Inside the Black Hole

Industry regulations require merchants and processing banks to truncate, or make otherwise indeterminable on printed sales receipts generated by point-of-sale (POS) terminals and automated telling machines (ATMs), all but the last four digits of a personal account number (PAN). Truncation is also required for all sales receipts generated at Cardholder-Activated Terminals (CATs), like the ones installed at gas stations or train stations, as well as for receipts generated at all other points of sale.

Since 2005 all transaction receipts generated by newly installed, replaced or relocated POS terminals, whether attended or unattended, have been required to adhere to this policy. While an account number’s last four digits must be shown on a sales receipt, all preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters. Characters that can be used include “X,” “*,” and “#.”

Implementing best practices for truncating card account numbers helps merchants fight fraud but it also promotes customer confidence in the merchant’s ability to securely handle personal information. The last four digits provide the customer with enough information to identify the card that he or she used in the transaction.

Truncation of a greater number of digits, when compared to the total number of digits in the PAN, typically increases the effectiveness of your data protection procedures. However, it may also increase the confusion and difficulty that cardholders may have in reconciling their sales receipts to their monthly card statements. That’s why a sales receipt should also include the following information:

• Your Doing Business As (DBA) merchant name.
• The transaction date.
• A description of the products or services sold.
• The authorization approval code (except on credit receipts).
• Cardholder identification – only required for unique transactions processed in a card-present environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used). In such transactions merchants must include on the sales receipt a description of the unexpired, official government document provided as identification by the cardholder, including any serial number, expiration date, jurisdiction of issue, customer name (if not the same name as embossed on the card), and customer address.

PAN truncation is an important part of each merchant’s data security policy. While most of the technical work related to the procedure is done by processing banks and POS terminal manufacturers, it is important to understand that merchants bear (or at the very least share) the ultimate responsibility for a data security breach, as many retailers have discovered. Remember that your customer has a relationship with you, not with your processor or suppliers, and will hold you exclusively responsible for any compromise in his or her account information. Even if you are not held legally responsible for a data breach, your customers are likely to vote with their feet and go to a competitor, if they believe you are not doing enough to protect their sensitive account information.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Wireless credit card processing solutions have proliferated with the coming of age of the cellular phone technology. As their name suggests, these services enable merchants to accept bank cards on mobile devices, at locations outside of their stores and offices. Traditionally, wireless solutions have required merchants to purchase specialized mobile point of sale (POS) terminals, but over the past few months a couple of start-ups have introduced services compatible with smart phones.

There are two distinct groups of wireless processing services:

• Long-range wireless card processing. Long-range wireless services operate on the same networks that cell phone carriers use for transmitting voice and data. The service is available everywhere network service is present. These services are designed for businesses that regularly accept payments at their customers’ locations or at industry gatherings and similar types of events.
• Short-range wireless card processing. Short-range wireless devices use the same connectivity services that cordless phones use. The mobile processing terminal can be operational within a radius of several hundred feet of the location of its base unit which is connected to a phone line. The short-range wireless card processing service is perfect for merchants with limited mobility requirements, e.g. merchants who need card acceptance capabilities at different locations on their premises.

The advantages of using mobile services for accepting card payments are:

• Convenience. Wireless card processing services enable merchants to immediately accept card payments at trade shows, conventions, or on their customers’ premises. The alternative is to collect customers’ payment information to be processed later, increasing transaction costs and the probability of making an error.
• Reduced risk exposure. Wireless transactions fall into the “card-present” category, which is the first factor processors look at when determining the merchant’s risk level. Card-present transactions are much less likely to be fraudulent than card-not-present ones.
• Better fraud protection. With a wireless terminal the customer remains in possession of the card at all times, thus reducing the possibility of a fraudulent activity. The card’s magnetic stripe is “read” by the terminal making it much easier to validate the transaction’s information.
• Reduced processing costs. Because wireless transactions are processed in the safer card-present environment, they generally receive the best processing rates available.

