TransWikia.com

Does a physical POS terminal expose my full bank card number to the merchant?

Personal Finance & Money Asked by sigil on February 8, 2021

In theory, POS terminal communicates directly with the acquiring bank and has no need to tell the merchant my bank card number, cardholder name or any other details. The paper receipt I get contains only the last four digits of my card’s number.

However, nothing stops the terminal from disclosing any or all of these data to the merchant just because it can. Is this choice regulated in any way? Is there any definite business practice?

4 Answers

The corporation that handles 45% of US merchant card transactions, First Data, offers a suite of reporting tools that includes search by card number. The first example I found is the reporting tool described within here: ClientLine user's guide, page 48:

The Card Search option allows you to perform searches on specific card numbers, either credit or debit, over time. This search will detail all occurrences of the card number entered for the time period selected. There are five card search reports to assist with your research needs.

  1. Transactions
  2. Authorizations
  3. Chargebacks
  4. Retrievals
  5. Gift Cards*
  • Based on your specific account set-up or configuration, all of these options may not be available to you.

Answered by user662852 on February 8, 2021

Yes, the full PAN (your credit card number) is exposed to the merchant's POS system, and yes there is a definite business practice applied, it's called PCI-DSS and is required by all of the world's major credit card providers when merchants want to process their cards.

If the merchant didn't have the ability to have access to the full PAN, how would they respond to chargebacks or customer disputes about payment?

The PCI DSS regulations (for which there is a 139 page, at the time of writing, document describing all of it's requirements), that all merchants have to sign up to in order to be able to process payments from the major credit cards, require that all but the first 6 and last 4 digits of the PAN is masked "when displayed" (including on receipts), it doesn't actually prevent the PAN from being recorded in full on receipts because it allows for a legitimate business need exception that you can drive a horse through (though it defers to local laws and stricter local regulations).

It is worth noting (thanks to updated info from @Bobson in the comments), that PCI-DSS allows for P2PE solutions that can remove the merchants network from needing to comply with PCI-DSS, as the customers data (including the PAN) is not available to the merchant directly (though it is still available to the POS terminal). This does not necessarily mean that these solutions encrypt the data all the way to the bank (unless the bank is the P2PE provider), and moves the subject of your question away from the merchant, to a third party. Additionally, for large merchants, the P2PE provider is allowed to be the merchant itself. For example a merchant of the scale of Walmart could have an internal P2PE subsidiary (they actualy use an external P2PE solution) that all of it's shops use, to move the PCI-DSS liabilities away from the shops (which could be setup in a number of other subsidiaries).

In particular, requirement 3.1 of the PCI-DSS has the following guidance:

The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code

and requirement 3.3 of the same document states:

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.

Note: This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand requirements for point-of-sale (POS) receipts.

While the guidance makes it clear that this should be restricted to people who have a legitimate business need to see the full PAN, the operator has discretion as to who this is, and many businesses who operate POS systems either don't know about this restriction requirement, or determine that all of their staff have a legitimate need to see the full PAN on the merchant copy of the receipts.

In the jurisdictions I have lived and worked in, the receipt you receive from the POS, the customer receipt, obscures all but the first two digits and the last four digits of the PAN (your credit card number). However, the merchant receipt, that is usually printed out prior to the customer receipt, is permitted to, and does have the full PAN of the card printed on it. It also, in many cases, has the expiry date of the card on it as well. Though if they do, the merchant is required to apply PCI-DSS requirements on physical security to those receipts.

If there isn't a local law prohibiting it, the likelihood is that in your jurisdiction the case is the same.

Answered by illustro on February 8, 2021

I can give you an anecdotal answer. When I purchased stuff from home Depot using self checkout, i get an option to send the e-receipt. The first time it asks me for my email address and for subsequent purchases using the same credit card did not but just sends the email. Scary as it sounds, they do have a link between the credit card used (or its hash) and email address stored within their system.
This would make me believe that POS terminals do expose all the information to the merchant.

Also in my previous life, I've programmed communication link between a POS terminal database to a remote web service for authorization. Even in this case the whole CC number is visible.

Answered by Viv on February 8, 2021

Existing answers have already explained that the merchant can typically see the credit card number. This is often necessary (e.g., for auto-renewal of subscription products).

However, there is one piece of information which is handled differently (by PCI-DSS compliant merchants). A POS terminal will not store/share the CVV1 code with the merchant. The CVV1 is stored on the stripe for verification of card-present transactions (as opposed to the CVV2, which is printed on the card for use in card-not-present transactions).

A merchant can charge your credit card without using either CVV code. In fact, this is necessary for subscription-based products, since they cannot store the code but want to offer automatic renewal. However, a PCI-Compliant merchant will not use a credit card without collecting and validate a CVV code when they are first given the credit card. Hence, someone who gains access to a merchant database will find it difficult to use the information stored in that database in order to clone credit cards.

Note that this answer is speaking from the perspective of a PCI-Compliant merchant using a PCI-Compiant POS terminal. Anybody with physical access to your credit card can take a stripe reader and extract your CVV1 code.

Answered by Brian on February 8, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP