Receipts that show full credit card number

[Mal]

I had a feeling in the back of my mind that receipts must not show the full credit card number and expiry date for security/privacy reasons.

Went to a merchant recently and used my Amex (non-offline eftpos type transaction), with their merchant facilities provided by a semi-major Australian bank.

The customer receipt had my full CC number and expiry date on it.

Did a little searching, and it appears that this is discouraged under the "Electronic Funds Transfer Code of Conduct" (Electronic Funds Transfer (EFT) Code of Conduct - Australian Securities and Investments Commission )

{Part C)
21.2 The following guidelines are provided to assist in interpreting the National Privacy Principles and any approved Code referred to in sub-clause 21.1 and in applying them to EFT transactions under Part A:
<snip>
(c) transaction receipts should not disclose information which would reveal the full account number, name or address of the account holder; and

Does anyone know if Amex in particular has any merchant regulations, or any other references I can use to bring this to the attention of the bank/vendor involved?

 

[oz_mark]

Not 100% on how mandatory it is, but it is against section 3.3 of the payment card industry data security standard. See the website https://www.pcisecuritystandards.org/

Mask PAN when displayed
(the first six and last four digits are
the maximum number of digits to be​

displayed).

 

[Mal]

Not 100% on how mandatory it is, but it is against section 3.3 of the payment card industry data security standard. See the website https://www.pcisecuritystandards.org/

Thanks. Logged appropriate feedback with the bank involved requesting that they sort the issue. Will post back if/when I get feedback.

 

[Dave Noble]

I had a feeling in the back of my mind that receipts must not show the full credit card number and expiry date for security/privacy reasons.

I would doubt that there is such a generic rule since that would make all zip zap transactions invalid

Dave

 

[Mal]

I would doubt that there is such a generic rule since that would make all zip zap transactions invalid

Dave

I have been advised that this should not have occurred, and the bank is investigating why it happened.

There is a reasoning behind why every electronic receipt has the numbers masked. For zip/zap transactions, obviously they are an exception - but to be honest, I havn't seen a carbon one for years, and wouldn't be surprised if they now don't transfer all digits onto the customer receipt copy of the form.

 

[oz_mark]

I have been advised that this should not have occurred, and the bank is investigating why it happened.

There is a reasoning behind why every electronic receipt has the numbers masked. For zip/zap transactions, obviously they are an exception - but to be honest, I havn't seen a carbon one for years, and wouldn't be surprised if they now don't transfer all digits onto the customer receipt copy of the form.

The PCI DSS applied to electronic transactions (zip zap machines aren't really an electronic system!), and in any case there are exceptions allowes where there are business reasons for requiring the full number to be displayed. One would guess on a zip zap machine there is a significant business reason for the whole number to appear.

Actually saw such a machine Christmas Day when a POS terminal failed to connect to the bank. Took them a little while to find it and the forms

 

[JohnK]

I make a note to look at all credit card receipts and do not remember ever seeing the full credit card number on a receipt. Generally the receipt will only show part of the number or the whole number with the middle digits replaced by asterisks. I would be really diasppointed if there were mercants giging reeceipts with the full credit card number and expiry date....

 

[moa999]

I average 20-30 taxi trips a month in Syd/Mel and would say 5% still use the zip/zap method.

Interestingly I just came across a Cabcharge receipt on 22-Dec that had my full Credit Card details and expiry on it (personal card as well!)

 

[vilemerchant]

I used to work at a petrol station that showed the entire card number and expiry date. It really is extremely unsecure, all a dodgy cashier would have to remember is your 3 digit number on the signature panel to begin making fraudulent transactions online. Luckily for my customers I wasn't a thief.