My card number and expiry date printed on receipt

Soldato
Joined
20 Apr 2014
Posts
2,564
Location
Home
Random question to ask but I have never noticed this before when using my card to pay for something. I was in a crappy run-down restaurant before and paid by debit card using contactless.
The guy came over with the card machine and asked for my card, looked at it and said “oh is it contactless”, asked me to check the amount on the machine, then I scanned the card for payment. It then printed 1 receipt out which he handed over to me. It wasn’t until later I noticed the receipt was displaying my whole 16 digit card number and expiry date :confused: It also said merchant copy on the bottom. Now maybe I’ve just never noticed this before but doesn’t a receipt normally only display the last few digits of a card number? And don’t most print a customer and merchant copy out? Is this normal or does it sound dodgy?
 
Soldato
Joined
7 Nov 2007
Posts
6,814
Location
Required
Customer copy only shows last 4 digits whereas merchant shows the whole thing. Generally the merchant copy is not supposed to be given to customers. When you use contactless there is no cardholder receipt as you have not authorised with your PIN but most retailers are relaxed about giving you the merchant copy.
 
Soldato
OP
Joined
20 Apr 2014
Posts
2,564
Location
Home
Customer copy only shows last 4 digits whereas merchant shows the whole thing. Generally the merchant copy is not supposed to be given to customers. When you use contactless there is no cardholder receipt as you have not authorised with your PIN but most retailers are relaxed about giving you the merchant copy.
Oh so it’s normal practice then for the merchant copy to show the 16 digits and expiry date? Normally in restaurants I use my pin as it’s always over £30 so maybe that’s why I’ve always got the customer copy that only displays the last 4 digits instead of the merchant copy. It’s just something I’ve never noticed before it just seems fairly unsafe showing all that information and I was slightly paranoid with it being a fairly run down restaurant in a dodgy area lol
 
Soldato
Joined
7 Nov 2007
Posts
6,814
Location
Required
Oh so it’s normal practice then for the merchant copy to show the 16 digits and expiry date? Normally in restaurants I use my pin as it’s always over £30 so maybe that’s why I’ve always got the customer copy that only displays the last 4 digits instead of the merchant copy. It’s just something I’ve never noticed before it just seems fairly unsafe showing all that information and I was slightly paranoid with it being a fairly run down restaurant in a dodgy area lol
Yes it's supposed to show that.
 
Soldato
OP
Joined
20 Apr 2014
Posts
2,564
Location
Home
Yes it's supposed to show that.
Thanks for clearing that up I was worrying they had my full card details especially with him asking for my card first to look at and the receipt displaying my full card number. Just me being paranoid then lol.
 
Soldato
Joined
17 Jun 2005
Posts
6,507
Location
Near Brighton
It's normal for the merchant copy to have those details.

Customer copy only shows last 4 digits whereas merchant shows the whole thing. Generally the merchant copy is not supposed to be given to customers. When you use contactless there is no cardholder receipt as you have not authorised with your PIN but most retailers are relaxed about giving you the merchant copy.

They shouldn't be giving out the merchant copy. This should be retained in case of any issues in the future. A customer card receipt can be printed from the machine if needed.
 
Associate
Joined
19 Dec 2010
Posts
1,393
Our merchant copies only show the last 4 digits. I was under the impression there was some GDPR regulation or something that meant keeping that kinda thing insecurely on a paper receipt wasn't allowed anymore. Might be wrong though.
 
Soldato
Joined
19 Mar 2012
Posts
6,558
Our merchant copies only show the last 4 digits. I was under the impression there was some GDPR regulation or something that meant keeping that kinda thing insecurely on a paper receipt wasn't allowed anymore. Might be wrong though.

It wouldn't surprise me if this were true and the merchant was simply running an old terminal or software.

IME there's always a hardcore of people who will ignore every warning letter and phone call in response to regulatory stuff so it's not unlikely.
 
