Credit card fraud: those pesky receipts

Official advice from the Association for Payment Clearing Services (APACS - PDF press release) is that we should shred or burn all our credit card receipts to avoid sensitive information falling into the hands of fraudsters. The research presented on this page underlines just how important this is.

However, I also argue that it is disingenuous of APACS to put the burden of responsibility for protecting credit card data onto the hapless consumer whilst retailers are quite unnecessarily printing all this information on receipts in the first place. The table below reveals a wide range of practice among retailers, from the admirably careful to the downright irresponsible.

Retailers should be giving us four digits on credit card receipts. This name-and-shame page is my small contribution to bringing this about.

Please note that I have never yet been the victim of credit card fraud, nor have I any axe to grind. My initial motivation for creating this page was actually because it presented some interesting computer programming challenges. (The XSLT script that generates the table has some nice features.) Any useful information presented here is merely a side-effect 8^)

Four digits is enough

The news that credit card fraud as a result of "card not present" (CNP) transactions has now reached the amount of £110 million per year in the UK (BBC report) finally prompted me to put up this page.

CNP fraud is perpetrated by criminals who have got hold of our credit card details, generally by bin-diving to find our old receipts. Why do credit card receipts reveal so much information useful to criminals?

It seems to me that the only real reason to put any credit card details on a receipt is so that it is possible to identify the card with which the transaction was made—I have several cards, and I need to know which one I used when I come to do my accounts. About four digits of the credit card number suffice for this. That's it. There's absolutely no need to put the whole number, the expiry date, or the name of the cardholder on the receipts. If retailers printed only four digits of the card number on the receipt this kind of risk would disappear overnight, and our shredding machines could have a rest.

To shred or not to shred?

Advice from the Association for Payment Clearing Services (APACS - PDF press release) is that we should shred or burn all our credit card receipts. This is important advice, notwithstanding the fact that most receipts have something like "please retain for your records" printed on them.

However, this advice is also disingenuous. It attempts to place the burden of responsibility for our card information falling into the wrong hands on us, the hapless consumers, careless with our receipts, whereas the main responsibility should lie with APACS's members who quite unnecessarily sanction the printing of all this information on credit card receipts in the first place.

Another problem with shredding receipts is that, increasingly, credit card receipts are being combined with till receipts—which we might want to keep for returns or proof of purchase—making it more difficult to shred them routinely, and more likely that they fall into nefarious hands.

Information leakage

How much information should appear on a credit card receipt?

Many retailers are blatant offenders, including all the digits of the card number, as well as the expiry date. If I can also find out your name, say from discarded letters also in your bin, then fortune beckons. A few retailers save me even that bother by helpfully printing your name on the receipt itself. Others preserve your signature, which might be an illegible squiggle, but could give clues to your name as well.

Furthermore, there is no consistency over which digits are included, so even if two different retailers omit several of the digits of the CC number, obtaining a receipt from each of them will reveal the whole number. The numbers on one fill in the blanks on the other. According to the table neither Ethel Austin nor Boots is a particularly bad offender, but give me receipts from both and I have your full CC number, and the expiry date.

Perversely, Bwise receipts show the first 12 digits of the card number while a receipt from almost any other retailer will show the last four digits. So a Bwise receipt plus any other receipt will reveal the whole number, and the expiry date.
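The "fill in the blanks" effect can be checked mechanically. The following Python is an added example, not part of the original page and not the author's XSLT: it takes a set of masking policies in the page's own notation (x = digit printed, . = digit omitted), computes how many of the 16 card-number positions are revealed by holding one receipt from each of two retailers, and lists the pairs that between them expose every digit. The retailer masks are copied from the table below; the function names are my own. It also shows that if every retailer printed only the last four digits, no combination of receipts would ever reveal more than four.

```python
"""Audit of receipt masking policies.

Added example, not part of the original page and not the author's XSLT.
Masks use the page's notation: 'x' = digit printed, '.' = digit omitted,
one character per position of a 16-digit card number (PAN).
"""
from itertools import combinations

PAN_LENGTH = 16

# Constructed sample: masking policies copied from the page's table.
SAMPLE_MASKS = {
    "Argos": "............xxxx",
    "Asda": "............xxxx",
    "Boots": "xxxxxxxx....xxxx",
    "Bwise": "xxxxxxxxxxxx....",
    "Early Learning": "xxxx.......xxxxx",
    "Ethel Austin": "........xxxxxxxx",
    "Iceland": "xxxxxx.......xxx",
    "Robert Dyas": ".........xxxxxxx",
}


def revealed_positions(mask: str) -> frozenset:
    """Return the 0-based PAN positions that a mask prints."""
    if len(mask) != PAN_LENGTH or set(mask) - {"x", "."}:
        raise ValueError(f"bad mask: {mask!r}")
    return frozenset(i for i, ch in enumerate(mask) if ch == "x")


def combined_exposure(masks: dict) -> dict:
    """For each pair of retailers, the number of PAN positions revealed by
    holding one receipt from each (the union of the two masks)."""
    exposure = {}
    for a, b in combinations(sorted(masks), 2):
        union = revealed_positions(masks[a]) | revealed_positions(masks[b])
        exposure[(a, b)] = len(union)
    return exposure


def full_exposure_pairs(masks: dict) -> list:
    """Retailer pairs whose two receipts together reveal every digit."""
    return sorted(pair for pair, n in combined_exposure(masks).items()
                  if n == PAN_LENGTH)


def worst_case_exposure(masks: dict) -> int:
    """Largest number of PAN positions any pair of receipts reveals."""
    return max(combined_exposure(masks).values())


def last_four_mask() -> str:
    """The policy the page argues for: print only the last four digits."""
    return "." * (PAN_LENGTH - 4) + "x" * 4


if __name__ == "__main__":
    for pair in full_exposure_pairs(SAMPLE_MASKS):
        print("full card number from receipts of:", pair)
    # Under a uniform last-four policy no pair of receipts adds anything.
    uniform = {name: last_four_mask() for name in SAMPLE_MASKS}
    print("worst case under last-four policy:", worst_case_exposure(uniform))
```

Run as a script it prints the seven pairs from this sample that reveal the full number (Bwise combined with almost anything, and Boots with Ethel Austin) and then a worst case of 4 under the uniform last-four policy. The point of the uniform check is that truncation is only safe if every retailer truncates the same positions; inconsistent truncation is what turns two individually harmless receipts into a full card number.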

Who are the offenders?

One quiet evening I went through all the receipts in our receipt tin before the tedious monthly shredding ritual and had a look at what they recorded. Here are the results, which show a huge variation in information presented.

Click on the blue column headings to re-sort the data. High scores are bad. Green is good. Yellow, orange and red are increasing levels of badness. Note, this is not a comprehensive survey: it just reflects what happened to be among my own credit card receipts.

In the Digits column, x marks a digit of the card number that is printed on the receipt and . a digit that is omitted. An x in the From, Expiry, Name and Sig columns means that item appears on the receipt.

Retailer              Comment      Digits            From  Expiry  Name  Sig  Score
Adams                              xxxxxxxxxxxxxxxx        x                  21
Argos                              ............xxxx                           4
Asda                               ............xxxx        x                  9
B&Q                                ............xxxx        x                  9
BHS                                ............xxxx        x                  9
BP                                 xxxxxxxx....xxxx        x                  17
Ben's                 Restaurant   xxxxxxxxxxxxxxxx  x     x             x    25
Berks Cycle           Local shop   xxxxxxxxxxxxxxxx        x             x    24
Boots                              xxxxxxxx....xxxx                           12
Budgens                            ............xxxx        x                  9
Bwise                              xxxxxxxxxxxx....        x                  17
Clarks                             ............xxxx        x                  9
Co-op                              xxxxxxx.....xxxx        x                  16
Debenhams                          xxxxxxxx....xxxx        x                  17
Early Learning                     xxxx.......xxxxx        x                  14
Ethel Austin                       ........xxxxxxxx        x                  13
Fabric Warehouse      Local shop   xxxxxxxxxxxxxxxx        x       x     x    34
Focus                              xxxx........xxxx        x                  13
Fourways              Local shop   xxxxxxxxxxxxxxxx  x     x             x    25
Halfords                           ............xxxx  x     x                  10
Hicks Holdings        Garage       ............xxxx  x     x                  10
Homebase                           xxxx........xxxx                           8
Iceland                            xxxxxx.......xxx        x                  14
John Lewis                         xxxxxx......xxxx        x                  15
Lloyds Pharmacy                    xxxxxxxxxxxxxxxx        x                  21
Marks&Spencer                      ............xxxx        x                  9
Matalan                            xxxxxxxxxxxxxxxx        x                  21
Match Point Fabrics   Local shop   xxxxxxxxxxxxxxxx        x                  21
Mothercare                         xxxxxxxxxxxxxxxx        x             x    24
National Trust                     xxxxxxxxxxxxxxxx        x             x    24
Network Rail                       xxxxxxxxxxxxxxxx                      x    19
Phones4u                           xxxxxxxxxxxxxxxx        x       x     x    34
Primark                            xxxxxxxxxxxxxxxx        x                  21
Robert Dyas                        .........xxxxxxx        x                  12
Rotechniks            Garage       xxxxxxxxxxxxxxxx        x             x    24
Safeway                            xxxxxxxx....xxxx        x                  17
Savers                Local shop   xxxxxxxxxxxxxxxx  x     x             x    25
Star Service Station               xxxxxxxxxxxxxxxx        x                  21
Superdrug                          xxxxxxxxxxxxxxxx        x             x    24
Tesco                              xxxxxxxx....xxxx        x                  17
The Natural World                  ............xxxx  x     x                  10
The Pier                           xxxxxxxx....xxxx        x                  17
Toys R Us                          ............xxxx        x                  9
WHSmith                            ............xxxx        x                  9
Waitrose                           xxxxxx......xxxx        x             x    18
Warner Village                     xxxxxx......xxxx  x     x                  16
Waterstones                        ............xxxx        x                  9
Wickes                             ............xxxx                           4
Woolworths                         ............xxxx        x                  9
Zizzi                 Restaurant   xxxxxxxxxxxxxxxx        x                  21

The scoring system

Higher scores are worse. Scores are awarded for each item displayed according to how sensitive I consider the information to be. Thus,

Therefore the maximum "worst" score is 35 points. Alarmingly there are two retailers in the table who achieve almost maximum information leakage at 34 points each.

Local retailers are among the worst offenders, perhaps because they tend to use the kind of card reader that produces the receipt as a "carbon copy", so the retailer's copy is identical to the customer's copy. Larger retailers generally print out a separate receipt for the customer with less detail on it.

The effective minimum score is four points, since four digits is probably a reasonable minimum number for identifying which card was used to make the transaction. A mere two retailers achieve this happy result.
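The page does not reproduce the list of per-item weights, but they can be recovered from the table together with the stated maximum of 35: one point for each printed digit, one for the From column (which I take to be the card's valid-from date), five for the expiry date, ten for the cardholder's name and three for the signature. The following Python is an added example, not the author's XSLT; it reproduces the scores of several rows under that assumption and ranks receipts worst first, as the sortable table does. The weights, the `Receipt` type and the function names are mine.

```python
"""Reproduce the page's receipt score.

Added example, not the author's XSLT.  The per-item weights are an
ASSUMPTION inferred from the table and the stated maximum of 35:
1 per printed digit, 1 for the From column (taken to be the valid-from
date), 5 for the expiry date, 10 for the cardholder name, 3 for the
signature.  16 + 1 + 5 + 10 + 3 = 35.
"""
from dataclasses import dataclass

PAN_LENGTH = 16
WEIGHTS = {"digit": 1, "valid_from": 1, "expiry": 5, "name": 10, "signature": 3}


@dataclass(frozen=True)
class Receipt:
    retailer: str
    mask: str              # 'x' = digit printed, '.' = digit omitted
    valid_from: bool = False
    expiry: bool = False
    name: bool = False
    signature: bool = False


def digits_printed(mask: str) -> int:
    """Number of card-number digits the receipt prints."""
    if len(mask) != PAN_LENGTH or set(mask) - {"x", "."}:
        raise ValueError(f"bad mask: {mask!r}")
    return mask.count("x")


def score(receipt: Receipt) -> int:
    """Higher is worse: points for every sensitive item on the receipt."""
    total = WEIGHTS["digit"] * digits_printed(receipt.mask)
    for item in ("valid_from", "expiry", "name", "signature"):
        if getattr(receipt, item):
            total += WEIGHTS[item]
    return total


def max_score() -> int:
    """Everything printed: the 'worst' score the page mentions."""
    extras = sum(w for item, w in WEIGHTS.items() if item != "digit")
    return WEIGHTS["digit"] * PAN_LENGTH + extras


def min_useful_score() -> int:
    """Four digits identify the card; nothing else is printed."""
    return WEIGHTS["digit"] * 4


# Constructed sample: rows copied from the page's table.
SAMPLE = [
    Receipt("Argos", "............xxxx"),
    Receipt("Asda", "............xxxx", expiry=True),
    Receipt("Halfords", "............xxxx", valid_from=True, expiry=True),
    Receipt("Network Rail", "xxxxxxxxxxxxxxxx", signature=True),
    Receipt("Ben's", "xxxxxxxxxxxxxxxx", valid_from=True, expiry=True,
            signature=True),
    Receipt("Phones4u", "xxxxxxxxxxxxxxxx", expiry=True, name=True,
            signature=True),
]


def ranked(receipts) -> list:
    """(score, retailer) pairs, worst offender first."""
    return sorted(((score(r), r.retailer) for r in receipts), reverse=True)


if __name__ == "__main__":
    print("maximum possible score:", max_score())
    for points, retailer in ranked(SAMPLE):
        print(f"{points:3d}  {retailer}")
```

With these weights the sample reproduces the table exactly (Argos 4, Asda 9, Halfords 10, Network Rail 19, Ben's 25, Phones4u 34), and the maximum comes out at 35 as the text states. The choice of ten points for the name is what makes a receipt bearing the cardholder's name score so far above one bearing only the full number: the name is the one item a criminal cannot simply read off a second receipt.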

Conclusion

It is clear that if we care about our credit card information we need to destroy our receipts thoroughly.

However, it is unfair for APACS to put the onus on us to destroy our credit card receipts when simple sanitising by retailers would completely eliminate the problem of criminals obtaining our details. The table shows that very few retailers indeed are as careful as they ought to be with our sensitive data. Use this material to persuade them otherwise.


Comment from an APACS spokesperson

The response to this information when I contacted APACS is that the much anticipated chip-and-PIN cards will solve the problem:

The good news with regard to your suggestion about retailers' till receipts lies with the introduction of chip and PIN in the UK. Under this new system, the vast majority of face-to-face plastic card transactions will be verified by the cardholder keying in a four-digit PIN rather than signing their name. The guidelines for the receipts that these transactions generate stipulate that the card number should be truncated or asterisked out - there will also be no name or signature on the receipt because the personal identification number is being used rather than a signature. Retailers up-and-down the country are now beginning the rollout of chip and PIN terminals in the UK, but there are 850,000 to upgrade or replace so this will not happen overnight. By the start of 2005, however, the majority of card transactions in shops will be chip and PIN and retailers replicating complete card numbers should be a thing of the past.

My reply to this is that there is already no need for retailers to include any of this information on receipts, and indeed the best retailers do not include it. So, why don't the current guidelines specify the omission of sensitive data? And if they do, why don't retailers implement them? And on what grounds do they expect retailers to follow guidelines in future?

This could have been sorted out much quicker than waiting for chip-and-PIN to finally appear.


History:

Feel free to contact me with comments, errata, or suggestions.