Full PAN on the Merchant Copy of the Receipt
smcenroe
12-10-2007, 03:33 AM
I have a client who produces the full PAN on the merchant copy of the receipt... I explained this is not acceptable in Visa's eyes and there isn't really a valid business reason to do so.
My client responded with a copy of an article where the author states the merchant banks don't care if it is displayed on the merchant copy (see below)
Anyone know Visa's official position?
"Dear Liz: I read your comments regarding merchants' obligation to truncate
credit card numbers on electronically produced receipts. The next day, I ate
lunch at a locally owned restaurant and noticed that my entire credit card
number was on the merchant copy. I told the owner, "This is against the
law." He replied, "I've talked to my bank and they continue to tell me it's
just fine. We have gone around and around with them and they won't change
it." I am hesitant to file a complaint against the restaurant because it
seems to be trying to rectify this potential identity-theft problem for
customers. If I want to pursue this, whom should I make the complaint
against? The restaurant or the bank?
Answer: Neither. The federal law that requires merchants to mask all but the
last few digits of credit card accounts applies only to customers' receipts,
not the receipts the merchants keep."
cmark
12-10-2007, 10:32 PM
Under FACTA only the last 5 or the expiry can be shown on the customer receipt. In CA there is a law that will require similar truncation on the merchant receipt. Currently under the card brand rules, merchants are allowed to retain the entire PAN on the merchant copy although they are required to protect it in accordance with the PCI DSS.
smcenroe
12-20-2007, 10:08 AM
Which I seriously doubt happens. I have become more observant of the merchant receipt recently and found two in the last week who print the full PAN on the merchant copy. Thanks for the response.
cmark
12-21-2007, 10:06 AM
In the vast majority of instances they CAN print the entire account number on the Merchant's copy. In many cases, it is needed. Merchants do have an obligation to protect the receipts in their possession. In some instances this may violate some laws but it is not against the card brand rules.
It is on the customers' copy that they cannot print the full number.
dferket
12-27-2007, 07:13 AM
Is there any information posted online to provide a status of particular states that at this time are required to truncate the merchant copy?
hmark
12-27-2007, 03:39 PM
It's pretty difficult to find a comprehensive information source about such things. I don't believe that, other than California, states will be requiring truncation on the merchant copy. Many retailers are moving to that practice as a pre-emptive strategy, though.
wconway
12-28-2007, 07:49 AM
I'm working currently with a client trying to get their acquirer to re-program their POS terminals to truncate the PAN on both merchant and cardholder receipts. They have a number of remote POS locations, and we view this action to be good security, aside from any PCI implications. Stay tuned...
jeffs08
01-08-2008, 07:09 AM
WCONWAY:
Has there been any additional info on the full PAN on merchant copies with your client?
wconway
01-08-2008, 07:54 AM
I should know more in a couple of weeks at the latest. I'll post what we accomplish/learn here.
wconway
01-18-2008, 08:47 AM
Here is what I've learned about modifying POS terminals to truncate (i.e., print only the last 4 digits of the PAN) on both customer and merchant receipts.
The Hypercom T7 Plus with 1 meg memory option can be programmed to print only last 4 digits on both copies. A couple of my clients are implementing this option. From what I can tell, the key is the upgraded memory, which has necessitated replacing/upgrading some POS terminals. While the basic T7 Plus sells for around $200+/-, the 1 meg version costs twice that.
Hopefully the terminal manufacturers out there will read this and we'll learn about other POS devices that can truncate the PAN on both copies for those merchants who want this option. Maybe they'll even put this feature on their spec sheets...!
dferket
01-18-2008, 01:11 PM
wconway makes a great point on this follow-up.
Terminals with a larger memory do provide the option of receipt truncation, masking expiration date, and other PCI measures to come.
As an acquirer in 2008 we are no longer accepting merchants that process with terminals that are unable to be truncated. Similar to the T7+, Hypercom has many additional models that are currently labeled as non-compliant machines. (T77, T7P, T77-F)
If we are able to completely take a merchant out of scope by truncating both receipts our risk department sleeps much easier at night. It has become a huge goal for us regarding businesses processing via dial-up.
