Do you consider your ZIP code "personal identification information" ?

The California Supreme Court does.  In a recent decision, the California Supreme Court ruled that a ZIP code is "personal identification information" for purposes of California Civil Code §1747.08. As a provision of the Song-Beverly Credit Card act of 1971, California Civil Code §1747.08 prohibits prohibits businesses, as a condition to accepting a credit card as payment for goods or services, from requesting and recording personal identification from credit card holders during credit card transactions. Personal identification is further defined in the statute as:

"information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number."

The lawsuit was filed by a private citizen against retailer Williams-Sonoma after a ZIP code was requested at checkout and was later used in conjunction with other information to determine the customer's address for marketing purposes.

This decision comes as a further reminder to credit card processing retailers of the increasing complexity of credit card compliance. With the new Payment Card Industry Data Security Standards (PCI-DSS) and decisions such as this one, non-compliance is becoming more costly than ever. 

Does your organization process credit cards? Would your business be hurt by losing the ability to process credit cards? If you answered yes it is time to discover your compliance requirements and start working towards meeting the standards put in place by credit card companies and the courts. A great place to start is Attevo's DLP Toolkit where you can search a database of compliance regulations tailored to your business.