- Retail sale.
- Credit.
- Cash disbursement.
- Information.
Formset Contents
Each copy of a retail sale, credit, or cash disbursement formset must satisfy minimum statutory and regulatory requirements in the jurisdiction in which the slip originates and any applicable regulations, issued by the U.S. Board of Governors of the Federal Reserve System or other regulatory authorities, and must contain the following:
- In the case of retail sale and credit slips, a space for the description of goods, services, or other things of value sold by the merchant to the customer and the cost thereof, in sufficient detail to identify the transaction.
- Adequate spaces for:
  - Customer's signature.
  - Card imprint and the merchant or bank identification plate imprint.
  - Date of the transaction.
  - Authorization number (except on credit slips).
  - Sales clerk's or teller's initials or department number.
  - Currency conversion field.
  - Merchant's signature on credit slips.
  - Description of the ID supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
- A legend clearly identifying the slip as a retail sale, credit, or cash disbursement and identifying the receiving party of each copy.
- On the customer copy of the formset, the words (in English, local language, or both): "IMPORTANT—retain this copy for your records," or words to similar effect.
- Such other contents as are not inconsistent with these rules.
Terminal Receipt Contents
A terminal or other device at a point of sale (POS) must not display magnetic stripe track data other than card account number, expiration date, and cardholder name. Each copy of a POS terminal receipt must contain the following information:
- Doing Business As (DBA) merchant name, city and state, country, or the point of banking location.
- Transaction date.
- Card account number.
- Transaction amount in the original transaction currency.
- Adequate space for the customer's signature (required on merchant copy only).
- Authorization approval code (except on credit receipts). Optionally, the acquirer also may print the transaction certificate, the application cryptogram, or both for EMV chip card transactions.
- Merchant's signature on credit receipts only.
Primary Account Number Truncation
ATM acquirers must truncate a minimum of four digits of the Primary Account Number (PAN). PAN truncation is also required for all receipts generated at Cardholder-Activated Terminals (CATs). PAN truncation is permitted for receipts generated at all other points of sale.
The cardholder receipt generated by point of sale (POS) terminals, whether attended or unattended, must reflect only the last four (4) digits of the PAN. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as "X", "*", or "#".
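An added example (not part of the source rules): a Python illustration of the cardholder-receipt rule above, masking a PAN to its last four digits and scanning receipt text for account-number fields that show more. The 12-19 digit length range, the receipt layout, and all function names are assumptions, and the receipt is constructed sample data.

```python
import re

# Constructed sample receipt; 4111111111111111 is a widely used test number.
SAMPLE_RECEIPT = """EXAMPLE STORE  ANYTOWN
2024-01-15 12:30
CARD  XXXXXXXXXXXX1111
CARD  411111XXXXXX1111
CARD  4111 1111 1111 1111
AUTH  123456
****************
"""

# Candidate field: 12-19 digits or fill characters, optionally grouped with
# single spaces or hyphens (an assumed receipt layout).
FIELD = re.compile(
    r"(?<![0-9A-Za-z*#])(?:[0-9X*#][ -]?){11,18}[0-9X*#](?![0-9A-Za-z*#])")

def luhn_valid(digits):
    """Check-digit test, used to tell a full PAN from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan, fill="X"):
    """Keep only the last four digits; replace every preceding digit."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("expected 12-19 digits")
    if len(fill) != 1 or fill.isdigit() or fill.isspace():
        raise ValueError("fill must be one non-blank, non-numeric character")
    return fill * (len(digits) - 4) + digits[-4:]

def receipt_violations(text):
    """Return (field, reason) for each field showing more than the last four."""
    found = []
    for m in FIELD.finditer(text):
        field = re.sub(r"[ -]", "", m.group())
        if field.isdigit():
            if luhn_valid(field):
                found.append((m.group(), "full PAN printed"))
        elif re.search(r"\d", field) and not re.fullmatch(r"[X*#]+\d{4}", field):
            found.append((m.group(), "not truncated to the last four digits"))
    return found

if __name__ == "__main__":
    for field, reason in receipt_violations(SAMPLE_RECEIPT):
        print(f"{field!r}: {reason}")
```

The scanner skips rows made only of fill characters (receipt dividers) and all-digit fields that fail the check-digit test, so authorization codes and similar numbers are not reported.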
Truncation Considerations
Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the effort. However, it also increases the confusion and difficulty that cardholders may have reconciling their ATM terminal receipts to their monthly statements. The following practices are recommended:
- Truncation of the routing BIN alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain issuer identification.
- Truncating the check digit and several other digits does not improve PAN security. Absent the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
- Truncating a small number of digits, when compared to the total number of digits in the PAN, reduces the effectiveness of the effort. It is possible to reconstruct a few missing digits by using a trial-and-error approach.
- Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the effort.
An acquirer using Electronic Signature Capture Technology (ESCT) must ensure that:
- Proper electronic data processing (EDP) controls and security are in place, so that digitized signatures are recreated on a transaction-specific basis. The acquirer may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
- Appropriate controls exist over employees with authorized access to digitized signatures maintained in the acquirer or merchant computers. Only employees and agents with a "need to know" should be able to access the stored, electronically captured signatures.
- Digitized signatures are not accessed or used in violation of applicable standards and regulations.