I’d like to think that it’s common knowledge that credit card receipts can be a prime opportunity for identity theft. However, too many of us simply crumple the receipts and throw them in the trash without a care. If the receipt shows your full credit card number and expiration date, this is an invitation for a criminal to go on a shopping spree at your expense.
Federal law is intended to help protect against this problem. A few years ago, congress amended the Fair Credit Reporting Act 15 U.S.C. 1681 to require all merchants to truncate credit card numbers on the receipts that they give you at the register. This means that the receipt you receive should not show more than the last 5 digits of the card number. The remaining digits and the expiration date should be unreadable. Even if you threw out this receipt, it would be impossible for an identity thief to use the information.
Although this law went into effect in 2006, I occasionally receive receipts that are not in compliance. These are usually the two-part variety – white on top and yellow below, but it can happen even on the type that print out two separate receipts at the time of purchase (one that you sign and return and the other you keep).
Earlier this month, I had the pleasure of taking my eldest son on the big college tour – 10 schools in five days. Visiting the schools and the time with my son were terrific; the lengthy drives and staying at a different hotel each night not so much. What was interesting was the receipt I received from one of the major hotel chains where we stayed outside of Washington, DC. To my surprise, this nationally recognized chain provided me with an illegal credit card receipt, showing my full card number and expiration date. Needless to say, I did not toss that one in the trash, but kept it until I got home and could shred it. But imagine how many patrons think nothing of it or simply tell the clerk to just throw it out?
I came to learn that hotels are apparently the biggest offenders when it comes to data security. Being a maven of sorts on the topic, I happened to see in the March 18 Wall Street Journal that data breaches are heaviest at hotels. According to their sources, 38% of breach investigations in 2009 involved hotels, twice as high as the next highest category. The culprit is typically the point of sale software used to accept payment, much of which is not compliant with Payment Card Industry (PCI) standards.
I have sent a complaint to the hotel chain. They are currently investigating my concern. Let’s see what happens.