Credit card security on receipts?

  • pwang Mar 18, 2009 10:00 AM

I got some soup at the Jason's Deli in Hancock shopping center last night, and noticed that on the merchant's copy of the receipt, they had printed my entire credit card number.

Has anyone else noticed this at any other restaurants in the area? Is this something we can convince a proprietor or manager to change?

  1. My sister who is in the credit card business told me the machines are supposed to be set up so they don't do that. Whenever she gets a merchant's copy like that when we are eating out, she scratches it out so it is unreadable.

    1. Most likely not but you have the jurisdiction to cross it out. If you'll notice many have stopped printing the entire thing.
      I cross mine out after becoming the victim from someone simply copying that number and using it.

      1. I brought this issue up some time ago (can't find the thread) but it seems to be OK for the number to be on the merchant's copy but not the customer's. This seemed counterintuitive to me but some knowledgeable posters said this was within the law. Go figure.

        4 Replies
        1. re: Sinicle

          If this is the case then the law needs to be changed.
          There are many merchants who have employees who are stealing the numbers and committing fraud against unknowing customers.
          I simply scratch out my number on the merchant's copy and that's that.

          1. re: latindancer

            Laws won't eliminate all risk. Neither will scratching the number out. Someone could always write down the number first before you scratch it out.

            The only sure way to catch this stuff is to log in to your bank regularly and check the activity on your credit card. It only takes a minute and it will give you peace of mind. In the rare instance where you do see something bad you can contact the bank and they'll immediately remove the charge.

            BTW, this is a good procedure to follow above and beyond any issues in restaurants. If you use your credit card for Internet purchases you're also open to the same risks. The convenience of using a card for these purchases makes it worthwhile to me but along with that comes the responsibility to keep on top of things.

            1. re: Bob Martinez

              >>The only sure way to catch this stuff is to log in to your bank regularly and check the activity on your credit card. It only takes a minute and it will give you peace of mind. In the rare instance where you do see something bad you can contact the bank and they'll immediately remove the charge.

              You are right on- on account activity part. But as far as removing the charge, it MAY take weeks, or months to fully recover the loss. Granted, you may get a "provisional" removal of the disputed amount, till they fully research the matter. If they feel that the customer was negligent it can be charged back with back dated fees.

              1. re: RShea78

                I've been using my debit card for regular purchases for over 10 years. During that time I've had only 2 issues. In both instances they involved duplicate charges. A restaurant charged me twice for the same meal. An appliance store charged me twice for the same crock pot. I'm convinced that both were accidental.

                In both instances I reported it to my bank, Chase, within a few days and they immediately removed the charge.

                It really does pay to keep on top of your account activity each week rather than wait until the end of the month when you receive a paper statement. The Internet makes it easy.

        2. I'm with sooeygun, I've seen it, and I scratch it out.

          1 Reply
          1. re: im_nomad

            Definitely scratch it out. We had that happen at a bar and someone from the establishment charged $9200 ordering from an internet website. Naturally the credit card company reversed the charge but it was a complete hassle as we were traveling and the fraudulent charge put us over our limit.

          2. It is federal law that the number be truncated on the customer copy, but it doesn't have to be on the merchant copy.

            http://www.ftc.gov/opa/2007/05/slipsh...

            Just curious for those who scratch out the number on the merchant copy--why do you think you have the right to do this? What is the merchant supposed to do in the event of a data crash if this info needs to be manually reconstructed, or is challenged to provide a receipt in case of a chargeback?

            By this logic, you should be scratching out the routing information and account numbers that appear on the bottom of every check you write. Anybody handling the check can just as easily see the routing and account information (not to mention what your signature looks like) and wreak a lot more havoc on your finances than stealing your credit card number.

            The same law that requires the merchant to truncate the customer copy requires them to take appropriate safeguards to protect the data on their copy. If you don't like the law, encourage your lawmakers to change it rather than resorting to vigilantism. If you think a merchant isn't taking the appropriate safeguards or employing dishonest people, either don't patronize them or pay in cash.

