In 2003, the United States Congress passed the Fair and Accurate Credit Transactions Act, intended to enhance existing provisions against identity theft and to better protect consumers. It included the mandatory requirement, also incorporated into the federal Fair Credit Reporting Act, that credit (and debit) card numbers be truncated on electronically printed receipts. This US legislative requirement has prompted interest regarding the state of the law in Canada as to what credit card information may be printed on customer and merchant sales receipts.
Current Canadian legislation has no similar explicit restriction regarding what credit card data may be included on such receipts. However, the policies of both the federal and provincial Privacy Commissioners indicate it is best practice to limit the details printed so as to safeguard privacy and curb identity theft.
The Office of the Privacy Commissioner of Canada (OPCC) has indicated businesses should avoid creating so-called “dangerous receipts,” that is, credit card receipts that include complete credit card numbers. Under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), businesses are required to protect personal information, and they are encouraged to use equipment that does not print the entire credit card number on a receipt. Where a business keeps a merchant copy sales receipt, it must ensure that the personal information collected is used and stored in a manner consistent with PIPEDA, and that such information is not disclosed without authorization. Consumers are advised to keep receipts with full credit card numbers in a safe place and to destroy them when no longer needed.
Industry representatives had advised the OPCC that the masking of credit card receipts would soon be an industry-wide practice, and that by 2007 all equipment used to process credit card payments would mask or truncate numbers. Despite these assurances, the Privacy Commissioner noted in March 2008 that unmasked receipts continue to be printed and that this issue requires attention from creditprocessing organizations.
Privacy statutes and Privacy Commissioner policy in Ontario, Alberta and British Columbia maintain an approach consistent with that at the federal level. This includes recommendations that businesses truncate or otherwise obscure credit card numbers, but without explicit statutory requirements to do so.
In April 2007, the Legislative Assembly of British Columbia appointed a Special Committee to conduct a statutory review of the Personal Information Protection Act (PIPA), which came into force on January 1, 2004. The Report of the Special Committee, Streamlining British Columbia’s Private Sector Privacy Law, was released on April 17, 2008. It considered the safety of credit card receipts and whether it was necessary to amend legislation to specifically address the masking of credit card information.
The committee heard a proposal to amend PIPA’s implicit consent section to address credit card truncation. Under the proposed provision, a purchaser would be deemed to have consented to the collection, use and disclosure of personal information when conducting business with a credit card, and to have provided consent to use the card information to process the business transaction. Nonetheless, this consent would not extend to posting the full card number, the expiration date, and the purchaser’s name and signature on the receipt for anyone to access.
The committee concluded that such legislative change was unnecessary, as businesses operating in British Columbia are increasingly using point-of-sale technology that includes only the last four digits of a customer’s credit card number and omits the expiration date.
The committee did consider that some small businesses would still be making imprint copies of the credit card. A proposed “identity tag” system, which would identify the person who accepted the credit card and hold them accountable for credit card information sold or stolen for financial fraud purposes, was considered too impractical to implement. Rather, the committee recommended that the Office of the Information and Privacy Commissioner use its website to encourage small business owners to use safe methods in processing credit and debit card transactions, and to highlight the risks associated with the improper handling and disposal of such receipts.
McCarthy Tétrault Notes:
The current Canadian consensus is that, despite the absence of specific laws requiring number truncation on receipts, it remains good practice for businesses to convert to technology that permits the masking of cardholder information in order to protect personal data in accordance with privacy and personal information legislation.
This article previously appeared in McCarthy Tétrault Co-Counsel: Business Law Quarterly.