Educause Security Discussion mailing list archives
Re: Terminal Credit Card devices
From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Fri, 26 Oct 2007 13:17:20 -0500
IANAL, but my opinion is that if the card company requires the full credit card number then that is a legitimate business justification. There just may have to be additional controls around who has physical access to those merchant receipts.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535

________________________________
From: Gibson, Nathan J. (HSC) [mailto:Nathan-Gibson () OUHSC EDU]
Sent: Friday, October 26, 2007 11:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Terminal Credit Card devices

HELP!!!!

Has anyone run into an issue where terminal credit card devices print the full credit card number on the MERCHANT copy of sales receipts? How did you approach this issue?

I have found that some credit card companies require the full credit card numbers to be printed on MERCHANT copies of the receipt and that it be retained for up to 24 months after the sale, while others don't. And then to put icing on the cake we have the PCI-DSS that tells us to not store anything unless it has a legitimate business justification.

So which document do you base your organization policies on?
- The Merchant Operation agreement that tells you to keep the full credit card number, or
- Your Business Managers and the PCI-DSS, that don't want to keep the numbers.