A colleague of mine spotted the following while doing expenses. The photograph below shows two separate receipts from two parking buildings that are not far from each other in central Luxembourg (roughly 1 km apart). Both were paid by credit or debit card.

Update: Bruce Schneier's thoughts on this matter

Can you spot the issue?

Spotted it? The first receipt masks everything except the last four digits, while the second receipt masks only the last digits and leaves the leading digits visible. The example above shows a debit card and a credit card, but if you pay with the same VISA credit card in both buildings, the two receipts together show your complete PAN.

There are multiple reasons why this might be an issue; PCI compliance is obviously one. My interest goes further. Two different systems each use what they believe is good-enough privacy/security, and it works as long as each stays in its own world. Put both into the same public place and it becomes apparent that this is no longer the case: each mask on its own hides enough of the PAN, but the unmasked positions of the two receipts complement each other, so the union reveals the whole number.

This is a problem for anyone who collects the tickets and then throws them in the bin, or expenses them, as in our case.
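As an added example (not part of the original post, and not code from either parking operator), the following Python shows why two independently "safe" masks leak. It implements the three masking policies that come up on this page (last four only, as Visa recommends for the cardholder copy; first six and last four, the PCI DSS minimum; and the second receipt's mask-only-the-last-four), overlays the masked copies from two receipts, and uses the Luhn check digit to count how many PANs remain consistent with what is visible. The PAN is the well-known Visa test number 4111 1111 1111 1111, not a real card; the policy names and function names are my own.

```python
"""Added example: combining independently masked receipts of the same PAN.

Constructed input: TEST_PAN is the public Visa test number, not a real card.
"""
import itertools
from typing import Callable, Dict, Iterable

MASK_CHAR = "X"
TEST_PAN = "4111111111111111"  # constructed sample, Luhn-valid


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1) used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int, keep_last: int) -> str:
    """Replace every digit except the first keep_first and last keep_last."""
    n = len(pan)
    if keep_first + keep_last >= n:
        raise ValueError("mask would reveal the whole PAN")
    return "".join(
        ch if i < keep_first or i >= n - keep_last else MASK_CHAR
        for i, ch in enumerate(pan)
    )


# Masking policies discussed on this page (names are mine).
POLICIES: Dict[str, Callable[[str], str]] = {
    "visa_receipt": lambda pan: mask_pan(pan, 0, 4),          # last four only
    "pci_dss_minimum": lambda pan: mask_pan(pan, 6, 4),       # first six + last four
    "mask_last_four_only": lambda pan: mask_pan(pan, len(pan) - 4, 0),  # 2nd receipt
}


def merge_masks(masks: Iterable[str]) -> str:
    """Overlay masked copies of one PAN: a position is known if any copy shows it."""
    masks = list(masks)
    n = len(masks[0])
    if any(len(m) != n for m in masks):
        raise ValueError("masks must have the same length")
    out = []
    for i in range(n):
        known = {m[i] for m in masks if m[i] != MASK_CHAR}
        if len(known) > 1:
            raise ValueError(f"receipts disagree at position {i}: {known}")
        out.append(known.pop() if known else MASK_CHAR)
    return "".join(out)


def reconstruct(pan: str, policy_names: Iterable[str]) -> str:
    """What an attacker learns from receipts masked under the given policies."""
    return merge_masks(POLICIES[name](pan) for name in policy_names)


def luhn_candidates(partial: str, limit: int = 10**6) -> int:
    """Count full PANs consistent with the visible digits and the Luhn check.

    Brute-forces the unknown positions; refuses search spaces above `limit`.
    """
    unknown = [i for i, ch in enumerate(partial) if ch == MASK_CHAR]
    if 10 ** len(unknown) > limit:
        raise ValueError(f"{len(unknown)} unknown digits: search space too large")
    buf = list(partial)
    count = 0
    for fill in itertools.product("0123456789", repeat=len(unknown)):
        for i, d in zip(unknown, fill):
            buf[i] = d
        if luhn_valid("".join(buf)):
            count += 1
    return count


if __name__ == "__main__":
    for combo in (("visa_receipt", "mask_last_four_only"),
                  ("visa_receipt", "pci_dss_minimum")):
        seen = reconstruct(TEST_PAN, combo)
        print(f"{' + '.join(combo):40s} -> {seen}  "
              f"candidates: {luhn_candidates(seen)}")
```

The Luhn digit removes exactly a factor of ten from the search space, so the PCI minimum (first six and last four) combined with a last-four-only receipt still leaves 10^5 candidates for a 16-digit PAN, whereas last-four-only combined with the second receipt's mask leaves exactly one. Visa's rule and the PCI minimum compose safely with each other because one reveals a subset of the other; the offending receipt reveals the complement.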

Thanks to Opale Security for pointing out the relevant VISA guidance on the matter:


Anonymous said... @ 07 December, 2011 11:12

Reported to a PCI auditor.

tristan said... @ 16 December, 2011 23:34

Thank you for the very very interesting post.

One tip to follow: always park your car in the same parking if you live in Luxembourg ;-)
I will always remember it. More seriously, that's a good point.


markoer said... @ 21 December, 2011 23:13

The problem is that one receipt is German and the other is in French. They couldn't agree on the digits to mask :-)

Tom said... @ 25 January, 2012 06:36

Just off the top of my head, but I'm quite certain the first 6 and last 4 are permitted to be displayed. So the issue here is the ticket showing all but the last 4.

C Delbrassine said... @ 07 May, 2012 09:40

As a PCI auditor I confirm that masking everything except the first six and last four is the minimum to be compliant.

Nevertheless, masking the cardholder receipt is not an obligation, as this ticket is supposed to be kept by the cardholder, who is also holding the card, which clearly displays this information.... Hopefully the majority of acquirers have decided to mask cardholder receipts to enhance global security. The most important part is to be sure that the merchant's copy does not contain the PAN in clear, as a lot of these receipts are stored in a central place... and often not a really protected place. Usually encryption is used for the merchant's copy in order to be able to decrypt the data for manual encoding (terminal failure).

Thierry Zoller said... @ 07 May, 2012 21:39

Guys, please read the PDF posted below; it should be very clear what the best practice is.

Recommended by VISA is:
"Disguise or suppress all but the last four digits of the PAN, and suppress the full expiration date, on the cardholder's copy of a transaction receipt created at a point of sale (POS) terminal or an ATM (already required for merchants in the U.S., Europe, and CEMEA; Visa will apply this rule across all regions in the near future to provide global consistency)"

thierryzoller said... @ 03 June, 2012 12:18

The document above states to "Disguise or suppress all but the last four digits of the PAN", which is contrary to what you say. Can you confirm?

EAP-TTLS said... @ 11 December, 2012 13:51

