the right to ask customers for their ZIP code while completing credit card transactions, saying that doing so violates a cardholders' right to protect his or her personal information, pointing to a 1971 state law that prohibits businesses from asking credit cardholders for 'personal identification information' that could be used to track them down. 'The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction,' the decision states. 'We hold that personal identification information ... includes the cardholder's ZIP code.' In her lawsuit, Jessica Pineda claimed that a cashier at Williams-Sonoma had asked for her ZIP code during a purchase — information that was recorded and later used, along with her name, to figure out her home address by tapping a database that the company uses to market products to customers and sell its compiled consumer information to other businesses."
Worse is O'Reilly auto parts. They want your name, address and phone number.
They told me it was for "warranty information". I was buying a quart of oil.
I walked out and went and bought it at Walmart instead.
The law provides for the collection of personally identifying information that's necessary for the transaction. Online, this includes the billing zip code. This ruling apples to card-present retail transactions. FYI. Here's the entire decision: http://www.courtinfo.ca.gov/opinions/documents/S178241.PDF
geek. lawyer.
I have noticed many gas stations around here now require you to enter your zip code when you pay at the pump. I assume it's an extra validation against the zip code on your credit card.
The law provides for the collection of personally identifying information that's necessary for the transaction. Online, this includes the billing zip code. This ruling apples to card-present retail transactions. FYI. Here's the entire decision: http://www.courtinfo.ca.gov/opinions/documents/S178241.PDF
Except the billing zip code happens to be a very important (though not the only) piece of AVS (Address Verification System), which is used to combat fraud. In a nutshell, the merchant submits the customer's address along with their card info, and (depending on the merchant's arrangement) the credit card processor checks to make sure certain parts of that address match what's associated with that card number. Zip code happens to be one of the most reliable.
read an actual merchant agreement some time
(the one between the business and visa)
merchants are FORBIDDEN to ask for ID as a condition of using a credit card...
if the signature is good, and the card is present, you may NOT ask for ID just because its a credit card.
if you require ID of all purchasers say, for a hotel, you can ask for ID.. but not just because it is a credit card.....
doing so violates CC agreements.
(merchants aren't even supposed to accept cards that say CID or SEE ID)
if it is UNSIGNED, we are to request ID, then get the card holder to sign the card before accepting.
(I have a merchant agreement, I've read it, and I've read the merchant operations PDF's at the major sites)
every day http://en.wikipedia.org/wiki/Special:Random
As a business owner, I can tell you with 100% certainty that the day I am unable to validate the identity of a card holder and protect myself against fraud will be the day I stop accepting credit cards. While some of you think that fraud only falls on the shoulders of the credit card company, it is often the merchant that ends up on the losing end. Instead of restricting the ability of a merchant to request personal information, the legislation should be designed to penalize those who improperly use that information such as the company cited in the case above.
Do they? Why should they? The transaction is between the merchant and the credit card company.
You are exactly wrong. If a fraudulent purchase is made with a credit card and it is recognized and reversed, it is the merchant that takes the hit. Not the bank, not the customer, the merchant. They charge back the merchant the full amount of the purchase and then it is primarily up to the merchant to identify the suspect and prosecute the theft.
merchants do have the right to verify the identity of a customer attempting to use a credit card.
Do they? Why should they? The transaction is between the merchant and the credit card company. The identity of the person holding the card is irrelevant to the merchant. It is the responsibility of the credit card company and the person to whom the card was issued that only a valid person has access to use the card. Granted, the merchant may act on behalf of the credit card company to validate the user, however it really is none of the merchant's business.
It is in the merchant's best interest to ensure that the person who is presenting the card is authorized to do so (if the transaction is not authorized, guess who gets stuck with the bill... the merchant not only loses the money from the sale and transaction fees and the loss of the goods, but is usually also charged an additional fee for the chargeback). One way of doing that is by requiring "something you know" (i.e. The zip code for credit transactions, the PIN for debit transactions). This goes along with "something you have" (the card itself)
As everyone that is security minded knows, this is commonly known as two-factor authentication.
If someone steals your wallet, they have your credit card, and they have your zip code. Not very secure.
In her suit, Pineda claimed that a cashier had asked for her ZIP code during a purchase -- information that was recorded and later used, along with her name, to figure out her home address. Williams-Sonoma did this tapping a database that it uses to market products to customers and sell its compiled consumer information to other businesses.
Note that it is still legal for a business to ask your ZIP code and possibly other information. What is made illegal:
1. conditioning the sale on obtaining data which are not necessary for completing the sale transaction
2. recoding a data which is not absolutely required for completing a sale transaction.