            6 Replies
            1. re: tubman

              >>Just curious for those who scratch out the number on the merchant copy--why do you think you have the right to do this? What is the merchant supposed to do in the event of a data crash if this info needs to be manually reconstructed, or is challenged to provide a receipt in case of a chargeback?<<

              "CREDIT CARD SYSTEMS" used by responsible merchants keep that information as a hard copy (on the CCS Servers printout, keeping merchant personnel honest). Then the 4-digit tracer is used to reconcile CC purchases made from a merchant.

              BTW- Even the merchant's copy is to be truncated as they are not in compliance with FTC.

              1. re: RShea78

                >>BTW- Even the merchant's copy is to be truncated as they are not in compliance with FTC.<<

                By all means show me where the law has been changed since 12/1/06.

                Otherwise, here's another FTC release http://www.ftc.gov/bcp/edu/pubs/busin...

                "Several details of the law are worth noting: It applies only to electronically printed receipts, not to handwritten or imprinted ones. And it applies only to receipts you give your customer at point of sale, not to any transaction record you retain. Be aware, however, that when you keep your customers’ personal information — including account data — you have an obligation to keep it safe."

                1. re: tubman

                  Keywords Tubman- "Merchants Copy" vs "Merchants Original". The latter is generally stored off their premises- electronically.

                  Because merchants have employees that generally run the credit cards through some secure system, it would be a huge liability should either employees' or (in case of a holdup) customers' private information get compromised.

              2. re: tubman

                I work in Information Security at a large bank, hence my interest in this subject.

                It is illegal for merchants to keep unencrypted digital copies of credit card numbers with expiration dates or the names of the customers -- that's the safeguarding you mention. However, while the paper merchant copy CAN still contain the whole number, it does not REQUIRE the whole number to reproduce a transaction. Merchant copies all have an authorization code, and that, matched with the merchant code or specific code based on which system you're using, can reproduce a transaction. This way the merchant doesn't have to enter in your credit card number in the case of data loss.

                As far as checking accounts go, your logic is unfounded. Checking accounts require confirmation to withdraw money from them, usually in the form of a signature. Yes, you could sign up for electronic funds withdrawal with a checking account and routing number, but there are specific measures to protect this information. It is much easier to use that information to deposit into an account than to withdraw from it.

                One problem is that American financial institutions have never been as security-conscious as, for example, our European counterparts. When I lived in Germany fifteen years ago, it was common to pay bills by going to the post office and using the checking account number on a bill -- yes, the account numbers were printed on the bottom of paper bills you got from utility companies, gyms, etc -- to make a deposit directly to their account. The protections on bank accounts were much greater then, and seem to be now, too. In any case, working in the US I came to agree with the saying that in most European countries, financial systems are designed with security in mind, to prevent theft or fraud. American systems are not designed that way (this is painting in a broad stroke, I know), but instead we design systems that we assume we'll have to fix when they break.

                American consumers, coincidentally or not, seem to be more suspicious and assume things will break.

                In any case, there is nothing wrong with scratching out the sensitive information on a merchant copy, and if you get slack from the merchant, I'd suggest not using your credit card with them any more. Most merchants we (my husband and I) have mentioned this to have actually gone in and had their credit card machines changed so the merchant copy didn't include the full number.

                Some states have already enacted laws requiring truncation on BOTH copies, and based on a cursory search of best practice, it seems the POS industry is in support of the measure.

                http://www.globalpaymentsinc.com/mygl...
                http://forum.pcianswers.com/showthrea...

                A few years ago, the National Retail Federation requested that member companies be allowed to instead keep only the authorization code and a truncated receipt. They say they don't want to have to perform onerous security validation when they could just get the POS systems to automatically remove sensitive data that isn't necessary for them to keep.
                http://www.securityfocus.com/news/11491

                1. re: ataraxy

                  I think it's worthwhile to look for this stuff, particularly perhaps with smaller restaurants or delivery places. Worth bringing up and mentioning to them that it's safer not to include the whole number. (Also check comments fields to make sure they haven't included any other key codes.)