There are a couple of disadvantages of using wireless card processing solutions:

• High equipment cost. The cost of mobile terminals is significantly higher than that of regular POS terminals and can be the deciding factor in your decision, especially if your processing volumes are low. It must be mentioned, however, that some new services offer significantly lower hardware cost. Square, for example, gives away a card reader that can be plugged into a smart phone, turning the phone into a POS terminal. Square is still in beta testing, though, and it is not yet clear whether it will prove to be a viable alternative to a full-fledged wireless terminal.
• Network signal availability. Perhaps the biggest issue associated with wireless card processing is the reliability of the wireless signal. You should check the coverage map of the network that your prospective provider is using in the area you will be operating in before setting up a wireless merchant account. The two major networks used by wireless payment processing providers are:
  • Verizon – check network coverage map.
  • AT&T – check network coverage map.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Content of sales receipts. Sales receipts are used by both customers and merchants to validate a transaction in which they have participated and to use them as reference points whenever a dispute needs to be resolved or a representment is requested in a case of a chargeback. Each copy of a receipt for a retail sale, credit, or cash disbursement transaction must contain the following information:

• In the case of retail sale and credit receipts, a space for the description of products or services that are sold by the merchant to the customer and their cost, in sufficient detail to identify the transaction.
• Sufficient spaces for:
  • Customer’s signature.
  • Card imprint and the merchant or bank identification plate imprint.
  • Transaction date.
  • Authorization number (except on credit slips).
  • Sales representative’s initials or department number.
  • Currency conversion field.
  • Merchant’s signature on credit receipt.
  • Description of the identification document supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
• A note clearly identifying the receipt as a retail sale, credit, or cash disbursement and the receiving party of each copy.
• On the customer copy of the sales receipt, the words (in English, local language, or both): “IMPORTANT – retain this copy for your records,” or words to that effect.

The merchant can include other relevant information on the receipt, provided it is not inconsistent with these rules. It is recommended that each retail receipt identifies the organization that distributed the receipt to the merchant.

Card account number truncation. Since 2005 it is also required that all sales receipts generated by newly installed, replaced or relocated point-of-sale terminals, whether attended or unattended, display only the last four digits of the account number. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as “X,” “*,” or “#.” The last four digits provide the customer with enough information to identify the card that he or she used in the transaction.

General truncation consideration. Typically, the truncation of a greater number of digits, when compared to the total number of digits in the personal account number (PAN), increases the effectiveness of the procedure. However, it can also make it more confusing and difficult for cardholders to reconcile transaction receipts to their monthly card statements. There are several considerations to take into account when developing your own procedures for truncating account numbers:

• A truncation of the routing bank account number (BIN) alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain card issuer identification.
• Truncating the check digit and several other digits does not improve PAN security. Without the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
• Truncating a small number of digits, when compared to the total number of digits in the PAN, makes the procedure less effectiveness. It is possible to reconstruct a few missing digits by trial and error.
• Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure.

Electronic signatures. Processing banks that are using Electronic Signature Capture Technology (ESCT) must ensure the following procedures are implemented:

• Adequate electronic data processing (EDP) controls and security measures are established, so that digitized signatures are recreated on a transaction-specific basis. Processors may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
• Sufficient controls exist over employees with authorized access to digitized signatures maintained in the processor’s or merchant’s computers. Employees and agents should be allowed to access the stored, electronically captured signatures only on a “need to know” basis.
• Digitized signatures are accessed and used in compliance with applicable industry regulations.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Cardholder-activated terminals (CATs) are typically unattended terminals that accept bank cards for payment. These terminals are frequently installed at rail ticketing stations, gas stations, toll roads, parking garages, and other merchant locations.

There are four types of cardholder-activated terminals:

• Automated Dispensing Machines / Level 1.
• Self-Service Terminals Level 2.
• Limited Amount Terminals Level 3.
• In-flight Commerce (IFC) Terminals Level 4.

CAT requirements specify the maximum dollar amount of transactions permitted as well as authorization, clearing and chargeback requirements and related transaction liability for each CAT type.

Because CATs are typically unattended, traditional point-of-sale (POS) card acceptance procedures do not apply, such as verification of the card’s validity by examining its hologram, account number, expiration date and other security features for signs of tampering. For the same reason the merchant is also prevented from verifying the authenticity of the cardholder’s signature.