At least this is how I interpret:
It is not illegal in California for a retailer to see a person's ZIP code or address, the ruling notes: For instance, one can request a customer's driver's license to verify his or her identity. What makes it wrong is when a business records that information, according to the ruling, especially when the practice is "unnecessary to the sales transaction."
Questions raise, answers kill. Raise questions to stay alive.
It is not illegal in California for a retailer to see a person's ZIP code or address, the ruling notes: For instance, one can request a customer's driver's license to verify his or her identity. What makes it wrong is when a business records that information, according to the ruling, especially when the practice is "unnecessary to the sales transaction."
Meaning (on the line of "what can possibly go wrong" and other /. memes):
1. show them the CC and the driver license if they request it.
2. Make sure their CCTV camera records it
3. sue them for recoding the data (if you can prove the CCTV is working and they are maintaining the recordings)
4. profit
Questions raise, answers kill. Raise questions to stay alive.
Sounds to me like the law is only treating symptoms. How about a law that makes it illegal to sell customer info without their express written consent?
What?
The credit card company is assuming the risk, not you. Since when did Master Card have the power to deputize you and turn you into a mini police detective? They set up a system, it's their responsibility to ensure that their business model works. For that they earn billions of dollars, and you don't.
While it would be nice if that was the case, it isn't. If someone walks out of my store with a $500 laptop computer paid for with a stolen credit card, I'm out the merchandise and the revenue when the actual card owner issues a chargeback. Think all I have to do is provide a signed charge slip to get my money back? Then you probably have never experienced the joys of attempting to do battle with a credit card company. Part of the reason that they earn billions of dollars and I don't is because they have entire departments dedicated to putting the burden of risk on the merchant and not the card issuer.
It's even more fun when you don't actually live in the US and are just visiting. They typically get very confused when you start saying letters.
Your zip code is a very poor choice for authentication.
Stores ask for your zip code because they're interested in customer demographics, not authentication.
I know one of the stores here in Australia, use the Zip (Post Code here) to decide whether it's worthwhile building stores in new areas. If enough people are willing to travel 50ks to shop there, then more will shop local if it's available.
# cat
Damn, my RAM is full of cats. MEOW!!
No thank you.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
For instance, one can request a customer's driver's license to verify his or her identity.
They can ask, but not require it for most credit cards. Some Credit Card agreements actually prohibit the merchant from asking to see ID.
http://www.privacyrights.org/ar/Alert-FS15.htm
'Most people are sheep though. You can ask for their name, DOB, SSN, CC number and PIN, email address, and even their email password, and they'll hand it over for the "discount".'
I will submit that most people aren't sheep in this regard. It is simply that decent people have to generally prepare themselves to lie ahead of time. When asked a straightforward question that might even surprise them they do the thing they are conditioned to do. Tell the truth. I find myself time after time spitting out my zip code even as my brain is saying "bullshit!"
http://www.rootstrikers.org/
I have - right after a move, I forgot whether or not I had updated that particular card and guessed wrong. The machine bounced the card and locked into a "See attendant to complete transaction" mode. I drove up to the next machine and swapped cards just to be sure.
Why is fraud such a problem in the US? Is it because credit card companies are lax with their security? I'm being devil's advocate a little here because I have been a victim of fraud an identity theft in N. American, and now having moved to Europe, I see how pathetic standards and security is in N. America.
It's a pain in the arse visiting the US and not being able to use my credit card easily to fill up my rental car because the pump requires a zip code to accept the card. Nowhere else I've been does this. Why?
It is not illegal in California for a retailer to see a person's ZIP code or address, the ruling notes: For instance, one can request a customer's driver's license to verify his or her identity. What makes it wrong is when a business records that information, according to the ruling, especially when the practice is "unnecessary to the sales transaction."
So, ASKING for the zip code itself was not wrong, using it for marketing was the wrong bit. Had they kept the zip purely for the transaction (as proof for later challenges making it necessary for the sales transaction) and NOT used it for marketing, then everything would have been okay.
Once again, slashdot fails to read the full article and jumps all over the place with its conclusions.
The company would have been just as wrong if they had used their credit card information they get back from the CC company for marketing purposes. This is about using information from one set of data in another set of data without permission being given.
And it is ALSO okay for shops to ask you for your zip code for marketing purposes as long as it is clear that is what it is for. You can just say no. In Holland at least companies put up a sign telling you what the request is for.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.