This week, in Siglin v. Sixt Rent A Car, LLC, 18-cv-62536, a proposed class action was filed against Sixt Rent A Car, LLC (“Sixt”) for its alleged failure to properly conceal consumers’ card and identification information on its receipts.
Debit and credit cards generally contain 16 digit numbers. 15 U.S.C. § 1681c(g)(1) requires that no person that accepts credit cards or debit cards to transact business shall print more than the last 5 digits of the card number or the expiration date on any receipt provided to the cardholder at the point of sale or transaction.
Plaintiff states that he rented a car from a Sixt and paid with his personal visa. In addition to his name and address, plaintiff alleges that his receipt displayed the first 6 and last 4 digits of his credit card number and the full expiration date. Allegedly, Sixt printed 10 digits on the receipt – double what the statute allows.
Plaintiff argues that by printing the first 6 digits on the receipt, Sixt also revealed where plaintiff banks because each card’s first 6 digits are directly associated with the issuing bank.
Plaintiff also alleges that Sixt should have known better because major credit card companies, i.e. Visa, Mastercard and American Express require all merchants that accept their cards to print no more than the last 4 digits of an account number on the customer’s copy of the receipt. Further, the plaintiff claims that this issue could have been avoided because Sixt’s point of sale equipment was programmable.
The suit alleges that Sixt’s receipts make it much easier for a fraudster to “guess” the correct account number, reverse engineer the account number or engage in a social engineering attack by impersonating bank officials to trick consumers into voluntarily disclosing more personal information (i.e. over the telephone).
We haven’t checked the math, but plaintiff alleges that truncating the first 11 digits on a transaction receipt ensures that there are at least 10 billion possible account number possibilities for any 16-digit credit card. Plaintiff also alleges that Sixt’s method cut the possibilities down to 1 million.
Those 5 little digits might have major consequences for Sixt, particularly if the class is certified.