Natalie VAN STRAATEN, on behalf of herself and a class, Plaintiff–Respondent, v. SHELL OIL PRODUCTS COMPANY LLC, Equilon Enterprises LLC, and Shell Oil Company, Defendants–Petitioners.
The Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681c(g), requires the truncation of credit-card numbers on electronically printed receipts. The receipt must not display “more than the last 5 digits of the card number”. The statute does not define the phrase “card number”. This interlocutory appeal—which the district court authorized under 28 U.S.C. § 1292(b), see 2011 U.S. Dist. Lexis 142894 (N.D.Ill.Dec. 8, 2011)—presents the question whether “card number” and “primary account number” are interchangeable. Shell Oil printed on receipts at its gas pumps the last four digits of what Shell calls the customer's “account number”. Natalie van Straaten contends that Shell printed the wrong four digits—that it should have printed the final four numbers that are electronically encoded on the card's magnetic stripe, a number the industry calls the “primary account number” or PAN. She does not contend that the digits Shell chose to print would have allowed identity theft, prevention of which is the goal behind the Act. (The parties call the statute “FACTA,” but we prefer simple words to awkward initialisms.)
A Shell Card designates nine digits as the “account number” and five as the “card number”. Here is an illustration:
If someone had used this sample Shell Card at a Shell station, the electronically printed receipt would have displayed “6789”, one fewer digit than the statute allows—but, the district judge held, the wrong digits. The sequence “0000” should have been printed for this sample card, the judge concluded when denying Shell's motion for summary judgment. 2011 U.S. Dist. Lexis 110108 (N.D.Ill. Sept. 26, 2011). Shell's receipts looked like this:
The district court held that they should have looked like this:
A Shell Card has 14 digits embossed on the front and 18 digits encoded on the magnetic stripe. This 18–digit primary account number could be rendered 123456789ABCDEFGHI. According to van Straaten and the district court, only “FGHI” or “EFGHI” on an electronic receipt complies with the Act—no matter what sequence is accessible to the eyes or a machine that takes a physical imprint of the card. If the number visible to a customer were ABCDE 123 456 789 (reversing the order of “account number” and “card number” on the sample above, while still having 14 embossed digits), still the only permissible sequence on the receipt would be the last four or five digits of the machine-readable primary account number.
The Act does not define “card number”. The Federal Trade Commission and the Consumer Financial Protection Bureau, which have some authority to interpret the Fair Credit Reporting Act (§ 1681c is part of that statute), also have not defined the term. The FTC's staff did issue a “bulletin” alerting businesses to the statutory requirement soon after its enactment, but this publication not only lacks a definition but also has no authoritative effect; it is neither an exercise in notice-and-comment rulemaking nor the outcome of administrative adjudication. (The bulletin, and much of the Commission's other advice issued before it handed enforcement over to the Bureau, is recapped in 40 Years of Experience with the Fair Credit Reporting Act, an FTC Staff Report with Summary of Interpretations (July 2011).) But we need not essay a definition of “card number” as an original matter, because we can't see why anyone should care how the term is defined. A precise definition does not matter as long as the receipt contains too few digits to allow identity theft. The Act does its work by limiting the number of exposed digits, and Shell Oil printed one fewer digit than the Act allows.
Van Straaten and the class she represents do not contend that Shell's choice of digits left them at risk of identity theft. They have not claimed to suffer injury and do not want compensatory damages. Instead they seek the penalty provided by 15 U.S.C. § 1681n(a)(l)(A), which says that a person who “willfully fails to comply” with any requirement in the Fair Credit Reporting Act is liable in the amount of “any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000”. An award of $100 to everyone who has used a Shell Card at a Shell station would exceed $1 billion, despite the absence of a penny's worth of injury.
Penalties under § 1681n depend on a violation being “willful”. The Supreme Court defined that term, as § 1681n uses it, in Safeco Insurance Co. v. Burr, 551 U.S. 47, 69, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007), concluding that a practice is willful when “the action is not only a violation under a reasonable reading of the statute's terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless.” In other words, the Justices wrote, only a reading that is “objectively unreasonable” can be deemed a “willful” violation. Ibid. The absence of a statutory or regulatory definition of the phrase “card number”—and the fact that the four digits Shell exposed on the receipt created no greater risk for its customers than printing the last four digits of the primary account number—means that Shell's decision cannot be called “objectively unreasonable”. See also Long v. Tommy Hilfiger U.S.A., Inc., 671 F.3d 371 (3d Cir.2012) (printing on a receipt the month of a credit card's expiration date, but not the year, is not a willful violation, even though § 1681c(g) prohibits printing any portion of a card's expiration date).