In a perfect world manufacturers would jump on this issue and understand its importance, but in my experience that is not the norm. Hopefully our approach will be duplicated in the near future and non-compliant terminals will become modern day paperweights!
mlmorgan
01-24-2008, 03:46 AM
As far as other terminals that truncate both the merchant copy of the receipt as well as the customer copy, First Data Merchant Services' FD-100s have this capability. Another issue to be aware of is that the settlement reports printed off of POS terminals often list the full account number. I was first told by FDMS that it was impossible for the FD-100s to truncate the card data on the settlement reports, but after further investigation found that they can easily do a programming upload to all of our FD-100s to truncate the card number on the settlement reports as well.
jbhall56
01-25-2008, 06:05 AM
I had dinner a week ago at a restaurant in the Orlando, Florida area while on a business trip. I'd never heard of the restaurant before, so it's obviously not a chain, but could be a local chain.
When the check arrived, I gave the wait person my credit card. When the receipt came back I noticed that my card number had been 'masked' with a large magic marker to the last four digits. Based on the receipt, I'm guessing that this restaurant's POS is also probably storing cardholder data (CHD) and that the CHD is unencrypted.
The good news is that during my numerous business travels, this is the first instance of this that I've run across in the last two to three years. However, I have to admit that I do not frequent a lot of local restaurants, so I'm not so sure that this problem isn't more prevalent.
While Visa publishes statistics that indicate that the PCI compliance program is gaining traction, unfortunately, it still seems that merchants are not willing or are not able to upgrade their POS to meet even the federal PAN masking standard, let alone the PCI standard.
wconway
01-25-2008, 02:49 PM
@Jeff,
Wowsers. It sounds like your restaurant is using an ISO that needs some serious professional help. BTW, I was at a restaurant in San Francisco last week, and I noticed that both copies were truncated...go figure.
dbergert
02-05-2008, 05:46 PM
I have a client who produces the full PAN on the merchant copy of the receipt... I explained this is not acceptable in Visa's eyes and there isn't really a valid business reason to do so.
It is acceptable in Visa's eyes;
http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf?it=r|/merchants/operations/op_regulations.html|Rules%20for%20Visa%20Merchants.pdf
Truncated Account Number:
Visa requires that all new and existing electronic POS terminals provide account number truncation on transaction receipts. This means that only the last four digits of an account number should be printed on the customer’s copy of the receipt.
*note this is a requirement on the customer receipt.
The Business reason to do so is when your dial terminal bricks, or your processor screws up, and you haven't batched out yet :)
you can reenter the transactions from the receipts so you don't lose sales. I've seen it happen a few times.
But I found a good link here: http://www.globalpaymentsinc.com/myglobal/industry_initiatives/card_trancation_requir.html
New State Requirements and Deadlines
Effective January 1, 2007, a new provision of the Tennessee Consumer Protection Act went into effect. The new consumer law (Tennessee Code Annotated § 47-18-126) makes it illegal to electronically print more than the last 5 digits of a credit card number and the card expiration date on receipts. This applies to both the receipt retained by merchants and the receipt provided to customers. The Attorney General for the State of Tennessee has the authority to enforce any violations of this law.
Effective January 1, 2009, revised California Civil Code § 1747.09 takes effect, requiring that no more than the last 5 digits of a credit or debit card number be printed on both the electronically-printed card receipt retained by merchants as well as the receipt provided to customers, thus modifying the current law which applies only to customer copies.
DMertz
02-08-2008, 02:48 PM
I wrote an article for the GreenSheet which addressed this very topic. And, it generated a significant amount of comment and more phone calls than from any other article I published.
FACTA says the receipt "provided to" the consumer. The next paragraph gives an exception - imprinted or hand written tickets.
There are two types of receipts which are generated - the first uses no-carbon-required paper - so both the merchant copy and the consumer copy are the same. No card number may be printed under FACTA.
The second type is where there are two different receipts - one for the consumer and one for the merchant. The merchant copy will often have the full card number and the cardholder will have truncated.