Soldato
Joined
8 Dec 2002
Posts
20,077
Location
North Yorkshire
Our merchant copies only show the last 4 digits. I was under the impression there was some GDPR regulation or something that meant keeping that kinda thing insecurely on a paper receipt wasn't allowed anymore. Might be wrong though.

PCI compliance, not certain but when I was involved in this day to day I was sure card details had to be masked on physical and electronic copies at rest. At the very least it’s good practice to do so.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
PCI compliance, not certain but when I was involved in this day to day I was sure card details had to be masked on physical and electronic copies at rest. At the very least it’s good practice to do so.

For PCI Compliance in the UK card numbers must be hidden (6 digits) on the receipts. I worked in installing tills and card machines 4/5 years ago. This may or may not have changed in the last 4 years. Any store that has card numbers on the receipts I wouldn't trust them at all!

It only takes them to photo your CSV on the back and that's it someone could take your money.

Mask PAN when displayed such that only personnel with a legitimate business need can see more than the first 6/last 4 digits of the PAN.
 
Soldato
OP
Joined
20 Apr 2014
Posts
2,564
Location
Home
For PCI Compliance in the UK card numbers must be hidden (6 digits) on the receipts. I worked in installing tills and card machines 4/5 years ago. This may or may not have changed in the last 4 years. Any store that has card numbers on the receipts I wouldn't trust them at all!

It only takes them to photo your CSV on the back and that's it someone could take your money.
I’m worrying again now :( is there anything anyone would recommend doing should I contact the bank or change my card etc?
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
I’m worrying again now :( is there anything anyone would recommend doing should I contact the bank or change my card etc?

Not really - just watch your statements. You will be covered for fraud but depends on what you tell them in the end. No need to worry, you do still get companies displaying digits as long as they haven't taken the CSV.

You could change your card but personally I wouldn't. You see they could be still using an old card machine and not upgraded within the last 5 years or something. I'm not 100% sure if UK businesses have to be compliant now or not when they get issued a new card machine.

http://www.theukcardsassociation.org.uk/security/what_is_PCI DSS.asp

Is PCI DSS mandatory in UK?
The short answer is that PCI DSS is not a legal requirement in UK law. However, companies often overlook that credit card data is not just financial data but is personal data and comes under the Data Protection Act. ... Keeping personal information secure is a basic legal requirement.
 
Soldato
Joined
8 Dec 2002
Posts
20,077
Location
North Yorkshire
For PCI Compliance in the UK card numbers must be hidden (6 digits) on the receipts. I worked in installing tills and card machines 4/5 years ago. This may or may not have changed in the last 4 years. Any store that has card numbers on the receipts I wouldn't trust them at all!

It only takes them to photo your CSV on the back and that's it someone could take your money.

Thanks Mrbell, I should remember myself really as I worked with EPOS for 15 years and actually put my old company through accreditation. I was fairly sure but thanks again for confirming it.
As for @Dav4 don't stress, if it’s a standalone terminal it might be an out of date terminal. If you are really bothered go back in and see who provided the terminal. There are only a few providers; Elavon, Worldpay, FIS are the ones I have worked with. Might even tell you on the receipt.....
 
Soldato
OP
Joined
20 Apr 2014
Posts
2,564
Location
Home
Thanks Mrbell, I should remember myself really as I worked with EPOS for 15 years and actually put my old company through accreditation. I was fairly sure but thanks again for confirming it.
As for @Dav4 don't stress, if it’s a standalone terminal it might be an out of date terminal. If you are really bothered go back in and see who provided the terminal. There are only a few providers; Elavon, Worldpay, FIS are the ones I have worked with. Might even tell you on the receipt.....
The receipt has RMS retail merchant services on the top
 
Soldato
Joined
9 Dec 2007
Posts
10,492
Location
Hants
It wouldn't surprise me if this were true and the merchant was simply running an old terminal or software.

IME there's always a hardcore of people who will ignore every warning letter and phone call in response to regulatory stuff so it's not unlikely.
The terminal provider would push updates for compliance. Wouldn't be reliant on the retailer.
 