| ]


A colleague of mine spotted the below while doing expenses - The photograph below shows two separate receipts from two parking buildings that are not far away from each other in central Luxembourg (est. 1km). Both were paid by credit card / debit card.

Update:  Bruce Schneier thoughts on this matter


Can you spot the issue ?


Spotted it? While the first receipt masks everything except the last four digits, the second receipt masks everything except the first digits and leaves the last digits visible. While the example above shows a Debit and a Credit card, I can assure you that if you use a VISA credit card, both together show your complete PAN.

There are multiple reasons on why this might be an issue, PCI compliance obviously is one. My interest in this goes further. Two different systems use what they believe is good enough privacy/security and it works as long as they are in their separate world. Put both into the same public place and it becomes apparent it's no longer the case.

This might pose a problem for those that collect tickets and them throw them in the bin, or expense them, like in our case.

Thanks for Opale Security to point out the relevant VISA Guidance on the matter :