Data breaches are making headlines and Canadians seem more concerned than ever about identity theft and credit card fraud. Businesses have a legal obligation to ensure that they develop and implement comprehensive plans to protect the personal information with which their customers entrust them, including credit card information that can quickly be exploited, but which is all too frequently freely available on credit card receipts. Although there is no legal requirement to mask or truncate credit card numbers on receipts, such plans can play an important role in preventing identity theft and the costs and disruption associated with data security breaches, as well as protecting a business’ reputation.
The Recommendations of the Privacy Commissioners in Canada
The Office of the Privacy Commissioner of Canada (“OPCC”) describes credit card receipts that contain a consumer’s name, full credit card number and card expiry date as “dangerous receipts” and makes the following recommendations to businesses:
(i) use equipment that does not print the entire credit card number on a receipt;
(ii) for small businesses that are not able to afford equipment that truncates or masks credit card numbers and are still manually taking imprints of credit cards, take all the steps necessary to protect credit card information including keeping credit card imprints in a secure location and limiting access to them to authorized personnel; and
(iii) adopt the latest Payment Card Industry Data Security Standard (“PCI DSS”) issued by the Payment Card Industry Security Standards Council, which is composed of the major credit card companies and which works with merchants and payment service providers to protect customer data (the PCI DSS can be found at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml).
Some Privacy Commissioners in Canada have also urged businesses to use technology that partially obscures credit card numbers on credit card receipts, which is consistent with the OPCC’s recommendation. Although the Commissioners recognize that what is reasonable varies with the circumstances, they have not expressly distinguished between large and small businesses and have not specifically addressed the PCI DSS.
Practical Recommendations for Your Business: What Can You Do to Better Protect Your Customers’ Personal Information?
Canadian businesses should use electronic payment processing equipment that truncates or masks credit card numbers and obscures the expiry date and the customer’s name. Both large and small businesses must ensure that credit card data is always stored in a secure location and that access to such information is restricted to authorized personnel. Businesses should also ensure that they and their advisors stay on top of industry developments and technological advancements and make privacy considerations an essential element of any technology purchase.
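The masking described above is easy to get wrong in software that assembles receipts from strings, so the following is an added illustration (not code from this article, the OPCC or the PCI Security Standards Council) of what a receipt-printing routine should do: keep only the last four digits of the card number (PCI DSS permits at most the first six and last four to be displayed; this example keeps only the last four), replace the expiry date, reduce the cardholder name to initials, and, as a final check before anything is printed or logged, scan the assembled receipt for any digit run that still looks like a full card number. The card number, name and amount are constructed sample values (4111 1111 1111 1111 is a widely used test number); the Luhn check is used only to reduce false positives in the leak check.

```python
"""Masking card data on a receipt, plus a leak check on the assembled output.

Added illustration, not code from the article or from the PCI SSC. Assumes the
receipt is built from plain strings and that the last four digits of the card
number are the only card digits the customer copy needs to show.
"""
import re

MASK = "*"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used here only so the leak check ignores random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with MASK, grouped in fours."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must have 12 to 19 digits")
    masked = MASK * (len(digits) - keep_last) + digits[-keep_last:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def mask_expiry(expiry: str) -> str:
    """The expiry date is never needed on the customer copy; obscure it fully."""
    return "**/**"


def mask_name(name: str) -> str:
    """Keep only the initial of each name part, e.g. 'Jane Doe' -> 'J*** D**'."""
    return " ".join(p[0].upper() + MASK * (len(p) - 1) for p in name.split())


def receipt_lines(name: str, pan: str, expiry: str, amount_cents: int) -> list[str]:
    """Assemble the customer-copy lines with every sensitive field masked."""
    return [
        f"CARDHOLDER: {mask_name(name)}",
        f"CARD: {mask_pan(pan)}",
        f"EXP: {mask_expiry(expiry)}",
        f"AMOUNT: CAD {amount_cents // 100}.{amount_cents % 100:02d}",
    ]


# 13 to 19 digits, optionally separated by spaces or dashes
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")


def leaks_full_pan(text: str) -> bool:
    """True if `text` still contains a Luhn-valid card number: a 'dangerous receipt'."""
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample data; 4111 1111 1111 1111 is a standard test number.
    lines = receipt_lines("Jane Doe", "4111 1111 1111 1111", "12/26", 1234)
    receipt = "\n".join(lines)
    assert not leaks_full_pan(receipt), "refuse to print: full card number present"
    print(receipt)
```

The leak check is the part a reviewer should insist on: it runs over the final string rather than over the individual fields, so a card number that reaches the receipt through any other path (a free-text memo field, a debugging line, a merchant-copy template reused for the customer copy) is caught before the paper leaves the terminal.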