Merchants operating CATs need to ensure that payment processing procedures at their unattended terminals comply with the following general acceptance requirements:

1. All non-face-to-face transactions initiated by the cardholder where the card number is either captured as a result of reading the card electronically or by using an electronic device (such as a transponder, PC, or mobile phone) must include the proper cardholder-activated terminal (CAT) level indicator in both the authorization message and clearing records. Depending on the CAT level indicator, other specific data is required for authorization and clearing.
   1. The authorization request message must include a valid merchant category code, point-of-sale (POS) country code, POS postal code, and CAT level indicator (Level 1, 2, 3, 4, 6, or 7).
   2. Messages used at the CAT must communicate to the cardholder, at a minimum, the following information:
      • Invalid transaction.
      • Unable to route.
      • Invalid PIN-re-enter (Level 1 only).
      • Capture card (subject to the terminal’s ability to retain cards).
   3. The merchant identification number and the CAT level indicator must be present in the First Presentment, First Chargeback, Second Presentment, and Arbitration Chargeback messages.
2. The description of products or services on the CAT sales receipt should be clearly recognizable to the cardholder.
3. Processing banks are responsible for providing requested transaction information documents.
4. No CAT may accept a bank card for the purchase of scrip.
5. The transaction receipts provided to cardholders should show only the last four digits of the primary account number, and that all preceding digits are truncated. The truncated digits must be replaced with fill characters such as “X,” “*,” or “#” and not with blank spaces or numeric characters.

Accept card payments quickly and safely

Accept credit and debit card payments at the lowest processing costs. You will get:

• Free merchant account set-up.
• No fixed monthly fees.
• 24 / 7 customer support.

Merchants operating physical stores have the advantage of accepting payments in a face-to-face environment, which is typically associated with lower levels of fraud and chargebacks. Consequently, card-swiped transactions are processed at the lowest interchange rates by the credit card networks. Key-entered transactions, however, are different. Although fully acceptable, key-entered transactions are associated with higher fraud and chargeback rates, mostly because some special security features – such as the expiration date and the card security codes – are not available.

Merchants key-enter transactions when the point-of-sale (POS) terminal is down or cannot read the card’s magnetic stripe or perform an authorization. There can be several reasons why the card’s stripe cannot be read, but it is usually because the terminal’s magnetic-stripe reader is not working properly, the card is not being swiped through the reader correctly, or the magnetic stripe on the card has been damaged or demagnetized.

It is important to estimate the percentage of key-entered transactions compared to total transactions to help you identify which stores, terminals, or sales associates have high key-entry rates. In order to do that, divide the total number of key-entered transactions for a certain period (a month or a quarter) by the total number of sales. If your business is processing mail order and telephone order transactions, exclude them from both totals. To represent the result as a percentage, multiply it by 100. To determine the key-entered rate for each associate, repeat the process for each terminal and each sales shift.

Now that you have calculated your business’ overall and per-associate key-entered transaction rates, you can begin your evaluation. Where key-entered transactions exceed one percent of total transactions, you should investigate the situation, identify the issue and take adequate corrective measures. Following is a list of the most common reasons for high rates of key-entered transactions and possible solutions at the point of sale:

• Damaged magnetic stripe reader. Check your magnetic stripe readers regularly to make sure they are working properly.
• Dirty magnetic stripe readers. Clean your magnetic stripe reader heads several times a year to ensure they remain in a good working condition.
• Magnetic stripe reader obstructions. Remove all obstructions near the magnetic stripe reader. Electric cords or other equipment could prevent a card from being swiped straight through the reader.
• Spilled food or drink. Remove all food or beverages near the magnetic stripe. Falling crumbs or an unexpected spill could soil or damage the terminals.
• Anti-theft devices that damage magnetic stripes. Keep magnetic anti-theft deactivation devices away from any counter area where customers might place their cards. These devices can erase a card’s magnetic stripe.
• Improper card swiping.
  • Swipe the card once in one direction, using a quick, smooth motion.
  • Never swipe a card back and forth.
  • Never swipe a card at an angle; this may cause a faulty reading.

Whenever you have to key-enter transactions, make an imprint of the card (the same best practice applies to voice-authorized transactions). The imprint proves that the card was present at the point of sale and protects your business from a potential chargeback in case of a fraudulent transaction. You can make the imprint either on the sales receipt, generated by the terminal, or on a separate manual sales receipt, signed by the customer.

Accept card payments quickly and safely

Accept credit and debit card payments at the lowest processing costs. You will get:

• Free merchant account set-up.
• No fixed monthly fees.
• 24 / 7 customer support.