The National Restaurant Association posted a notice earlier this month on their website: double-check your debit and credit card receipts—make sure that expiration dates are not shown, and the receipt only shows the last five digits of the credit or debit card number, and nothing more.
The NRA is reminding all restaurants in the country to abide by this stringent federal law, refreshing everyone of the existence of the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act or FACTA) which forbids businesses from displaying expiration dates and more than the last five digits of a credit or a debit card number. Such regulation pertains to electronically printed restaurant receipts that are provided to customers at the point of sale.
The notice was prompted by reports that many restaurant businesses are still not abiding by the federal regulation. Companies that process card transactions (Visa, MasterCard, American Express and Discover) reported that there are still thousands (tens of thousands, in fact) of restaurant establishments in the U.S. that fail to comply with the FACT Act of 2003. The industry was said to make up 40% of incidents where unlawful individuals gain unauthorized access to customers’ credit card information—the largest percentage incident for the credit card merchant category.
The FACT Act was passed by the U.S. Congress in 2003 and has been in full effect since December 2006. The act was ratified to allow American consumers to obtain fair credit reports, and more importantly, to help reduce identity theft. It has seven major titles, among which is the Truncation of Credit and Debit Card Numbers, which strictly prohibits any businesses from printing more than 5 digits of any customer’s card expiration date or card number on receipts that are supplied to the customer at point of sale. The regulation excludes receipts that are imprinted or handwritten, and only applies to electronically printed ones.
Many restaurant operators thought that they complied with the rules, but later found out that their software systems have not been functioning properly, and became liable for full penalties both with the law and credit card companies. Most restaurant software systems (which often combines tabulation of bills with other restaurant procedures such as tracking reservations and delivering orders to the kitchen, etc.) do not strictly follow credit card security rules, but the pressure cannot be passed on to the software developers at all—restaurants shall be held liable in the end.
Other security measures that protect restaurant diners’ card information include an ample password protection or firewalls, as well as being careful who to hire to prevent skimming (a fraudulent act where dishonest apron-clad employees photocopy receipts or use skimmers to swipe and store restaurant diners’ credit card details). There used to be a time when restaurant credit card transactions were considered very low risk by Visa and MasterCard, which is why the industry gets lower interchange rates.
But now, the warnings has been clear, both from the government and credit card companies—be on guard or pay enormous fines.