Nasir and Matt discuss when businesses can display a customer’s social security number and what to do if your social security number is shown on a letter or credit card receipt.


NASIR: All right. Welcome to our business podcast where we cover business in the news and add our legal twist to those business news items. My name is Nasir Pasha.
MATT: And I’m Matt Staub.
NASIR: And welcome to the best episode ever of Legally Sound Smart Business. Matt and I were just discussing prior that this is probably going to be our best so congratulations everyone, you’ve made it.
MATT: That’s also what we discuss before every episode though.
NASIR: That is true. I’m hoping this time we’ll make it. Or is every episode better than the next? So, the latest episode is always the best episode, is that what’s been going on?
MATT: It’s possible. I’d have to go back and listen.
NASIR: Okay. Let’s just do that now.
MATT: I’ll pause.
NASIR: And we’re back! So, what did we decide?
MATT: It was true.
NASIR: It was true, yeah. So, this one has to be the best one. Hopefully it’s not as good as the last one then.
MATT: Even the clip show episodes were somehow better than the previous versions of that.
NASIR: The previous ones? I think that makes sense. That really makes sense, yeah.
MATT: So, we’re going to talk about a couple of things here – one of which is social security numbers. I guess we’ve talked long enough that hopefully people aren’t going to turn off the rest of the episode, I guess. If we’ve gotten them this far… well, I guess I’ll probably end up putting social security in the title so maybe that will turn people off as well but…
NASIR: Well, credit cards, too. We’ll talk about basically private information that you’re holding of your customers.
MATT: Well, I mean, there’s a couple of things. There’s getting something in the mail, getting a letter in the mail and, you know, what are the guidelines of when – if at all – can be your social security number on there? And then, two, using a credit card and you get the receipt back. I bet most people probably don’t even look for this every time that it comes up but, you know, we’ll discuss the laws in place with that as well. I guess we’ll start with the getting something in the mail and I guess this came up recently because the California EDD – Employment Development Department – was sending out letters in the mail and I guess people’s social security numbers were listed on there which, I’m trying to think, I mean, I deal with a lot of IRS stuff. I know there’s been social security numbers on there in the past which is fine if it falls under the exception that they’re allowed to put on that is, well, this is for California but California prohibits the printing of an individual’s social security number on any materials that are mailed out to the individual unless state or federal law requires a social security number to be on the document to be mailed. EDD’s argument here was it was a necessity for the social security number to be on there so we can ensure that the information is correct for the person it was sent to.
NASIR: And this California law is actually in many other states. I don’t know how many but it’s not atypical. But this whole EDD’s position that it’s somehow necessary, even if it is necessary now, why is it necessary? You know, there are ways to protect your identity and so forth. In fact, I was just reading this basically interview of this guy – and I think he was in Russia or maybe some Eastern European country – where his job was to basically make phone calls to these credit card companies posing as these victims of identity theft because the people that actually stole their credit card had needed further verification so his job was to basically take on the identity and pretend that they’re that individual. Of course, they do that by finding the social security number, other information, pulling the credit report somehow, and so, I mean, this is all obvious stuff but why is it necessary at all to have your social security number on this communication? It just seems silly.
MATT: Yeah, I agree with you on that. I think there’s a pretty weak argument on their part but I don’t think it was a mistake. I think they truly just thought they could do that. When I first saw this story, I thought it was an intentional attempt to try to get identity theft or identity thieves – is that what they would be called? Identity thieves?
NASIR: I think identity theftists would be the correct word.
MATT: I thought it was some sort of ploy to get them to try to steal the information then they would get caught assuming that the name didn’t match up with the social security number.
NASIR: Actually, yeah, reading the article, it almost seems that way but, yeah, it ended up not being and apparently, you know, this is a big deal. Okay, EDD is one thing, but there’s a lot of businesses that may have access to not only social security numbers but other very private data. A good example is credit card information and even that, I mean, when was the last time you got a receipt where the full credit card number was on there? The reason it’s not is that, by law, they can’t do that. I do remember a time where that wasn’t the case – where you would have the credit card information on there.
MATT: I had heard something – someone I’d talked to that used to do payment processing for credit cards, it could be the system that they use as well because I know they were telling me – and this was a few years ago – they were telling me that they were able to convert, you know, they went in and purchased something somewhere and they got the receipt and noticed the whole credit card was on there and this was a person that is in sales with credit card processing and they told the business owner, “I think you have a big problem here. You’re breaking the law and you need to change over.” I think they got a client and they informed that they were breaking the law.