Plaintiff insists that Shell's position can be revealed as unreasonable by analysis of industry practices. When businesses started to read credit-card numbers electronically in the 1980s, transmitting them to financial institutions for each purchase's approval, they needed a uniform format—both the sequence of numbers and a standard of encoding (and potentially encrypting) so that computers could understand and work with them. The International Organization for Standardization (ISO) came up with a format that can be read when a card is “swiped” through a terminal, or a radio-frequency identification (RFID) tag in the card is brought close to a near-field-communications reader. In this standard some of the 18 or 19 digits designate the industry in which the card's issuer participates, some the individual account, and at least one is a check digit; it is also possible to encode whether the card is the original or a replacement for one that was lost or stolen. Plaintiff's expert witnesses testified by reports and depositions that the payment-card industry understands “account number” and the ISO's “primary account number” to be the same thing, and that lobbyists informed congressional staff of this in 2003 when Congress was considering proposals that led to § 1681c(g). On this view, since “everyone knows” that § 1681c(g) refers to the last four or five digits of the primary account number, it was unreasonable for Shell to print the last four digits of its self-defined “account number,” digits that occur somewhere in the middle of a “primary account number” that meets the ISO's standards.
“Everyone knows” is no substitute for support in the text. Legislative history may help decode ambiguous statutory text, but what lobbyists told the staff is not legislative history. If the information made its way to a committee report, telling readers that the statutory phrase “card number” means the same as the ISO's primary account number, that could help flesh out the statute—though we're not at all sure that it is automatically unreasonable to read a statute in a way that departs from a committee report. See, e.g., American Hospital Ass'n v. NLRB, 499 U.S. 606, 111 S.Ct. 1539, 113 L.Ed.2d 675 (1991), where a federal agency rejected the meaning assigned to a statutory phrase by a committee report and was unanimously sustained by the Supreme Court. But what the lobbyists may have told the staff in private never appears in a committee report, and for all we know never reached the ears of a single Member of Congress. It certainly did not enter the statutory text—which, recall, is “card number” rather than “account number” or “primary account number.” If everyone who is anyone knew that merchants are supposed to print only the last four or five digits of the ISO-defined “primary account number,” why didn't that phrase and a reference to ISO make it into the enacted text?
The “everyone knows” approach is further confounded by the difference between the language of paragraphs (1) and (2). Here are the first two paragraphs in full:
(g) Truncation of credit card and debit card numbers
(1) In general
Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.
This subsection shall apply only to receipts that are electronically printed, and shall not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.
Paragraph (1) uses the phrase “card number” and paragraph (2) the phrase “account number”. Why the difference? Van Straaten and her experts don't have an explanation. Worse for them, the phrase “account number” in paragraph (2) does not mean the ISO's “primary account number.” That number is encoded on a magnetic stripe or RFID chip. Some credit and debit cards emboss the primary account number on the front, but many don't. A Shell Card has only 14 of the ISO standard's 18 or 19 digits on the card's front. So when paragraph (2) says that an “imprint or copy of the card” can record the whole “account number,” it means that the imprint can contain all of the embossed digits, which are not necessarily the same as the “primary account number.” Likewise, we conclude, “card number” in paragraph (1) is not necessarily the same as the “primary account number.” Maybe all “card number” means is “number appearing on the card.” Then the merchant may print any of the digits in that number, provided only that it prints no more than five. Printing any small subset of the digits on a card enables the customer to know which card was used for a particular purpose (that's why merchants want to print some of the digits), without enabling a stranger to learn the full number.
