Requirements and Best Practices for Truncating Card Account Numbers
Industry regulations require merchants and processing banks to truncate, or otherwise render indeterminable, all but the last four digits of a personal account number (PAN) on printed sales receipts generated by point-of-sale (POS) terminals and automated teller machines (ATMs). Truncation is also required for all sales receipts generated at Cardholder-Activated Terminals (CATs), like the ones installed at gas stations or train stations, as well as for receipts generated at all other points of sale.
Since 2005 all transaction receipts generated by newly installed, replaced or relocated POS terminals, whether attended or unattended, have been required to adhere to this policy. While an account number’s last four digits must be shown on a sales receipt, all preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters. Characters that can be used include “X,” “*,” and “#.”
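The rule above (keep the last four digits, replace every preceding digit with a non-blank, non-numeric fill character) is simple enough to implement and, more importantly, to check for. The following is an added example, not code from the original article or from any card brand or processor: a truncation routine that enforces the fill-character rule, plus a scanner that flags untruncated PAN-length digit runs in receipt text so a merchant can verify terminal output before deployment. The 13-to-19 digit PAN length range and the sample receipt text are assumptions constructed for the example.

```python
import re
from typing import List

# Fill characters the article lists as acceptable: neither blank nor numeric.
ALLOWED_FILL = {"X", "*", "#"}

# Assumption for this example: PANs are 13 to 19 digits long.
MIN_PAN_LEN, MAX_PAN_LEN = 13, 19


def truncate_pan(pan: str, fill: str = "*", visible: int = 4) -> str:
    """Return the receipt rendering of a PAN: all but the last `visible`
    digits replaced with `fill`. Spaces and dashes in the input are ignored."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit():
        raise ValueError("PAN must contain only digits (spaces/dashes allowed)")
    if not MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN:
        raise ValueError("unexpected PAN length")
    # The rule forbids blank or numeric fill characters; a digit used as fill
    # would be indistinguishable from real account data on the receipt.
    if len(fill) != 1 or fill.isdigit() or fill.isspace():
        raise ValueError("fill must be a single non-blank, non-numeric character")
    return fill * (len(digits) - visible) + digits[-visible:]


# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not adjoined by further digits. This is a detection heuristic for receipt
# output review; long order or phone numbers can produce false positives.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_untruncated_pans(receipt_text: str) -> List[str]:
    """Return every PAN-length digit run printed in `receipt_text`."""
    return [m.group(0) for m in _PAN_CANDIDATE.finditer(receipt_text)]


def receipt_is_compliant(receipt_text: str) -> bool:
    """True when no PAN-length digit run survives on the receipt."""
    return not find_untruncated_pans(receipt_text)


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN, not a real account.
    test_pan = "4111 1111 1111 1111"
    bad_receipt = f"ACME HARDWARE\nCard: {test_pan}\nAuth: 123456\nDate: 2024-05-01\n"
    good_receipt = f"ACME HARDWARE\nCard: {truncate_pan(test_pan)}\nAuth: 123456\nDate: 2024-05-01\n"
    print("bad receipt compliant? ", receipt_is_compliant(bad_receipt))   # False
    print("good receipt compliant?", receipt_is_compliant(good_receipt))  # True
    print("masked PAN:", truncate_pan(test_pan, fill="X"))  # XXXXXXXXXXXX1111
```

The scanner deliberately ignores the four visible digits, the six-digit authorization code and the date, since none of those reach PAN length; run it over a batch of captured receipt images' OCR text or a terminal's print log to confirm a new or relocated terminal truncates correctly before it goes live.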
Implementing best practices for truncating card account numbers helps merchants fight fraud, and it also promotes customer confidence in the merchant’s ability to securely handle personal information. The last four digits provide the customer with enough information to identify the card that he or she used in the transaction.
Truncating a larger share of the PAN’s digits typically increases the effectiveness of your data protection procedures. However, it may also make it harder for cardholders to reconcile their sales receipts with their monthly card statements. That’s why a sales receipt should also include the following information:
- Your Doing Business As (DBA) merchant name.
- The transaction date.
- A description of the products or services sold.
- The authorization approval code (except on credit receipts).
- Cardholder identification — only required for unique transactions processed in a card-present environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used). In such transactions merchants must include on the sales receipt a description of the unexpired, official government document provided as identification by the cardholder, including any serial number, expiration date, jurisdiction of issue, customer name (if not the same name as embossed on the card), and customer address.
PAN truncation is an important part of each merchant’s data security policy. While most of the technical work related to the procedure is done by processing banks and POS terminal manufacturers, it is important to understand that merchants bear (or at the very least share) the ultimate responsibility for a data security breach, as many retailers have discovered. Remember that your customer has a relationship with you, not with your processor or suppliers, and will hold you exclusively responsible for any compromise in his or her account information. Even if you are not held legally responsible for a data breach, your customers are likely to vote with their feet and go to a competitor, if they believe you are not doing enough to protect their sensitive account information.