NASIR: Yeah. “First, you’re using a very old system that’s outdated and, oh, by the way, you’re also breaking the law on that.” Actually, it’s called PCI compliance which PCI stands for… Payment Card Industry Data Security Standard. So, apparently, it’s PCIDSS is the full acronym but PCI compliance is what I know it as and I think most people do, and that actually has a whole huge standard of how you even process or handle credit card numbers itself. All the new systems, they’ll say – if you see in the fine print – it will say PCI compliant and so forth but you should be wary, if you’re doing a lot of credit card transactions, then the standards are actually different and some payment processors, most of the basic ones or the common ones will have this but, if they’re a little bit old or sometimes you’ll have a payment processing system that is customized for your shopping cart or something that you’re doing online or for some kind of software that you have in-house, it may not be as compliant because, depending on how much you do, I think the number of transactions per year, you’re on different levels and the regulations apply differently to you.
MATT: This applies to these electronically printed receipts and I guess, if I’m understanding this correctly, the law of these credit cards, the information has to be truncated. The law doesn’t necessarily apply to handwritten receipts which you actually will see. You’ll see them from time to time, typically at old shops or places that had their system go down.
NASIR: Yeah, or the power goes out.
MATT: Yeah, power goes out.
NASIR: You know, something like that, exactly.
MATT: Yeah. So, you will see that.
NASIR: And the thing is I always worry about not having enough cash on hand because I remember – and I think we’ve talked about this – one time, the power went out in San Diego. It was the great blackout of 2013 or ’12?
MATT: ’11?
NASIR: Maybe ’11. I remember it was very dark that day in the middle of 2 p.m. But it was concerning because I had maybe less than a quarter – not quite an empty tank – but none of the gas stations had their machines working and none of them had those manual machines to even take my credit card even if they wanted to.
MATT: There’s not much you can do about that, I guess.
NASIR: Yeah, exactly. Back on the PCI compliance, just to kind of give you guys an example, again, most of this stuff should be already taken care of. For example, for virtual terminals, you have a card reader that is connected to your computer that reads the card information and enters it into the virtual terminal as opposed to doing it manually or it will have it so that, in the shopping cart structure, how the information is sent to a third party, that it’s encrypted and so forth, all of these little things are probably basic but the point is that it’s very easy if you’re doing it yourself to not be compliant with that. Of course, if you have a system that’s actually producing credit card numbers on your receipts, I don’t know, you should revisit that.
MATT: And so, most businesses have changed over to these systems with electronically printed receipts. That’s why you’ll see something that’s more popular these days which is the little sign on there saying, “Credit card minimum $10.00 for a purchase.” You’ll see a couple of different things. You’ll see the sign on – well, I guess you’ll see people that don’t care at all which is fine. You’ll see the businesses that have that thing on there – the policy of “in order to pay with a credit card, it has to be a minimum of $10.00,” and then you’ll see the businesses that have a sign saying, “Anything under $10.00,” or whatever amount they choose, “…is a 50 cent surcharge on top of it. We’re going to charge you 50 cents for the processing.” The main reason behind that, despite the fact that they can’t do it, the main reason behind that is because they lose a cut of what they bring in by doing the credit card processing so that’s kind of I guess, if you haven’t really thought about it, that’s kind of the back story on why that exists but, yeah, the 50 cent part, I don’t think people know. Businesses can’t really do that.
NASIR: I’m trying to remember if it is law or basically the credit card agreements don’t allow that. I think it’s the latter. I think the credit card agreements don’t allow it. Because it used to be that credit card companies – Visa, MasterCard, and American Express – they didn’t allow the merchants to set a minimum and people did it anyway as you probably know but, if they got caught, they would be penalized and they would lose their merchant account. But there was a federal law I think passed – I don’t know, when was it? A few years ago. It’s a federal law that basically allowed a $10.00 minimum was okay. Anything above that, $10.00 and above was fine for setting a minimum.
MATT: Yeah. I mean, really, I guess how often are you… well, I take that back. I guess there’s plenty of times where I spend under $10.00 on a transaction.
NASIR: I find it most common when I’m going to mom-and-pop cafes. There’s this one in Houston that I tend to go to and they have a $10.00 minimum and most of the time I’m over $10.00 but every once in a while I go in there and I get a muffin or something like that and they’re like, “Oh, I need cash.” So, then I just buy $10.00 worth of muffins.
MATT: That’s why I have my debit card that I have has no ATM transaction fees worldwide so I can use that little ATM in there and not get dinged for it.
NASIR: Oh, why don’t you just advertise for them and be their sponsor?
MATT: They do advertise in a lot of legal magazines?
NASIR: What is it?
MATT: Hold on… First Republic Bank.
NASIR: You didn’t remember what the bank was called? It’s your card.
MATT: There’s like five or six or seven words that are in every bank’s name – obviously, “bank.” First Republic Bank – it’s tough.
NASIR: Yeah, that’s true. Well, okay, that’s how you handle private data, folks. If you make a mistake, we’re going to go after you.
MATT: I don’t know if we are, but…
NASIR: Somebody is. All right. Thanks for joining us everyone.
MATT: Yeah, keep it sound and keep it smart.