Plaintiff wraps up her presentation in this court with the assertion that “the law is settled” that willfulness cannot be decided on summary judgment but must be submitted to a jury. She then cites three opinions issued by district courts. Yet decisions of district courts are not authoritative even within the rendering district. They cannot “settle” any proposition. Plaintiff does not mention Safeco Insurance, in which the Supreme Court of the United States treated willfulness as a question of law and directed that judgment be entered in a defendant's favor without a trial. The principal district-court decision that van Straaten invokes rests its conclusion on Whitfield v. Radian Guaranty, Inc., 501 F.3d 262, 270–71 (3d Cir.2007), which it reads for the proposition that disputes about willfulness must be submitted to a jury. See Searcy v. eFunds Corp., 2010 U.S. Dist. Lexis 104557 at *18–19 (N.D.Ill. Sept. 30, 2010). But Whitfield not only did not discuss the fact that Safeco Insurance treated the subject as one of law (the statutory standard concerns objective reasonableness, not anyone's state of mind), but also has been vacated as moot. 553 U.S. 1091, 128 S.Ct. 2901, 171 L.Ed.2d 839 (2008). The point of vacatur is to ensure that a decision carries no precedential force after mootness prevents further review. See United States v. Munsingwear, Inc., 340 U.S. 36, 71 S.Ct. 104, 95 L.Ed. 36 (1950). When the third circuit held in Long, as a matter of law, that printing part of a card's expiration date is not a willful violation of § 1681c(g)(l), it did not cite Whitfield. That decision is defunct; it has no force in or out of the third circuit.
We hold that Shell Oil did not willfully violate the Act by printing the last four digits of the “account number” designated on the face of its cards. This means that it cannot be held liable under § 1681n. This also makes it unnecessary for us to decide whether Shell violated the Act at all. Shell tells us that it has changed its practice and now prints zero digits, and plaintiff tells us that every other firm in the industry prints the last four or five digits of the ISO-defined primary account number, if it prints any at all. Thus the substantive question in this litigation will not recur for Shell or anyone else; it need never be answered.
We grant the petition for leave to appeal. The decision of the district court is reversed, and the case is remanded with instructions to enter judgment for defendants.
I join without reservation the comprehensive majority opinion and write separately only to comment briefly on the issue of willfulness that is the sole basis of decision here. “Willfulness” may include recklessness, and that is specifically the question here. See Safeco Ins. Co. v. Burr, 551 U.S. 47, 69, 127 S.Ct. 2201, 167 L.Ed.2d 1045 (2007); see also Long v. Tommy Hilfiger U.S.A., Inc., 671 F.3d 371 (3d Cir.2012). According to Safeco, at least with unclear text and in the absence of authoritative guidance or case law, the appropriate and sole measure of recklessness is objective reasonableness. Safeco, 551 U.S. at 70 n. 20. Following Safeco, this may be determined as a matter of law and without trial. See id. at 71. Such a course is consistent with the nature of the test, which presumably establishes that the risk of harm has not been increased by any objectively reasonable interpretation of the statute. Here, the majority opinion reasonably hypothesizes that the risk of identity theft is not affected by which series of numbers is blocked, so long as no more than five are visible.
In the present case, the district court found that Shell's interpretation of the statute was incorrect but did not rule on the interpretation's objective reasonableness. The district court discussed willfulness-recklessness in terms of state-of-mind evidence reflected in Shell's procedure in evaluating its conformity with the statute—an approach which the plaintiff also urged. There is much discussion of Shell's use of non-lawyers (and non-college graduates) to evaluate its compliance with the statute. It is not clear whether Shell ever submitted the question of compliance to counsel, since, at one point, communications with counsel were ruled inadmissible on grounds of privilege. Van Straaten v. Shell Oil Prods. Co., 813 F.Supp.2d 1005, 1017 (N.D.Ill.2011). Simply as a matter of normal procedure, it is hard to imagine the issue of compliance not being submitted to counsel. Had Shell sought the advice of counsel in conforming with the statute, Shell might have claimed immunity on that basis (although Safeco leaves undecided whether such a claim could succeed in the context of that case). Safeco, 551 U.S. at 70 n. 20. However, the issue pursued in the case before us is not related to immunity but to whether assigning the matter of statutory compliance to non-lawyers might be evidence of recklessness. Of course, that question rests with the objective reasonableness of the interpretation, which is demonstrated by the majority opinion, and the credentials of Shell's evaluators are irrelevant.
Because the district court pursued these various threads of allegedly deficient procedure by Shell—and thereby created issues of fact—it is not surprising that the district court erroneously denied summary judgment and prescribed jury trial to determine willfulness. However, in the absence of increase in risk of harm as demonstrated by the finding of objective reasonableness, the latter is dispositive as a matter of law.
EASTERBROOK, Chief Judge.