laws to truncate credit card numbers on receipts

FEDERAL LEGISLATION on Credit Card Numbers on Receipts updated February 7, 2008.

Through the Fair and Accurate Credit Transactions Act, Public Law 108-159, Congress preempted the states on credit and debit card truncation to set a national standard. Under Title I, §113 of the Act, only the last five digits of the card account number can be printed on electronically printed receipts provided to the customer. The new truncation requirement does not apply to handwritten receipts or receipts imprinted with a copy of the credit card.

Link to Federal laws on credit card receipts

For Release: May 30, 2007
FTC Reminds Businesses Law Requires Them to Truncate Credit Card Data on Receipts

The Federal Trade Commission has issued an alert, to remind businesses that a federal law calls for them to truncate electronically processed credit card receipts to include no more than the last five digits of the card number, and to delete the expiration date.
The law applies only to electronically printed receipts, not to handwritten or imprinted ones, and it applies to the receipts the customer is given, not to the receipts the businesses retain for their own records.

According to the FTC, credit card numbers and expiration dates on sales receipts provide helpful information for scammers trying to commit identity theft. Congress passed the Fair and Accurate Credit Transaction Act to minimize the amount of personal identifying information on credit receipts, because they can be lost or thrown away to be retrieved by would-be identity thieves. The law was phased in so that merchants with newer electronic card-processing machines had to comply with its provisions as early as 2004, and those with older machines by December 2006. All merchants that electronically print credit or debit card receipts must now truncate the information on the copy they give consumers.

The business alert advises that merchants who fail to comply with the law could face FTC law enforcement action, including financial penalties and federally-enforced restrictions or requirements.

See page 24 of the FCRA, Federal Credit Reporting Act for additional information. ( FCRA PDF download)

15 thoughts on “laws to truncate credit card numbers on receipts

  1. It is not required. In fact, I recommend you truncate the credit card number on the merchant receipt, just like on the customer receipt. Your credit card processor needs to set up your account for this, and then you’ll download an update to your terminal with the new settings.
    This is an item I discuss with new merchants before boarding them. Unless there is an overwhelming management need for the data on hard copy, they get set up with all truncated.

  2. In GA, this only applies to customer receipts. The law does not apply to machines first used prior to July 1, 2004.

    If you do go to a place where it does not apply, please be kind and leave the last 4 digits.

  3. I’m not sure what ‘retailer’ is saying. Machines that cannot truncate the customer credit card number on the customer receipt must be replaced in order to be PCI Compliant. There are no exceptions.

    With respect to the merchant receipt, there is no uniform law regarding equipment truncating the card number. However, merchants must follow PCI Security Standards Compliance guidelines for the storage of customer card information. There are far too many companies increasing their risk by not truncating the merchant receipt when they have no reason to store that information.

  4. I was in NYC over the weekend and was surprised to see my full credit card number on the merchant receipt! All it would take is one shady employee to duplicate my credit card number! Can/should I report this to someone? I really did not feel comfortable with that. It was at the Grand Slam store in Times Square, 1557 Broadway.

  5. Hi Carol
    I sent you a private email. Did you like the store, and your experience up to the point of receipt? If yes, then consider whether you want them to suffer a potential serious financial hardship vs simply rectifying the problem.
    I’m not excusing the company for failing to comply, but, would you be satisfied if they simply fixed the problem and served the community with jobs and cool stuff vs the alternative?

    I called the company President and left a message (holiday today, so office is closed). I’ll report back later this week on the resolution as well as who readers can report any company to.

  6. CORRECTION! Carol- there is no regulation against a card number being on the merchant receipt, so there is nothing to report.

    I must have been awfully tired because I misread your post. This is the rule referenced in the original article “All merchants that electronically print credit or debit card receipts must now truncate the information on the copy they give consumers.”

    The merchant is within its rights to allow printing of the merchant card number on the merchant receipts as of this writing. There are rules regarding protection of card data when it is not truncated on the merchant receipt. This is covered under PCI Data Security Standards (PCI-DSS). All merchants must comply with the standards appropriate for the size and type of organization. Failure to comply and a resulting data breach can result in major fines for companies, sometimes putting them out of business.

    On a final note, Grand Slam’s President returned my call in response to my inquiry and asssured me that their card data is never exposed on customer receipts as I originally thought your comment was referring to.

  7. hi ya
    my local shop have been giving me the merchant copy which contains all of my card details of my instead of the customer copy
    which only shows the last four digits.is this right or are they breaking the law i have enquired in the store to no avail. can you help with this quirey please.

  8. Emma- Are you the customer? Does your receipt say “merchant copy” or “customer copy”? It doesn’t matter which it says, but I’m curious. Federal law requires that the receipt given to customers must be truncated. It is a felony to issue receipts with fully exposed card numbers. If you’d like me to contact your merchant and talk to them about fixing the problem, please see EMAIL the company name, phone, address and owner information Or whatever information you have to help AT 3DMERCHANT.com.

    If you want to report them to authorities, contact the FTC. https://www.ftccomplaintassistant.gov/. The FTC does not resolve individual consumer complaints but enters the information into a database accessed by authorities.

  9. Why does this law not apply to handwritten receipts?
    I just found a receipt that someone dropped out in the parking lot from a Doctor’s office and it has the full credit card number and exp. date on it. Why aren’t these customer’s being protected?

  10. Who says the law does not apply? I’m not a lawyer, but here’s my personal take. There are 2 possible scenarios-
    1. Someone literally wrote out the whole thing and handed the customer a copy. That would be breaking the law.
    2. The merchant had some type of equipment problem. The merchant is required to get an imprint of the card. The customer signed and the merchant gave them a copy. Technically, stil a violation. Under the new law, and meet card policies, the merchant would take an imprint of the card for their records, but the receipt given to the customer would have only the last 4 and the authorization number, assuming they called for a voice auth.

    I’m going to have to look into the card imprinting though and see how retailers are going to address this.
    If you want to email the Doctors office information to me, as a courtesy, I’ll send them literature on the relevant laws. Please see 3dmerchant.com/contact for email. Thanks

  11. If it is not a rule in the merchant’s end, am I within my rights to ink out all but the last four (or five) numbers of my card number on a merchant’s copy? I really had to fuss with a dental office as I was using my debit and did not want the entire number in their office. The response I was getting was that if they had to refund the money, they needed the number. My husband is in retail and uses these machines. He told me that the entire number is in the machine if it is needed. It seems just that much safer to me to not have a hard copy that someone could copy and the merchant would be none the wiser. Thank you for your help.

  12. This article was written in 2009 and things have changed.

    1.Since then Visa came out with this:
    Visa clarifies credit card truncation operating regulations

    2. Sorry Becky, I’m not a lawyer to be able to answer about your specific rights. Next time you visit the office, I recommend you give them a copy of this article.

    3. PCI Compliant machines do NOT STORE card numbers. Most dental and doctor offices have “desktop” terminals. It’s a machine that usually has a phone line connected to it to dial out. When the card is swiped, the data is encrypted, and then transmitted.

    4. Personally, I would INSIST they block out the card data. Of course, since I’m in the business, I try to get the owners name to call and talk to them about an alternative secure solution.

    Seriously, when’s the last time anyone received a refund from a doctor or dental office?

    If you want me to contact your Dr’s office to offer them a more secure solution, including one that would enable them to give refunds without storing exposed card data, send me their info.
    Christine

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA *

This site uses Akismet to reduce spam. Learn how your comment data is processed.