By Natasja Bolton, Senior Acquirer Support
MERCHANT RECEIPTS: ARE YOUR CUSTOMERS STORING MORE PAYMENT CARD DATA THAN THEY NEED?
Face to face card payment transactions generate two receipts – the cardholder copy, on which the Primary Account Number (PAN) must be truncated, and the merchant copy which will usually show the full PAN.
Businesses are well aware that they must retain their merchant copy receipts in order to be able to respond to retrieval (or copy) requests and chargebacks.
However, Sysnet’s QSAs have found through our visits with small businesses across all industry sectors that many believe merchant copy receipts need to be kept for 6-7 years. Businesses may therefore be storing a significant amount of hardcopy cardholder data.
The reason for this appears to be that finance teams think the merchant copy receipts are accounting records that need to be retained for up to 7 years, in line with policies for other company accounting records and documents such as sales invoices, general ledgers, financial statements, etc.
Merchant copy receipts are, however, not generally considered to be primary accounting records, as the business should also have other records of the customer transaction, such as cash register receipts, invoices, order forms, car rental agreements, etc.
From the card brands’ perspective
The card brands require retention of the merchant copy receipts for a shorter period. For example, VISA states that merchant copies must be retained for a minimum of 13 months from the date of the original transaction. This is also the case for Mastercard, who explain their position on retention of receipts in their eLearning video on preventing chargebacks.
For American Express a retention time of 24 months is expected. The card brand requirements are usually reflected in the Terms & Conditions or Operating Guides provided to businesses by their Acquirer.
Therefore, businesses should not have a need to retain merchant copy receipts beyond the period stipulated by the card brands. Sysnet recommend that all businesses consider their financial and legal obligations for long-term retention of merchant copy receipts.
Another factor relating to merchant receipts that businesses should consider is whether the full PAN needs to be shown on the receipt at all. Again, many businesses believe that they must have the full PAN in order to be able to respond to retrieval requests and chargebacks, but this is not always the case.
Indeed, in their Chargeback Guide, Mastercard state that “at no time does the merchant need to retain the entire PAN” with some limited exceptions, for example manual imprint/embossed transactions.
Operational requirements and recommendations
If there is no business operational need, or law enforcement obligation, to retain the full PAN on the merchant receipt, Sysnet recommend that businesses contact their acquirer or terminal provider about their options to suppress full PAN on their merchant copy receipts.
Hardcopy merchant receipts containing only masked PAN are not considered in scope for PCI DSS and do not need to be managed as such.
After taking the action above, the business may find that it holds merchant receipts with the full PAN that it no longer needs to store. Business owners must make sure that these hard copy records are securely erased/destroyed such that they cannot be recovered (per PCI DSS requirement 3.2).
Chargeback letters are another record that usually contains the cardholder’s full PAN and which businesses may be retaining. Often those personnel or teams working on PCI DSS compliance for payment acceptance activities forget to include chargeback handling in their considerations, usually because they do not have visibility of the chargeback process.
Sysnet has seen instances where chargeback letters are scanned/copied electronically, even sent via internal email between stores and head office as the business tracks down the transaction. As a result, the business may be storing not only the original hard copy chargeback letters containing full PAN but also electronic copies.
Sysnet recommend that our clients advise their customers of alternative ways that they may be notified of and respond to retrieval requests and chargebacks. We are aware that many of our clients offer online solutions that do away with the need to receive the physical letters. In addition, it may be possible for your customer to request suppression of the full PAN on their chargeback letters.
As with the hard copy merchant receipts, any hard copy chargeback letters that the business considers they have a legitimate need to keep will need to be protected in compliance with PCI DSS Requirement 3.3 (i.e. only people with a business need should be able to access the letters with the full PAN) and the media protection and destruction controls in Requirement 9.
There could be major implications for the business’s PCI DSS compliance if they also create and retain electronic copies of the chargeback letters. Retention of electronic scans of chargeback letters (containing the full PAN) would be considered a store of electronic card data in scope for PCI DSS.
Such storage of electronic cardholder data may change the merchant’s PCI DSS compliance requirements, e.g. they may now only be eligible to assess compliance using the SAQ D.
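The scoping points above (masked PAN receipts out of scope, electronic copies of chargeback letters with full PAN in scope) are easier to act on if a business can find where full PANs actually sit. The following is an added example, not code from the article or from Sysnet: a small Python scan over constructed receipt and chargeback text lines that separates full PANs (length plus Luhn check) from masked PANs, and shows the first-six/last-four display form that Requirement 3.3 permits.

```python
import re

# Constructed sample text, standing in for OCR'd receipts or an emailed chargeback letter.
# The card numbers are the well-known public test numbers, not real accounts.
SAMPLE_LINES = [
    "CARDHOLDER COPY  PAN ************1111  AUTH 123456",
    "MERCHANT COPY    PAN 4111 1111 1111 1111  AUTH 123456",
    "Chargeback ref CB-0001 card 5555555555554444 amount 42.00",
    "Order 1234567890123456 shipped",
]

# 13-19 digits, optionally separated by single spaces or hyphens, not adjacent to other digits.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Masked form as printed on cardholder copies: optional first six, mask characters, last four.
MASKED_PAN_RE = re.compile(r"(?:\d{6})?[*Xx]{6,}\d{4}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check: every PAN passes it, which filters out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_full_pans(text: str) -> list:
    """Return the digit strings in text that look like a full PAN (length + Luhn)."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def classify_line(line: str) -> str:
    """'full' if a full PAN is present (in scope), 'masked' if only a masked PAN, else 'none'."""
    if find_full_pans(line):
        return "full"
    if MASKED_PAN_RE.search(line):
        return "masked"
    return "none"

def mask_pan(pan: str) -> str:
    """Display form allowed by Requirement 3.3: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines) -> dict:
    """Count lines per class; any 'full' hit means the document is cardholder data in scope."""
    counts = {"full": 0, "masked": 0, "none": 0}
    for line in lines:
        counts[classify_line(line)] += 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_line(line).ljust(7), line)
    print(scan(SAMPLE_LINES))
```

Run against exported mailbox text or OCR output from scanned letters, a non-zero "full" count identifies the electronic stores the article warns about; the Luhn filter keeps plain order numbers from being flagged.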