This note came in regarding "Receipts still reveal too much" by David Mertz, which we published Dec. 26, 2007, in issue 07:12:02. It is followed by Mr. Mertz's response:
I believe there's a little confusion on what the Fair and Accurate Transactions Act of 2003 (FACTA) requires. The merchant copy can still have full card number and expiration date, although it's not a good idea. FACTA states, "Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction."
Additional information on FACTA is on the Web at www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.shtm.
Lucas Zaichkowsky
Developer Support
Mercury Payment Systems
Lucas,
Someone else pointed this out as well. It has much to do with interpretation. Two types of receipts are printed at the POS. The first is the NCR receipt. No confusion there: Since both contain exactly the same information, neither can contain the full card number.
However, confusion comes in when two separate receipts are printed - one that the merchant keeps with the cardholder's signature and one that the cardholder keeps. In this scenario, many POS systems print the full card number on the merchant receipt and a truncated PAN on the cardholder's receipt, and merchants believe this meets FACTA.
However, it comes down to the interpretation of the word "provided." If, in this second scenario, the POS system generates a receipt with a full PAN, which is then signed by the cardholder, I interpret this as providing the cardholder with a receipt - even if the receipt is given back to the merchant. It is still a merchant providing a receipt that has a full PAN to the consumer - even if it is for a signature, and the receipt is being returned to the merchant for safekeeping. Further, there are many times when the receipt presented to the cardholder for signature does not get signed and is kept by the cardholder. This happens as a result of confusion, distraction or other circumstances at the POS. Again, this would be a clear violation of FACTA.
The other thing to look at is the next paragraph in the act. The exception. This is for handwritten or imprinted sale transactions only. The intent of the law, based on this paragraph, is to limit the presence of card numbers on receipts to systems where it is impossible to do otherwise - this pertains both to merchant and cardholder receipts.
For electronic POS systems, there is no business reason to justify the printing of card numbers on any receipt - whether it is maintained by the merchant or the cardholder. The continuing practice of doing so is exposing merchants to significant liabilities both under FACTA and the Payment Card Industry Data Security Standard.
With the numerous lawsuits pending regarding FACTA violations around the country, a complaint will be filed (if not done already) in federal court regarding merchant receipts. The merchant who receives the complaint will surely argue that the merchant copy of the receipt does not meet the definition of "provided" under FACTA. It will be interesting to see if the court agrees with this position. Thank you for writing to me. Please feel free to write me at any time.
David Mertz
Partner, Compliance Security Partners LLC
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.