State Laws on Receipt Truncation

Posted on February 16, 2009 02:23 by Ty Hardison

In addition to federal law and various state laws which require merchants to truncate the cardholder copy of receipts, three (3) states now require merchants to truncate both the cardholder and merchant copies of receipts. 

Now six states (see updated entry: http://blog.vantagecard.com/post/Card-Number-Truncation-on-Merchant-Receipts.aspx).

States Requiring Full (Cardholder and Merchant) Receipt Truncation:

  • Colorado - as of 01/01/2006
  • Tennessee - as of 01/01/2007
  • California - as of 01/01/2009

Under the current legislation in Colorado, Tennessee and California, a merchant is required to truncate both the cardholder and merchant copy of the receipt by masking the card number and the expiration date as follows:

  • Card number truncation is defined as masking all but the last 4 digits of the card number by using * or X.

(Example:  XXXXXXXXXXXX1234   OR   ************1234)

  • Expiration date truncation is defined as masking the expiration date using * or X.

(Example:  XX/XX   OR    **/**)

Merchants in these states should check their receipts to comply with applicable laws and regulations regarding truncation. 
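One way to check both copies of a receipt against the masking rules above, as an added example that is not Vantage's software or part of the original entry. The function names, the receipt layout and the "EXP" label form are assumptions, and the sample receipt is constructed.

```python
import re

# 13-19 digits with optional single space/dash separators, not part of a longer digit run.
PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A labelled expiration date such as "EXP 09/11" or "Expires: 09/2011" (label form is an assumption).
EXPIRY = re.compile(r"(?i)\b(exp[a-z]*\.?:?\s*)\d{2}\s*/\s*\d{2,4}")

def truncate_receipt(text, mask="X"):
    """Mask all but the last 4 card digits and the whole expiration date."""
    if mask not in ("X", "*"):
        raise ValueError("mask must be X or *")
    def mask_pan(match):
        digits = re.sub(r"\D", "", match.group())
        return mask * (len(digits) - 4) + digits[-4:]
    text = PAN_RUN.sub(mask_pan, text)
    return EXPIRY.sub(lambda m: m.group(1) + mask * 2 + "/" + mask * 2, text)

def find_violations(text):
    """Return (line_number, problem) pairs for card data still printed in the clear."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if PAN_RUN.search(line):
            problems.append((number, "card number not truncated"))
        if EXPIRY.search(line):
            problems.append((number, "expiration date not masked"))
    return problems

# Constructed sample receipt; 4111111111111111 is a well-known test number, not a real account.
SAMPLE_RECEIPT = """\
MERCHANT COPY
VISA 4111 1111 1111 1111
EXP 09/11
AMOUNT 42.50
AUTH 123456
"""

if __name__ == "__main__":
    for copy in (SAMPLE_RECEIPT, truncate_receipt(SAMPLE_RECEIPT, "*")):
        print(find_violations(copy) or "fully truncated")
```

Run the check against the merchant copy as well as the cardholder copy, since full truncation covers both.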

If you are a Vantage merchant, you have already been contacted and updates are in progress. Additional states have legislation in progress which may require merchants to truncate both cardholder and merchant receipts. As these are announced, we will pass this information along.

Contact Vantage if you need support in meeting Full Receipt Truncation.  In most cases we can work with you to provide updated software for your existing terminal or payment application. 

 

  

By now all merchants should understand the importance of securing cardholder data. Like other industry leaders, Vantage has been constantly communicating the need for merchants to secure their systems and networks and comply with the Payment Card Industry Data Security Standards, particularly merchants who accept credit and debit cards on any type of PC-based point-of-sale payment system connected to the internet.

Our intent with this blog entry is to make clear to the merchant community the full financial risk of a breach. If mag-stripe data is stored on your system's hard drive or in log files and this data is stolen from your system, criminals can manufacture counterfeit cards and use them at stores to buy electronics, jewelry, etc., and you are responsible for these fraudulent card sales performed at other stores! These compliance chargebacks can quickly add up to tens, even hundreds, of thousands of dollars. So until the card acceptance rules change (which Vantage is strongly lobbying for), your business is responsible not only for chargebacks on sales you make but also for chargebacks on fraudulent sales made at other merchants with card data stolen from your system!

A hacker can mine cardholder data from your system for days, weeks, or months, then wait a year or more before using the stolen data. Once the stolen cards are used, a sophisticated “Compromised Account Management System” will track them back to a common place of purchase. As the rules & regulations now stand, once your business has been identified as the compromised location, you are responsible for the costs of a POS forensics exam, remediation, mandated security monitoring, fines and chargebacks!

Protect yourself…

  • Upgrade to a secure Payment Application immediately. Validate your specific payment application brand and version number.
  • In addition to upgrading your payment software, any old storage of prohibited data must be securely deleted from all systems, databases and log files. 
  • Enforce network security on your POS. Insecure networks connected to the internet are prime candidates for attacks. 
  • Secure remote management applications like PCAnywhere.  Turn on your remote management software ONLY when needed.
  • A low tech alternative is to process your card payments using a credit card terminal not tied to your POS network. 
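To find old storage of prohibited data before deleting it, the log files can be searched for mag-stripe track layouts and full card numbers. The sketch below is an added example, not Vantage's tooling or code from the original entry; the function names and log format are assumptions, the log lines are constructed, and the track patterns follow the ISO/IEC 7813 layout.

```python
import re

# ISO/IEC 7813 layouts: track 1 is %B<PAN>^<NAME>^<YYMM><service code>...?
# and track 2 is ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{7}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{7}\d*\?")
BARE_PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(number):
    """Luhn check digit test, used to discard random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_log(lines):
    """Return (line_no, kind, last4) findings; the full number is never echoed."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(line):
                findings.append((no, kind, m.group(1)[-4:]))
        rest = TRACK2.sub(" ", TRACK1.sub(" ", line))  # avoid double-reporting track data
        for m in BARE_PAN.finditer(rest):
            if luhn_ok(m.group(1)):
                findings.append((no, "full card number", m.group(1)[-4:]))
    return findings

# Constructed log lines; 4111111111111111 is a well-known test number, not a real account.
SAMPLE_LOG = [
    "2009-02-10 10:01:12 SALE ok amount=42.50 card=XXXXXXXXXXXX1111",
    "2009-02-10 10:01:13 DEBUG swipe=;4111111111111111=11091010000000000?",
    "2009-02-10 10:02:40 DEBUG raw=%B4111111111111111^DOE/JOHN^1109101000000000?",
    "2009-02-10 10:03:05 SALE ok pan=4111111111111111 order=1234567890123456",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A clean result from a text scan does not cover databases, binary files or compressed archives, which need their own search before the data can be considered removed.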

If your system is connected to the Internet, hackers can compromise computer networks within your location to steal cardholder data!! Don't think it will not happen to you. Merchants just like you are getting compromised and it is putting their business at risk. Please protect yourself, your business and your customer data.

More resources available at http://www.vantagecard.com/resources/PCI_Data_Secrity.html.

  

PARK CITY, UT (April 22, 2008) - The Aegenis Group and Vantage Card Services have partnered to provide data security eLearning to merchants. The partnership leverages The Aegenis Group’s eLearning materials and data security expertise and combines it with the unique, high-touch approach to merchant services offered by Vantage Card.

“In partnering with The Aegenis Group, we are able to provide our merchants a quality educational experience that is in keeping with our dedication to servicing the merchant,” said Ty Hardison, Vice President of Business Development at Vantage Card Services. “We are excited about being able to offer our merchants education that will enable them to increase the security of their customer data.”

Chris Mark, CEO and co-Founder of The Aegenis Group, added, “Vantage Card Services is at the forefront of a growing movement in the industry to empower merchants with respect to data security. By offering their merchants the opportunity to learn more about data security and its impact on the industry as a whole, including the consumer, Vantage is enabling their merchants to better their data security measures and The Aegenis Group is very excited to be a part of it.”

The partnership, which launches this week, will allow Vantage Card Services to send their merchants to a unique portal (http://training.vantagecard.com) in which merchants will be able to access eLearning courses and reference material.

About The Aegenis Group

The Aegenis Group is a regulatory compliance and risk management consulting organization specializing in strategic consulting, training, and market development assistance for companies in and around the payment card industry. The Aegenis Group is the worldwide QSA trainer and is contracted with a major card brand to conduct merchant and acquirer PCI DSS training. For more information about The Aegenis Group please contact us at info@aegenis.com.

About Vantage Card Services

Vantage Card Services, Inc., was established in February of 1996 to market and manage card processing services and payment systems for merchants, businesses and banks. Vantage provides clients with payment processing consulting to address specific interchange pricing and regulations in all types of industries. Vantage caters to clients that require value, expertise and personal attention, with a core philosophy focused on merchant education. For more information about Vantage Card Services please contact us at www.vantagecard.com.