Imprinted Receipts Expose Cardholder Information – Needlessly

It Costs Everyone, and It's a Security Hole We Must Close Now

Exposing cardholder information by imprinting this information on receipts is the 
Russian Roulette of the credit industry.  It’s risky, foolish and potentially devastating:  
if not immediately, then probably later.

For the cardholder, the maximum immediate monetary damage is $50.  Problems 
resulting from identity fraud, credit holds, and card reissuance can be serious, but 
consumers react to what’s happening today, and generally don’t become concerned 
about something as seemingly innocent as a receipt until it does serious damage.  
Thus, there’s no outcry from this sector.

For the businesses involved, problems caused by imprinted receipts are simply costs 
that are spread around – akin to shoplifting, phishing, and other fraud.

Banks mitigate their losses by refusing to honor the sale, but they can’t avoid the 
operational costs of investigation, processing and documentation, tie-ups in 
cardholder credit, card reissuance, etc.

As usual, the heaviest burden falls on the merchant.  A fraudulent transaction 
caused by an imprinted receipt sets in motion an investigation where the merchant 
has to spend time with the issuer and the bank, loses the merchandise, and forfeits 
the sale.  All with virtually no recourse.   The extent of damage is unknown, because 
there are no definitive national numbers on how many merchants continue to use 
imprinted drafts as primary receipts, but informal surveys indicate the problem is 
substantial, and, like all other forms of credit mischief, growing.

Are imprinted receipts a component of identity theft?  Others have suggested, 
and I agree, that the stealing of cardholder account names and expiration dates 
alone doesn’t enable ID theft.  It’s just one tool among several that are needed.

Criminals (fortunately) are lazy, relying more on brute force than brains.    
Tightening security against hackers with better network protection, and enhancing 
merchant site security has put formidable obstacles in their path.  The response of 
the tech-savvy criminal sector has been to use multiple computers to attack a site 
and expose itself – a technique which had some success until electronic 
countermeasures – better obstacles – were devised.

Now, defeating security systems is more difficult, and takes longer – if it can be 
accomplished at all.  So, criminals are left with a conundrum:  invest a lot of time 
with possibly no payoff, or return to the time-honored tradition of dumpster diving.   
Human nature, at least at this level, says go for the easier target.   And that’s 
what’s occurring.

This reality raises three questions:  How many merchants are still advertising 
cardholder data via imprinted sales drafts?  How much fraud can we eliminate with 
drafts that do not contain this information?  And why, if we can get the latter with 
no increase in expense, and no operational changes, doesn’t the financial industry, 
if not the regulatory agencies, mandate it?

Protecting cardholder information is in everyone’s best interest.  Financial factors 
aside, the merchant wants to be perceived in the community as a responsible party 
who takes security – and privacy (another hot-button issue) – seriously.  From a 
selling standpoint, the bank or ISO also wants to be viewed as a provider of products 
or services that protect – not a contributor to a problem, or source of personal risk.

Knowledgeable consumers pay attention to receipts, as do their employers, who 
often get those receipts as reimbursements for business expenses, or as receipts 
from corporate purchasing cards.  Neither wants cardholder information put at risk.  
The issue is truly one of awareness, because merchants have the option:  truncated 
sales drafts that do not reveal cardholder information, and cost the same as 
conventional sales drafts, are available.

Do we need a law to close this gaping security hole? Current state and federal laws, 
written in the previous century, exclude imprinted sales drafts, because there was 
no viable alternative.  And, at the time these laws were written, ID theft was in its 
infancy, and not regarded as a major issue.

We’ve implemented many costly, high-tech procedures to assure greater security.  
Now the big hole – big enough to drive a (stolen) truck through – is the non-truncated 
receipt.   It has become, once again, the path of least resistance.

Like corporate cost savings, all the “easy” steps to improve security (and many of 
the hard ones) were implemented long ago.  What’s left are small but critical steps that 
can make a real difference now.   And this step, unlike all those that preceded it, 
has no additional expense, no new training to do, and no downside.

Biff Matthews is President of Thirteen Inc, the parent company of 
CardWare International.  He is one of 12 founding members of the ETA, 
serving on its board, advisory board and committees.  (740) 522-2150.