Friday, August 27, 2004

Article: Credit-card processors gear up for new privacy law

I find it amazing that when I closely examine the detritus of daily life (by emptying my pockets at the end of the day), I discover that so many merchants still print all the digits of the card number on credit and debit card receipts. Why? Why? Why? There is simply no need to have that info there, and it threatens the privacy of the cardholders.

The problem is usually compounded by a pretty cavalier attitude toward these flimsy pieces of paper. How many times have I picked up someone's receipt from the check-out at the grocery store, only to find a full credit card number, complete with expiry date? Or a full debit card number? When I mention it to the clerk, they just chuck it in the garbage. If you want to commit fraud, I can tell you the dumpsters to dive in.

PIPEDA, thanks to its broad statement that you must secure personal information against accidental disclosure, etc., probably requires obscuring at least part of the number. But not enough retailers have read it. At least the US is taking this seriously. The Fair and Accurate Credit Transactions Act requires card "truncation" by January 1 and some state laws have mandated it for some time:

Credit-card processors gear up for new privacy law:

"By Marion Davis, Staff Writer

A federal law requires merchants to truncate personal information on credit card receipts by Jan. 1. Does your business take credit cards? If so, when the slip prints out, how much of the customer's card number is included? If it's more than the last five digits, and/or if the expiration date shows, you need to upgrade your terminal by Jan. 1.

A federal law passed last December, the Fair and Accurate Credit Transactions Act, requires credit-card "truncation" by that date, and a new state law makes merchants liable, starting in 2007, for any resulting fraud, plus legal fees, if they don't comply.

Some states, starting with California, have been gradually implementing truncation mandates for new terminals since 2001, but it was only last January that the first laws affecting existing machines kicked in. Some are tougher than Rhode Island's: In Maine, anyone who didn't switch by last Jan. 1 is already subject to a $1,000 penalty; in Arizona, as of June 1, merchants who don't truncate can be fined $10,000."

I gather that Visa/Mastercard have made this mandatory for their Canadian retailers by 2005.


Anonymous said...

Last week I used my Mastercard to pay for some take-out food (Swiss Chalet) and only later realized my credit card number along with the expiry date was printed on the receipt. I complained through their toll-free number and was told they plan to convert the machines very soon - around January - to the new truncated format. They noted down the store location and said they would remind them of the need to update their cash registers. If it happens again, I may complain to the Privacy Commissioner.

privacylawyer said...

I noticed the same last week when I ordered take-out from the same chain. It's amazing that a large chain is still doing that almost two years after PIPEDA came into force.

Unknown said...

It is really informative, thanks for such a creative share.

Unknown said...

Yes David, I agree with you. I have also suffered from the same thing.