Credit card security on receipts?

I got some soup at the Jason's Deli in Hancock shopping center last night, and noticed that on the merchant's copy of the receipt, they had printed my entire credit card number.

Has anyone else noticed this at any other restaurants in the area? Is this something we can convince a proprietor or manager to change?

  1. My sister who is in the credit card business told me the machines are supposed to be set up so they don't do that. Whenever she gets a merchant's copy like that when we are eating out, she scratches it out so it is unreadable.

    1. Most likely not but you have the jurisdiction to cross it out. If you'll notice many have stopped printing the entire thing.
      I cross mine out after becoming the victim from someone simply copying that number and using it.

      1. I brought this issue up some time ago (can't find the thread) but it seems to be OK for the number to be on the merchant's copy but not the customer's. This seemed counterintuitive to me but some knowledgeable posters said this was within the law. Go figure.

        4 Replies
        1. re: Sinicle

          If this is the case then the law needs to be changed.
          There are many merchants who have employees who are stealing the numbers and committing fraud against unknowing customers.
          I simply scratch out my number on the merchant's copy and that's that.

          1. re: latindancer

            Laws won't eliminate all risk. Neither will scratching the number out. Someone could always write down the number first before you scratch it out.

            The only sure way to catch this stuff is to log in to your bank regularly and check the activity on your credit card. It only takes a minute and it will give you peace of mind. In the rare instance where you do see something bad you can contact the bank and they'll immediately remove the charge.

            BTW, this is a good procedure to follow above and beyond any issues in restaurants. If you use your credit card for Internet purchases you're also open to the same risks. The convenience of using a card for these purchases makes it worthwhile to me but along with that comes the responsibility to keep on top of things.

            1. re: Bob Martinez

              >>The only sure way to catch this stuff is to log in to your bank regularly and check the activity on your credit card. It only takes a minute and it will give you peace of mind. In the rare instance where you do see something bad you can contact the bank and they'll immediately remove the charge.

              You are right on the account activity part. But as far as removing the charge, it MAY take weeks or months to fully recover the loss. Granted, you may get a "provisional" removal of the disputed amount, till they fully research the matter. If they feel that the customer was negligent it can be charged back with backdated fees.

              1. re: RShea78

                I've been using my debit card for regular purchases for over 10 years. During that time I've had only 2 issues. In both instances they involved duplicate charges. A restaurant charged me twice for the same meal. An appliance store charged me twice for the same crock pot. I'm convinced that both were accidental.

                In both instances I reported it to my bank, Chase, within a few days and they immediately removed the charge.

                It really does pay to keep on top of your account activity each week rather than wait until the end of the month when you receive a paper statement. The Internet makes it easy.

        2. I'm with sooeygun, I've seen it, and I scratch it out.

          1 Reply
          1. re: im_nomad

            Definitely scratch it out. We had that happen at a bar and someone from the establishment charged $9200 ordering from an internet website. Naturally the credit card company reversed the charge but it was a complete hassle as we were traveling and the fraudulent charge put us over our limit.

          2. It is federal law that the number be truncated on the customer copy, but it doesn't have to be on the merchant copy.

            http://www.ftc.gov/opa/2007/05/slipsh...

            Just curious for those who scratch out the number on the merchant copy--why do you think you have the right to do this? What is the merchant supposed to do in the event of a data crash if this info needs to be manually reconstructed, or is challenged to provide a receipt in case of a chargeback?

            By this logic, you should be scratching out the routing information and account numbers that appear on the bottom of every check you write. Anybody handling the check can just as easily see the routing and account information (not to mention what your signature looks like) and wreak a lot more havoc on your finances than stealing your credit card number.

            The same law that requires the merchant to truncate the customer copy requires them to take appropriate safeguards to protect the data on their copy. If you don't like the law, encourage your lawmakers to change it rather than resorting to vigilantism. If you think a merchant isn't taking the appropriate safeguards or employing dishonest people, either don't patronize them or pay in cash.

            6 Replies
            1. re: tubman

              >>Just curious for those who scratch out the number on the merchant copy--why do you think you have the right to do this? What is the merchant supposed to do in the event of a data crash if this info needs to be manually reconstructed, or is challenged to provide a receipt in case of a chargeback?<<

              "CREDIT CARD SYSTEMS" used by responsible merchants keep that information as a hard copy (on the CCS Servers printout, keeping merchant personnel honest). Then the 4-digit tracer is used to reconcile CC purchases made from a merchant.

              BTW- Even the merchant's copy is to be truncated as they are not in compliance with FTC.

              1. re: RShea78

                >>BTW- Even the merchant's copy is to be truncated as they are not in compliance with FTC.<<

                By all means show me where the law has been changed since 12/1/06.

                Otherwise, here's another FTC release http://www.ftc.gov/bcp/edu/pubs/busin...

                "Several details of the law are worth noting: It applies only to electronically printed receipts, not to handwritten or imprinted ones. And it applies only to receipts you give your customer at point of sale, not to any transaction record you retain. Be aware, however, that when you keep your customers’ personal information — including account data — you have an obligation to keep it safe."

                1. re: tubman

                  Keywords, Tubman: "Merchant's Copy" vs "Merchant's Original". The latter is generally stored off their premises, electronically.

                  Because merchants have employees that generally run the credit cards through some secure system, it would be a huge liability should either employees' (or in case of a holdup) customers' private information get compromised.

              2. re: tubman

                I work in Information Security at a large bank, hence my interest in this subject.

                It is illegal for merchants to keep unencrypted digital copies of credit card numbers with expiration dates or the names of the customers -- that's the safeguarding you mention. However, while the paper merchant copy CAN still contain the whole number, it does not REQUIRE the whole number to reproduce a transaction. Merchant copies all have an authorization code, and that, matched with the merchant code or specific code based on which system you're using, can reproduce a transaction. This way the merchant doesn't have to enter in your credit card number in the case of data loss.

                As far as checking accounts go, your logic is unfounded. Checking accounts require confirmation to withdraw money from them, usually in the form of a signature. Yes, you could sign up for electronic funds withdrawal with a checking account and routing number, but there are specific measures to protect this information. It is much easier to use that information to deposit into an account than to withdraw from it.

                One problem is that American financial institutions have never been as security-conscious as, for example, our European counterparts. When I lived in Germany fifteen years ago, it was common to pay bills by going to the post office and using the checking account number on a bill -- yes, the account numbers were printed on the bottom of paper bills you got from utility companies, gyms, etc -- to make a deposit directly to their account. The protections on bank accounts were much greater then, and seem to be now, too. In any case, working in the US I came to agree with the saying that in most European countries, financial systems are designed with security in mind, to prevent theft or fraud. American systems are not designed that way (this is painting in a broad stroke, I know), but instead we design systems that we assume we'll have to fix when they break.

                American consumers, coincidentally or not, seem to be more suspicious and assume things will break.

                In any case, there is nothing wrong with scratching out the sensitive information on a merchant copy, and if you get slack from the merchant, I'd suggest not using your credit card with them any more. Most merchants we (my husband and I) have mentioned this to have actually gone in and had their credit card machines changed so the merchant copy didn't include the full number.

                Some states have already enacted laws requiring truncation on BOTH copies, and based on a cursory search of best practice, it seems the POS industry is in support of the measure.

                http://www.globalpaymentsinc.com/mygl...
                http://forum.pcianswers.com/showthrea...

                A few years ago, the National Retail Federation requested that member companies be allowed to instead keep only the authorization code and a truncated receipt. They say they don't want to have to perform onerous security validation when they could just get the POS systems to automatically remove sensitive data that isn't necessary for them to keep.
                http://www.securityfocus.com/news/11491
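
What ataraxy describes above (a merchant copy that keeps the authorization code but not the full card number), as an added example that is not part of the original thread: a check over receipt text that masks any Luhn-valid card number down to its last four digits and blanks a labelled expiration date. The receipt layout, the field labels and the choice of four retained digits are assumptions; the card number is a standard test value and the sample receipt is constructed.

```python
import re

# Candidate card number: 13-19 digits, optionally grouped by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Labelled expiration date such as "EXP: 09/27" or "Expires 09/2027".
EXP_RE = re.compile(
    r"\b(exp(?:iry|ires|\.)?\s*(?:date)?\s*:?\s*)(0[1-9]|1[0-2])/(\d{4}|\d{2})\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order or terminal IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_receipt(text: str, keep: int = 4):
    """Return (sanitized_text, findings) for one printed receipt."""
    findings = []

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number; leave untouched
        findings.append("full card number")
        return "*" * (len(digits) - keep) + digits[-keep:]

    def mask_exp(m):
        findings.append("expiration date")
        return m.group(1) + "**/**"

    text = PAN_RE.sub(mask_pan, text)
    text = EXP_RE.sub(mask_exp, text)
    return text, findings

# Constructed merchant-copy text (hypothetical layout, test card number).
SAMPLE = """\
MERCHANT COPY
MERCHANT ID: 000123456789
CARD: 4111 1111 1111 1111  EXP: 09/27
AUTH CODE: 04821Z
TOTAL: 7.49
"""

if __name__ == "__main__":
    clean, found = truncate_receipt(SAMPLE)
    print(clean)
    print("flagged:", found)
```
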

                1. re: ataraxy

                  I think it's worthwhile to look for this stuff, particularly perhaps with smaller restaurants or delivery places. Worth bringing up and mentioning to them that it's safer not to include the whole number. (Also check comments fields to make sure they haven't included any other key codes.)

                  If they don't do it to your comfort level next time, I'd go to the restaurant in person (for instance a delivery place), ask them to delete any on-file card info they had for me, and never order from them again.

                  There's also I suppose the option of reporting them to Visa/MC/Amex if they are using especially unsafe practices.

                  1. re: ataraxy

                    >>"It is illegal for merchants to keep unencrypted digital copies of credit card numbers with expiration dates or the names of the customers..."<<

                    I doubt that it will make many people feel much better but I think one difference here is in regard to the expiration dates. In reading through these posts I think that specific point, made in your post, is missing in the others. From what I've been aware of, exposing the card number is not a great risk unless the expiration date is exposed as well.

                    Until last October I ran a small retail business serviced by one of the largest merchant services companies in the US. I've checked the records I kept to be sure and found that every single signed credit card receipt has the whole card number printed on it. No expiration date, but the complete number. The customer name ALSO appears on my copies. The machine that printed the receipts was installed and serviced by that huge company and the software was updated on it several times by them. It is extremely difficult to believe this was not legal or appropriate. Not impossible, given some other issues I had with how they ran their business, but difficult.