Account Number Truncation
Federal Law Requires All Businesses to Truncate Credit Card Information on Receipts
What’s on the credit and debit card receipts you give your customers? The Federal Trade Commission (FTC), the nation’s consumer protection agency, says it’s time for companies to check their receipts and make sure they’re complying with a law that’s been in effect for all businesses since December 1, 2006.
According to the federal Fair and Accurate Credit Transactions Act (FACTA), the electronically printed credit and debit card receipts you give your customers must truncate (shorten) the account information. You may include no more than the last five digits of the card number, and you must delete the card’s expiration date. For example, a receipt that truncates the credit card number and deletes the expiration date could look like this:
Why is it important for businesses to make sure they’re complying with this law? Credit card numbers on sales receipts are a “golden ticket” for fraudsters and identity thieves. Smart businesses appreciate the importance of protecting their customers and themselves from credit card crime.
But there are other important reasons to make sure your slips are compliant with the law. Noncompliance could open a company up to an FTC law enforcement action, including civil penalties and injunctive relief. In addition, the law allows consumers to sue businesses that don’t comply and to collect damages and attorney’s fees.
While Congress passed this provision in December 2003, it has been phased in gradually, requiring merchants with newer electronic card processing machines to comply by December 2004. Merchants with older machines were given until December 1, 2006. So now all companies that electronically print credit or debit card receipts must truncate the information on the copy they give their customers. That’s why it’s important to make sure all your equipment complies with the law.
Several details of the law are worth noting: It applies only to electronically printed receipts, not to handwritten or imprinted ones. And it applies only to receipts you give your customer at the point of sale, not to any transaction record you retain. Be aware, however, that when you keep your customers’ personal information, including account data, you have an obligation to keep it safe in accordance with PCI DSS compliance requirements.
Global Processing Systems wants to help. If you have any questions about this, or just want to make sure that you are meeting truncation standards and are PCI DSS compliant, please give us a call. We will be glad to assist you and make sure that everything is up to standard and that you and your customers are protected.