                  If they don't do it to your comfort level next time, I'd go to the restaurant in person (for instance a delivery place), ask them to delete any on-file card info they had for me, and never order from them again.

                  There's also I suppose the option of reporting them to Visa/MC/Amex if they are using especially unsafe practices.

                  1. re: ataraxy

                    .."It is illegal for merchants to keep unencrypted digital copies of credit card numbers with expiration dates or the names of the customers..."<<

                    I doubt that it will make many people feel much better but I think one difference here is in regard to the expiration dates. In reading through these posts I think that specific point, made in your post, is missing in the others. From what I've been aware of, exposing the card number is not a great risk unless the expiration date is exposed as well.

                    Until last October I ran a small retail business serviced by one of the largest merchant services companies in the US. I've checked the records I kept to be sure and found that every single signed credit card receipt has the whole card number printed on it. No expiration date, but the complete number. The customer name ALSO appears on my copies. The machine that printed the receipts was installed and serviced by that huge company and the software was updated on it several times by them. It is extremely difficult to believe this was not legal or appropriate. Not impossible, given some other issues I had with how they ran their business, but difficult.

                2. Wow...I'm responding to this post because about 8 years ago, I had my credit card number stolen and maxed out ($10,000) in about 42 hours. This was "back in the day" before you needed to add that security code and billing address and everything, and before credit card companies were vigilant about alerting you to odd spending patterns (Citibank called AFTER my card was maxed out). It took months of affidavits and notarized letters to clear my account, avoid late fees, and get things back to normal. A HUGE pain.

                  Anyhow, the stolen numbers were traced to a JASON'S DELI receipt that contained my FULL cc number - an employee had stolen my number, along with some other numbers. I battled with corporate over this, because even back then, they were one of the only companies publishing the entire number. They told me then - probably in mid 2002 - that they would change their system. In 2006 or so, I went to a Jason's Deli with a friend, and her number was printed on the card. I called JD (really just out of personal interest at this point), and they said they were "in the process" of changing that. Obviously they still haven't! I think safeguards put in place by cc co's have made it harder to use just the card number, but still, this is ridiculous. I don't know when I've seen an entire number printed on the receipt other than at JD and one gas station (I'm someone who looks :)

                  1. Little off the topic..... 20+ years ago when I was in the restaurant business, servers would save the carbon copy receipts which celebrities left behind so they could have their autograph. This is when the carbon copy had the account # and everything on it. Scary huh?

                    1. DH has been in the credit card and online payment system business for a number of years. Visa and MC mandate that the whole number is not on EITHER copy. We go to a favorite local Mexican resto, and damn if they still have our whole cc number on the paper. He won't leave the merchant copy on the table, rather, he hands it directly to the server. Not that it guarantees anything, but he does.
                      The POS machines cost around 200-450 dollars, so it's not like it's a huge purchase, plus.......the resto can get fined if they get found out.
                      I've been tempted to contact the owner of our favorite Mex. restaurant to let him know that we in no way will turn him in, but, someone could...and perhaps should.
                      With the amount of damage that can be done in so little time with a cc number, it's irresponsible for ANY restaurant to not be in compliance.

                      4 Replies
                      1. re: monavano

                        "Visa and MC mandate that the whole number is not on EITHER copy. "

                        Somehow this mandate DH cites by the world's two largest credit card processors, affecting hundreds of millions of daily transactions with nearly every business in the U.S., has managed to escape the attention of the entire worldwide web.

                        So here are the facts as I leave this thread. I welcome DH or anyone else to provide a link to an official source that refutes any or all of these:

                        Credit card truncation of the *merchant copy* is not required by VISA/MC.

                        Credit card truncation of the *merchant copy* is not required by FTC regulation.

                        Credit card truncation of the *customer copy* is required by FTC regulation.

