Visa clarifies credit card truncation operating regulations

National Retail Federation and Visa promote card account elimination to advance data security

San Francisco, July 14, 2010

Visa Inc. (NYSE: V) launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems. Understanding the significant commitment by merchants to secure the payment system and to protect sensitive cardholder information from criminals, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.

“Visa’s priority is protecting cardholders and the integrity of the electronic payments system,” said Eduardo Perez, Head of Global Payment System Security, Visa Inc. “By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs.”

Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF’s comments indicated marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors. To clarify, Visa operating regulations stipulate the following:

  • Issuers must accept a disguised or suppressed card number on transaction receipts for dispute resolution.
  • Merchants may keep truncated or disguised card numbers and reduce the amount of potential vulnerable data stored in their systems.

National Retail Federation senior vice president and chief information officer David Hogan welcomes Visa’s effort. “We have long advocated that retailers should not be required to store their customers’ full card numbers and instead rely on an alternative identification number to reference a transaction,” he said. “NRF has been pleased to take a leadership role working with Visa in this effort to assist retailers in our mutual goal of securing customers’ information while potentially reducing the scope of the PCI Data Security Standard. Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information. This clarification from Visa is a promising step in that direction,” said Hogan.

“Making data less vulnerable to card thieves by eliminating it wherever possible has been a major focus by Visa for several years now,” Perez said. “Visa is committed to helping develop workable solutions that reduce the burden on merchants who must secure their payment systems from criminal threats. Working with the National Retail Federation has helped us identify an issue and address it effectively.”

Card Number Truncation Best Practices

Additionally, Visa has developed global best practices for acquirers and merchants who choose not to store full card numbers to truncate, disguise or mask card information in cardholder and merchant receipts, reducing the amount of sensitive information in storage. The following are best practices for card number truncation:

  • On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number (####-####-####-1234) and suppress the full expiration date (currently required in the U.S.).
  • On the merchants’ copy of the receipt, merchants should disguise or suppress the card number so that a maximum of the first six and last four digits of the card number are displayed (1234-56##-####-1234) and suppress the full expiration date on the merchant copy of receipts.
  • Acquirers should support merchants who choose not to store full card numbers by providing transaction data storage. Merchants may then retain only disguised or suppressed card numbers on the merchant copy of the receipts.
  • Acquirers should evolve their systems to provide merchants with substitute transaction identifiers or tokens, in place of using full card numbers.
  • Acquirers should disguise or suppress card numbers in any merchant communications, such as email, reports, statements, etc. The Payment Card Industry Data Security Standard (PCI DSS) already requires that card numbers transmitted over public networks be rendered unreadable (e.g. by encryption, truncation or hashing).
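
The two receipt formats in the list above, applied to receipt text in Python. This is an added example, not part of the Visa release; it generalizes from 16-digit numbers to 13-19 digit card numbers. The function names, the `EXP:` label pattern, the sample receipt and the Luhn filter (used so that other digit runs such as order numbers are left alone) are assumptions of the example.

```python
import re

# Candidate card number: 13-19 digits, single spaces or hyphens allowed between digits.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed receipt layout: an "EXP"/"Expires" label followed by MM/YY or MM/YYYY.
EXP_RE = re.compile(r"\b(exp[a-z.]*\s*(?:date)?\s*:?\s*)\d{2}/\d{2,4}", re.IGNORECASE)

# (leading digits kept, trailing digits kept) per receipt copy, from the list above.
POLICY = {"cardholder": (0, 4), "merchant": (6, 4)}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here only to avoid masking non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(raw: str, keep_first: int, keep_last: int) -> str:
    """Replace hidden digits with '#', preserving the original separators."""
    n = sum(c.isdigit() for c in raw)
    out, idx = [], 0
    for c in raw:
        if c.isdigit():
            out.append(c if idx < keep_first or idx >= n - keep_last else "#")
            idx += 1
        else:
            out.append(c)
    return "".join(out)


def scrub_receipt(text: str, copy: str) -> str:
    """Mask card numbers and suppress the expiration date for one receipt copy."""
    keep_first, keep_last = POLICY[copy]

    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(raw, keep_first, keep_last) if luhn_ok(digits) else raw

    return EXP_RE.sub(lambda m: m.group(1) + "##/##", PAN_RE.sub(repl, text))


# Constructed sample receipt; 4111... is a widely used test number, not a real account.
SAMPLE = "ORDER 1234567890123456\nVISA 4111-1111-1111-1111\nEXP: 12/27\nTOTAL 19.99\n"

if __name__ == "__main__":
    print(scrub_receipt(SAMPLE, "cardholder"))
    print(scrub_receipt(SAMPLE, "merchant"))
```

Where the card number sits in a known field rather than free text, call `mask_pan` on that field directly instead of relying on the pattern match.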

Visa will work with key stakeholders to consider incorporating the best practices formally into Visa Operating Regulations and is soliciting industry feedback until August 31, 2010. The best practices are available at www.visa.com/cisp.

Visa previously established efforts to ensure that merchants do not store prohibited data elements which are specifically targeted by criminals, including card security codes and PIN data. In particular, Visa has required the largest Visa-accepting merchants to confirm that they do not store such prohibited data and thus far 96 percent of Level 1 and 2 merchants globally have done so. In addition, Visa has promoted the use of secure payment applications to ensure small and medium sized merchants do not store prohibited data.

Full press release and contacts

http://corporate.visa.com/media-center/press-releases/press1033.jsp

laws to truncate credit card numbers on receipts

FEDERAL LEGISLATION on Credit Card Numbers on Receipts updated February 7, 2008.

Through the Fair and Accurate Credit Transactions Act, Public Law 108-159, Congress preempted the states on credit and debit card truncation to set a national standard. Under Title I, §113 of the Act, only the last five digits of the card account number can be printed on electronically printed receipts provided to the customer. The new truncation requirement does not apply to handwritten receipts or receipts imprinted with a copy of the credit card.


For Release: May 30, 2007
FTC Reminds Businesses Law Requires Them to Truncate Credit Card Data on Receipts

The Federal Trade Commission has issued an alert to remind businesses that a federal law calls for them to truncate electronically processed credit card receipts to include no more than the last five digits of the card number, and to delete the expiration date.
The law applies only to electronically printed receipts, not to handwritten or imprinted ones, and it applies to the receipts the customer is given, not to the receipts the businesses retain for their own records.

According to the FTC, credit card numbers and expiration dates on sales receipts provide helpful information for scammers trying to commit identity theft. Congress passed the Fair and Accurate Credit Transactions Act to minimize the amount of personal identifying information on credit receipts, because they can be lost or thrown away to be retrieved by would-be identity thieves. The law was phased in so that merchants with newer electronic card-processing machines had to comply with its provisions as early as 2004, and those with older machines by December 2006. All merchants that electronically print credit or debit card receipts must now truncate the information on the copy they give consumers.

The business alert advises that merchants who fail to comply with the law could face FTC law enforcement action, including financial penalties and federally-enforced restrictions or requirements.

See page 24 of the FCRA, Federal Credit Reporting Act, for additional information (FCRA PDF download).

credit card number truncation

State Law Update: Merchant Receipt Truncation
Effective January 1, 2009, California Code Section 1747.09 requires:

  • Cardholder and merchant receipts printed at the time of purchase to contain no more than the last five digits of a credit or debit account number
  • Cardholder and merchant receipts to not contain the card expiration date

Several other states require “merchant receipt truncation” and similar legislation is pending elsewhere in the country.

With respect to laws for truncating consumer receipts, this is pretty widely known with significant merchant compliance, and we’ve reported on it before. This is Federal Law and a felony violation for non-compliance.

(g) Truncation of Credit Card and Debit Card Numbers
(1) In general. Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.
(2) Limitation. This subsection shall apply only to receipts that are electronically printed, and shall not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.
(3) Effective date. This subsection shall become effective–
(A) 3 years after the date of enactment of this subsection, with respect to any cash register or other machine or device that electronically prints receipts for credit card or debit card transactions that is in use before January 1, 2005; and
(B) 1 year after the date of enactment of this subsection, with respect to any cash register or other machine or device that electronically prints receipts for credit card or debit card transactions that is first put into use on or after January 1, 2005.

http://www.ftc.gov/os/statutes/031224fcra.pdf