There is a problem with the second type of the receipt. The merchant copy of the receipt is provided to the consumer - for signature. It is still provided to the consumer even though it is returned to the merchant. If the consumer walks out without signing - and this happens on more than a few occasions during the confusion at the sales counter - it is a FACTA violation. The customer could do this willfully and it would cost the merchant more to litigate than it would to pay off the customer.
Is it a FACTA violation for the merchant to present a receipt to the consumer with a full card number? In the instance where there is a potential for loss of the transaction with the batch - probably not.
This is because of the exception listed in FACTA. The exception is for handwritten or imprinted receipt.
However, if there are alternatives which the merchant could purchase for processing transactions, then it could be interpreted the merchant had time to replace/upgrade the equipment to meet the Act. Since the ACT passed in 2004, it would be difficult for a merchant to claim they did not have time.
FACTA litigation is being initiated all over the country. And this issue is going to be litigated. When it does it is not going to be VISA which makes the call, it will be the courts. And, with the possibility of $1000 fine plus legal costs for each receipt, until this is fully litigated - merchants may be risking their businesses by continuing to print full card numbers on their copy of the receipt.
David Mertz
Compliance Management Partners
816 256-2125
dbergert
02-08-2008, 04:14 PM
Very Interesting...
I think that this is based upon the interpretation of "provided to" -- Is the customer "provided" the receipt -- or are they "presented the receipt" for signature -- or do these mean the same thing :)
From the White House Fact Sheet (http://www.whitehouse.gov/news/releases/2003/12/20031204-3.html) -- it looks like the intent was for the customer receipt:
Helping prevent identity theft before it occurs by requiring merchants to leave all but the last five digits of a credit card number off store receipts. This law will make sure that slips of paper that most people throw away do not contain their credit card number, a key to their financial identities.
"Most people" Cardholders/Customers? or Merchants ?
From the law (http://www.treasury.gov/offices/domestic-finance/financial-institution/cip/pdf/fact-act.pdf) :
no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.
Also see the FTC website: (http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.shtm)
And it applies only to receipts you give your customer at point of sale, not to any transaction record you retain. Be aware, however, that when you keep your customers’ personal information — including account data — you have an obligation to keep it safe.
Do you give the merchant receipt to the customer at the point of sale ?
Looks like the intent is different from the written law, or that US government agencies.... [fill in the blank here _____________________] :)
BTW, I'd be fine if the merchant never had my account number, only a reference number, and approval code (http://www.securityfocus.com/print/news/11491)
2nd BTW: These are two funny links related to Credit Card Receipts: http://www.zug.com/pranks/credit/ & http://www.zug.com/pranks/credit_card/
wconway
02-09-2008, 12:04 PM
Since this thread started, I have been doing some informal research when paying with my credit card. It seems a lot of merchants are truncating the PAN on both copies.
In the last 10 days my travels have taken me to North Carolina, Nashville, Savannah, and back home to San Francisco. In all cases, many merchants -- from my local pizza shop to the butcher at the farmers' market to restaurants -- truncate on both copies. I asked them whether it was their idea or their acquirer's, they unanimously said it was their idea (one said he had to insist on it before the acquirer would re-program the terminal).
I think we may have an emerging merchant/POS best practice here.
Bill P
04-14-2009, 04:30 PM
Is anyone aware of a specific finding by a court of law that FACTA does NOT require truncation on the merchant copy?
ADail
04-16-2009, 05:57 AM
FACTA was amended by Congress to dismiss all of the class actions where a merchant truncated the PAN, but printed expiry. An exp date with a truncated PAN doesn't get you much, and isn't even considered sensitive data under the PCI rules, because there is no PAN stored in conjunction.
The issue you run into in the field is the way POS service is outsourced locally, because the vendors do not have service techs everywhere. Joe's Computer Service has the contract in your area, and Joe has been doing this for 15 years. He's made himself a cheat sheet and when he reprograms that POS, he looks at his cheat sheet and for options enters Y,N,N.N,Y,Y,Y just as he's always done. The problem is, his cheat sheet hasn't been updated to account for truncation and the next thing the merchant knows he's getting a letter inviting him to a court hearing.