Re: Terminal Credit Card devices

["HALL, NATHANIEL D." <halln () OTC EDU>]

IANAL, but my opinion is that if the card company requires the full
credit card number than that is a legitimate business justification.
There just may have to be additional controls around who has physical
access to those merchant receipts.

 

--

Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

(417) 447-7535

 

________________________________

From: Gibson, Nathan J. (HSC) [mailto:Nathan-Gibson () OUHSC EDU] 
Sent: Friday, October 26, 2007 11:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Terminal Credit Card devices

 

HELP!!!!

 

As anyone ran into an issue where terminal credit card devices print the
full credit card number on the MERCHANT copy of sales receipts. 

 

How did you approach this issue. I have found that some credit card
companies require the full credit card numbers to be printed on MERCHANT
copies of the receipt and that it be retained for up to 24 months after
the sale,  while others don't. And then to put icing on the cake we have
the PCI-DSS that tells us to not store anything unless it has a
legitimate business justification. 

 

So which document do you base your organization policies on-The Merchant
Operation agreement that tells you to keep the full credit card number,
or - Your Business Managers and the PCI-DSS,  that don't want to keep
the numbers.