The card acceptance process concludes with the printing of a sales receipt, which you need to ensure that your customer signs and then you have to compare that signature with the signature on the back of the card. Depending on the card and point-of-sale (POS) terminal, the customer should be in your full view when signing the receipt or the POS terminal signature window display. If possible, you should check the two signatures for any obvious inconsistencies in spelling or handwriting.
Today I will review the requirements with which each transaction receipt should comply and the information it needs to contain. Then I will show you how you can use the receipt for transaction verification purposes, so that you can protect yourself from fraud. Finally, I will review the circumstances when a receipt is not required. Let’s get started.
Sales Receipt Content
Sales receipts are used by both customers and merchants to validate transactions in which they have participated and are used as reference points whenever a dispute needs to be resolved or a representment is requested in a case of a chargeback. Each copy of a receipt for a retail sale, credit, or cash disbursement transaction must contain the following information:
- In the case of retail sale and credit receipts, a space for the description of products or services that are sold by the merchant to the customer and their cost, in sufficient detail to identify the transaction.
- Sufficient spaces for:
- Customer’s signature.
- Card imprint and the merchant or bank identification plate imprint.
- Transaction date.
- Authorization number (except on credit slips).
- Sales representative’s initials or department number.
- Currency conversion field.
- Merchant’s signature on credit receipt.
- Description of the identification document supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
- A note clearly identifying the receipt as a retail sale, credit, or cash disbursement and the receiving party of each copy.
- On the customer copy of the sales receipt, the words (in English, local language, or both): “IMPORTANT — retain this copy for your records,” or words to that effect.
The merchant can include other relevant information on the receipt, provided it is not inconsistent with these rules. It is recommended that each retail receipt identifies the organization that distributed the receipt to the merchant.
Content of Sales Receipts at the Point of Sale
Each copy of a transaction receipt produced by a physical POS terminal must be in compliance with all requirements of applicable laws and regulations. Whether a terminal or some device has been used at the point of sale, the sale receipt must not display magnetic stripe track data other than card account number, expiration date and cardholder name. The following information must be included in all sales receipts:
- The merchant’s Doing Business As (DBA) name, city and state, country or the point of banking location.
- Transaction date.
- Card account number.
- Transaction amount in the original transaction currency.
- Sufficient space for the customer’s signature (required on the merchant copy only).
- Authorization response code (except on credit receipts). Alternatively, the acquiring bank also may print the transaction certificate, the application cryptogram or both for EMV chip card transactions.
- Merchant’s signature on credit receipts only.
It is also required that each sales receipt must clearly identify the transaction as a retail sale, credit or cash disbursement.
Card Account Number Truncation
The Credit Card Networks of Visa and MasterCard require that acquiring banks truncate or otherwise make indeterminable on printed sales receipts generated by automated telling machines (ATM), a minimum of four digits of the personal account number (PAN). The Networks also require PAN truncation for all receipts generated at Cardholder-Activated Terminals (CATs).
Furthermore, since 2005 it is also required that all sales receipts generated by newly installed, replaced or relocated POS terminals, whether attended or unattended, display only the last four digits of the account number. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as “X”, “*” or “#”.
Following best practices for truncating card account numbers helps merchants fight fraud but it also promotes customer confidence in the merchant’s ability to securely handle and protect personal information. The last four digits provide the customer with enough information to identify the card that she had used in the transaction.
General Truncation Consideration
Typically, the truncation of a greater number of digits, when compared to the total number of digits in the personal account number (PAN), increases the effectiveness of the procedure. However, it can also make it more confusing and difficult for cardholders to reconcile transaction receipts to their monthly card statements. There are several considerations to take into account when developing your own procedures for truncating account numbers:
- A truncation of the routing bank account number (BIN) alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain card issuer identification.
- Truncating the check digit and several other digits does not improve PAN security. Without the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
- Truncating a small number of digits, when compared to the total number of digits in the PAN, makes the procedure less effectiveness. It is possible to reconstruct a few missing digits by trial and error.
- Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure.
It is now generally accepted to truncate all but the last four digits of the account number.
Acquiring banks that are using Electronic Signature Capture Technology (ESCT) must ensure the following procedures are implemented:
- Adequate electronic data processing (EDP) controls and security measures are established, so that digitized signatures are recreated on a transaction-specific basis. Processors may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
- Sufficient controls exist over employees with authorized access to digitized signatures maintained in the processor’s or merchant’s computers. Employees and agents should be allowed to access the stored, electronically captured signatures only on a “need to know” basis.
- Digitized signatures are accessed and used in compliance with applicable industry regulations.
Now let’s take a look at how you should use the newly-printed sales receipt for fraud prevention purposes.
Matching Customer Signatures
Once the customer has signed the sales receipt, ideally in your full view, you should closely check that signature to the one on the back of the card, looking for any obvious inconsistencies in the spelling or handwriting. While matching the two signatures, you should also compare the name and account number, as they appear on the card, to those on the transaction receipt.
For magnetic-stripe card transactions, compare both the name and the last four digits of the account number on the card to those printed on the sales receipt, as shown below.
Then match the signature on the back of the card to the one on the receipt itself. The first initial and the spelling of the surname must match. However, embossed name and signature do not need to be the same.
If the names, last four digits or the signatures do not match, make a Code 10 call and ask for further instructions on how to proceed with the transaction.
Additionally, when a magnetic stripe or chip-based transaction is PIN-based and you do have an active PIN pad, best practices dictate not to print a signature line on the receipt. In such cases, you should not request a signature from your customer.
When Is a Sales Receipt not Required?
Each one of the major U.S. payment brands maintains a program, which allows certain types of merchants to complete transactions below a specified amount, without the need to print sales receipts, unless explicitly requested by their customers. For example, Visa’s program is called Easy Payment Service (EPS) and MasterCard’s is named Quick Payment Service (QPS). Each of these programs is slightly different from the others, yet they are also similar enough to allow me to give you a general overview using the biggest one of them — Visa’s EPS.
Under the current Visa EPS rules, there’s no signature needed on just about all electronically-read (as opposed to key-entered) card-present Visa transactions of $25 or less. Furthermore, signatures are not required on transactions of $50 or less for U.S. merchants in two major category codes: Supermarkets (5411) and Discount Stores (5310). That allows businesses in more than 98 percent of Merchant Category Codes (MCC) to accept Visa without the need for customers to sign their name. Moreover, a receipt is generated only at the customer’s request.
To qualify, transactions need to comply with the following requirements:
- Be authorized.
- Include all MCCs for $25 or less.
- Include sales for up to $50 for Supermarket (MCC 5411) and Discount Stores (MCC 5310).
- Include unattended terminals, excluding automated fuel dispensers (AFDs), for transactions of $15 or less.
- Include all card types — magnetic-stripe, EMV chip and proximity (wireless) payments.
- Terminals must read and transmit unaltered magnetic-stripe, chip or contactless payment data.
Some transactions, however, are excluded from this program. Visa’s EPS, for example, excludes the following MCCs (the list is current at the time of writing):
Additionally, the following transactions do not qualify for Visa’s EPS program:
- Fallback transactions — these occur when an EMV-enabled POS terminal cannot process a chip-card transaction using the chip, but reads the card’s magnetic stripe instead.
- Account funding transactions.
- Cash-back transactions.
- Manual cash disbursement transactions.
- Quasi-cash transactions — these are sales of items that are directly convertible to cash, such as casino gaming chips, money orders, deposits, wire transfers, traveler cheques, travel money cards, foreign currency, etc.
- Prepaid load transactions.
- Transactions where Dynamic Currency Conversion is performed.
There is no registration requirement for the signature-less programs. If eligible, you simply run the transaction as you normally would, but eliminate the steps of PIN entry or checking and collecting the cardholder’s signature described above. Additionally, you only need to provide a transaction receipt if the cardholder requests one. That’s it.
Image credit: Onlythemanager.blogspot.com.