Each copy of a receipt for a retail sale, credit, or cash disbursement transaction must comply with minimum statutory and regulatory requirements in the jurisdiction in which the receipt originates and any applicable regulations, and must contain the following:
- In the case of retail sale and credit receipts, a space for the description of products, services, or other things of value that are sold by the merchant to the customer and their cost, in sufficient detail to identify the transaction.
- Sufficient spaces for:
  - Customer's signature.
  - Card imprint and the merchant or bank identification plate imprint.
  - Date of the transaction.
  - Authorization number (except on credit slips).
  - Sales representative's initials or department number.
  - Currency conversion field.
  - Merchant's signature on credit slips.
  - Description of the identification document supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
- A note that clearly identifies the receipt as a retail sale, credit, or cash disbursement and identifies the receiving party of each copy.
- On the customer copy of the receipt, the words (in English, local language, or both): "IMPORTANT - retain this copy for your records," or words to similar effect.
- Any other contents that are not inconsistent with these rules.
Content of Sales Receipts at the Point of Sale
Each copy of a sales receipt produced by a physical terminal at the point of sale must comply with all requirements of applicable laws and regulations. Whether a terminal or another device has been used at the point of sale, the sales receipt must not display magnetic stripe track data other than card account number, expiration date, and cardholder name. The following information must be included in the sales receipt:
- The merchant's Doing Business As (DBA) name, city and state, country, or the point of banking location.
- Transaction date.
- Card account number.
- Transaction amount in the original transaction currency.
- Sufficient space for the customer's signature (required on merchant copy only).
- Authorization response code (except on credit receipts). Alternatively, the acquiring bank also may print the transaction certificate, the application cryptogram, or both for EMV chip card transactions.
- Merchant's signature on credit receipts only.
Card Account Number Truncation
The Credit Card Associations of Visa and MasterCard require acquiring banks to truncate, or otherwise make indeterminable, a minimum of four digits of the personal account number (PAN) on printed sales receipts generated by automated teller machines (ATMs). The Associations also require PAN truncation for all receipts generated at Cardholder-Activated Terminals (CATs). PAN truncation is permitted for receipts generated at all other points of interaction.
Since 2005, all sales receipts generated by newly installed, replaced or relocated point-of-sale terminals, whether attended or unattended, have also been required to display only the last four digits of the account number. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as "X," "*," or "#."
Following best practices for truncating card account numbers not only helps merchants fight fraud but also promotes customer confidence in the merchant's ability to securely handle personal information. The last four digits provide the customer with enough information to identify the card that he or she used in the transaction.
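The point-of-sale rule above (only the last four digits shown, fill characters neither blank nor numeric) can be applied when formatting a receipt and checked again on the printed field. The following Python sketch is an added example, not code from any card scheme or terminal vendor; the function names, the 13 to 19 digit length range, and the sample values are assumptions made for illustration.

```python
import re

def truncate_pan(pan: str, fill: str = "X") -> str:
    """Mask every digit except the last four with a non-blank, non-numeric fill."""
    if len(fill) != 1 or fill.isdigit() or fill.isspace():
        raise ValueError("fill must be one non-blank, non-numeric character")
    digits = re.sub(r"[ -]", "", pan)  # accept grouped input such as "4111 1111 ..."
    if not re.fullmatch(r"[0-9]{13,19}", digits):  # assumed PAN length range
        raise ValueError("PAN must be 13 to 19 digits")
    return fill * (len(digits) - 4) + digits[-4:]

def check_printed_pan(field: str) -> list[str]:
    """Return the rule violations found in a printed account-number field."""
    problems = []
    head, tail = field[:-4], field[-4:]
    if not re.fullmatch(r"[0-9]{4}", tail):
        problems.append("last four characters are not digits")
    if any(c.isdigit() for c in head):
        problems.append("digit printed before the last four")
    if any(c.isspace() for c in head):
        problems.append("blank space used as fill")
    return problems

# Constructed sample fields built from a widely published test number,
# not real card data.
SAMPLES = [
    "XXXXXXXXXXXX1111",   # compliant
    "411111XXXXXX1111",   # leading six digits still printed
    "            1111",   # blanks used instead of fill characters
]

if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))
    for field in SAMPLES:
        print(repr(field), check_printed_pan(field) or "ok")
```

Running the check on the rendered receipt field, not only on the formatter's input, catches templates that print part of the number elsewhere or pad with spaces.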
General Truncation Considerations
Typically, the truncation of a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure. However, it also increases the confusion and difficulty that cardholders may have in reconciling their ATM terminal receipts to their periodic card statements. There are several considerations to take into account when developing your own procedures for truncating account numbers:
- A truncation of the routing bank account number (BIN) alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain card issuer identification.
- Truncating the check digit and several other digits does not improve PAN security. Without the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
- Truncating a small number of digits, when compared to the total number of digits in the PAN, reduces the effectiveness of the procedure. It is possible to reconstruct a few missing digits by using a trial-and-error approach.
- Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure.
Acquiring banks that are using Electronic Signature Capture Technology (ESCT) must ensure the following procedures are implemented:
- Proper electronic data processing (EDP) controls and security measures are established, so that digitized signatures are recreated on a transaction-specific basis. Acquiring banks may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
- Adequate controls exist over employees with authorized access to digitized signatures maintained in the acquiring bank or merchant host computers. Employees and agents should be allowed to access the stored, electronically captured signatures only on a "need to know" basis.
- Digitized signatures are not accessed or used in a manner contrary to applicable industry regulations.