Dealing with Merchant Receipts

Dealing with Merchant Receipts
By Mat Clarke, Information Security Analyst

When a face-to-face payment is made, there are typically two types of receipt generated. One of these is handed to the customer for their own records (known as the “cardholder copy”), whilst the other is kept by the merchant.

 

Whilst the PAN (e.g. full card number) has to be truncated on the cardholder copy, this isn’t the case with the merchant receipt, where displaying the full PAN isn’t strictly prohibited within the Payment Card Industry Data Security Standard (PCI-DSS).

 

However, in cases where a merchant receipt displays full PAN information, the merchant must ensure that measures are taken to adequately secure the receipts. There are several controls contained within PCI-DSS with this is mind, which will be covered later within this article.

 

Retention of Merchant Receipts

Of course, retaining merchant receipts is very important for a business, as it allows them to respond to copy (retrieval) requests and chargebacks – this ability is vital in situations where a customer has raised an issue, for example:

 

  • The amount shown on a customer’s receipt doesn’t match the transaction amount
  • The customer doesn’t recognise the transaction or is claiming the transaction never took place
  • The cardholder copy of the receipt is illegible

 

Unfortunately, many businesses are under the impression that merchant receipts need to be retained for 6-7 years, in line with financial regulations covering accounting records; such as sales invoices, financial statements and general ledgers.

 

In reality, as merchant receipts are not considered to be primary accounting records, there is often little need to store them this length of time.

 

However, individual payment card brands have their own guidelines on how long merchant receipts should be stored for.

 

Visa state that merchant receipts must be stored for at least 13 months from the date of the transaction, as do On the other hand, American Express recommend a retention period of at least 24 months. These requirements are usually reflected in the Terms & Conditions or Operating Guides provided to businesses by their Acquirer.

 

Sysnet Global Solutions recommends that businesses should fully assess their financial and legal obligations when determining a sufficient retention period for this sort of material.

 

The Receipt Itself

Whilst there are certain items you would expect the see on a merchant receipt, such as transaction amount, information pertaining to the item purchased, time and date etc. it’s not uncommon when visiting a business to see full PAN information displayed on the merchant receipts being created on-site.

 

Typically, the reason for this is either that the payment terminals in use within the business were set up to display full PAN from the outset (no conscious thought has gone into the decision) or that the business was under the false impression that full PAN information must be retained. This is normally not the case, as full PAN information is very rarely required to respond to chargeback claims.

 

Businesses who do not require for full PAN information to be retained (and do not have a legal obligation do so) but are currently producing receipts containing this information should contact their acquirer and/or payment terminal provider to request for this information to be suppressed on future receipts.

 

However, if the business in question requires for the full PAN to be displayed, then there are specific controls detailed within the PCI-DSS which must be adhered to, in order to protect this information.

 

The Controls

Req. 3.1:

Implement data-retention and disposal policies, procedures and processes

Here, it’s important to document the specific retention requirements for cardholder data, including the length of time the business must keep this information for and why. Processes for the secure destruction of the data when it falls out of its retention period should also be detailed.

 

Req. 3.3:

Mask PAN when displayed such that only personnel with a legitimate business need can see more than the first 6/last 4 digits of the PAN.

This requirement does not supersede stricter requirements – such as legal or payment card brand requirements for point-of-sale receipts.

 

Req. 9.5–9.8

In general, this range of requirements deals with the following:

  • Documenting the procedures used to protecting the cardholder data displayed on merchant receipts
  • Reviewing storage locations to confirm that the media remains secure
  • Creating a distribution policy to ensure receipts are distributed securely where applicable
  • Ensuring merchant receipts are transported in a secure, trackable fashion – such as via a secure courier service
  • Creation of a media destruction policy which specifies requirements for the secure deletion of merchant receipts which have outlived their retention period.
  • The use of cross-cut shredding, incineration or pulping to ensure that the destroyed material is unrecoverable.

 

Chargeback Letters

It’s important to note at this point that chargeback letters may also be retained by businesses and can often also include full PAN information.

 

In these cases, it is Sysnet’s recommendation that businesses should seek alternative methods for the notification of chargeback/copy receipts requests. For example, there may be the option to manage this using an online tool, or have only a partial PAN displayed on the letters.

 

If there is a legitimate need for letters containing full PAN information to be retained, then businesses must ensure that these are being protected in the same fashion as stored merchant receipts containing full PAN, as per the controls indicated above.