                        Credit card truncation of the merchant copy is currently required by law in California, Colorado and Tennessee--and as of July 1, 2009, Alaska. But that is a function of *state law*, not FTC or VISA/MC regulation.

                        Thank you--don't forget to tip your server.

                        1. re: tubman

                          >>Credit card truncation of the *merchant copy* is not required by VISA/MC.

                          >>Credit card truncation of the *merchant copy* is not required by FTC regulation.

                          >>Credit card truncation of the *customer copy* is required by FTC regulation.

                          For all intents and purposes what gets signed must be identical to what is received as a receipt. Therefore, common legal sense indicates that both copies must match in an identical fashion.

                          1. re: tubman

                            No need for the disrespect in your reply tubman, however correct you might be. Play nice, ok? While you might be correct that there is no specific regulation requiring merchant copies to mask or redact the credit card number, it is also true that the current credit card swipe terminals mask the card number on both copies for security purposes. It's my guess that those restaurants that still display full card numbers on merchant copies own or lease older versions of card swipe devices.

                            1. re: monavano

                              I guess things vary. Until last October I ran a small retail business that used both a CC terminal and a card swiper integrated into the computer 'register' system. BOTH were only about 2 1/2 years old; BOTH had been updated (I thought), within the last year, by the Merchant Services provider (one of the largest in the US); and BOTH showed the full card number on the merchant copy. No expiration date, just the card number.

                              A little off the subject, but one thing I did wonder about was that, on the few occasions when someone would inadvertently leave their card in the store, no card company would contact them for me to let them know. I was told to destroy the card or hold it til they came for it, or return it to the appropriate bank (if applicable). I found that a bit oddly over-protective.

                        2. If you have a dishonest server who's trying to steal your CC#, the fastest thing for them to do is just put the card on a flat surface, cover with receipt paper (the carbon or the shiny stuff), and then run a pen across it to create an imprint.

                          2 Replies
                          1. re: Coconuts

                            Dishonest servers also have a credit card in their possession long enough to write down all pertinent information. I NEVER pay by credit card at a restaurant, no matter how expensive it is.

                            1. re: Lenox637

                              They can also take a photo of it with a cellphone.

                          2. Given the chance, I simply take the merchant copy and leave the signed customer one. Course, this probably wouldn't work in a deli situation, only with tabs.

                            1. We ate at a restaurant out of state a few weeks ago. Two days later our credit card co. called to question some abnormal pattern transactions. The transactions were at a convenience store, a supermarket and another merchant all within 20 miles of the restaurant. Since you would need a CARD for these transactions, I am wondering how they made these purchases on our card without actual possession of the card [excuse me if you all know the answer to this and I am uninformed].

                              2 Replies
                              1. re: emilief

                                They can make credit cards from your information.
                                Normally from what I understand the server might use something called a "skimmer" to slide your card through into a PDA then they take that information from the card strip and can make a credit card.

                                1. re: monku

                                  Skimmers can also be installed at ATMs. That's one reason I avoid no-name ATMs. And on regular bank ATMs, they say you should feel the slot before putting your card in. The skimmers have something protruding so it can be removed.

                              2. Some very timely and astute posts in light of this DC Examiner article published today.
                                http://www.washingtonexaminer.com/loc...

                                "Waitstaff at several Washington-area high-end restaurants stole credit card numbers from customers and ran up a $750,000 tab at stores like Gucci and Barney’s of New York, federal authorities said in court documents."

                                "Three men who allegedly bought the numbers from the servers — Joseph Artemus Bush, Aarron D. Gilbert and Erick V. Burton — used the information to create counterfeit credit cards that were used at area stores, Soto wrote. "

                                The criminal servers were given small scanning machines to pull this off. I think I may be paying in cash at restaurants, and of course, continue to closely monitor my accounts.

                                1. It's a good thing you caught that. Next time ask them if you could see the store's copy for a second and scratch out all but the last 4 numbers with a pen. The employee could've taken advantage of that.