It Costs Everyone, and It's a Security Hole We Must Close Now
Exposing cardholder information by imprinting this information on receipts is the
Russian Roulette of the credit industry. It’s risky, foolish and potentially devastating:
if not immediately, then probably later.
For the cardholder, the maximum immediate monetary damage is $50. Problems
resulting from identity fraud, credit holds, and card reissuance can be serious, but
consumers react to what’s happening today, and generally don’t become concerned
about something as seemingly innocent as a receipt until it does serious damage.
Thus, there’s no outcry from this sector.
For the businesses involved, problems caused by imprinted receipts are simply costs
that are spread around – akin to shoplifting, phishing, and other fraud.
Banks mitigate their losses by refusing to honor the sale, but they can’t avoid the
operational costs of investigation processing and documentation, tie-ups in
cardholder credit, card reissuance, etc.
As usual, the heaviest burden falls on the merchant. A fraudulent transaction
caused by an imprinted receipt sets in motion an investigation where the merchant
has to spend time with the issuer and the bank, loses the merchandise, and forfeits
the sale. All with virtually no recourse. The extent of damage is unknown, because
there are no definitive national numbers on how many merchants continue to use
imprinted drafts as primary receipts, but informal surveys indicate the problem is
substantial, and, like all other forms of credit mischief, growing.
Are imprinted receipts a component of identity theft? Others have suggested,
and I agree, that the stealing of cardholder account names and expiration dates
alone doesn’t enable ID theft. It’s just one tool among several that are needed.
Criminals (fortunately) are lazy, relying more on brute force than brains.
Tightening security against hackers with better network protection, and enhancing
merchant site security has put formidable obstacles in their path. The response of
the tech-savvy criminal sector has been to use multiple computers to attack a site
and expose itself – a technique which had some success until electronic
countermeasures – better obstacles - were devised.
Now, defeating security systems is more difficult, and takes longer - if it can be
accomplished at all. So, criminals are left with a conundrum: invest a lot of time
with possibly no payoff, or return to the time-honored tradition of dumpster diving.
Human nature, at least at this level, says go for the easier target. And that’s
This reality begs three questions: How many merchants are still advertising
cardholder data via imprinted sales drafts? How much fraud can we eliminate with
drafts that do not contain this information? And why, if we can get the latter with
no increase in expense, and no operational changes, doesn’t the financial industry,
if not the regulatory agencies, mandate it?
Protecting cardholder information is in everyone’s best interest. Financial factors
aside, the merchant wants to be perceived in the community as a responsible party
who takes security - and privacy - (another hot button issue) seriously. From a
selling standpoint, the bank or ISO also wants to be viewed as a provider of products
or services that protect – not a contributor to a problem, or source of personal risk.
Knowledgeable consumers pay attention to receipts, as do their employers, who
often get those receipts as reimbursements for business expenses, or as receipts
from corporate purchasing cards. Neither wants cardholder information put at risk.
The issue is truly one of awareness, because merchants have the option: truncated
sales drafts that do not reveal cardholder information, and cost the same as
conventional sales drafts, are available.
Do we need a law to close this gaping security hole? Current state and federal laws,
written in the previous century, exclude imprinted sales drafts, because there was
no viable alternative. And, at the time these laws were written, ID theft was in its
infancy, and not regarded as a major issue.
We’ve implemented many costly, high-tech procedures to assure greater security.
Now the big hole, big enough to drive a (stolen) truck through, is the non-truncated
receipt. It has become, once again, the path of least resistance.
Like corporate cost savings, all the “easy” steps to improve security (and many of
the hard ones) were implemented long ago. What’s left are small but critical steps that
can make a real difference now. And this step, unlike all those that preceded it,
has no additional expense, no new training to do, and no downside.
Biff Matthews is President of Thirteen Inc, the parent company of
CardWare International. He is one of 12 founding members of the ETA,
serving on its board, advisory board and committees. (740) 522-2150.