Official advice from the Association for Payment Clearing Services (APACS - PDF press release) is that we should shred or burn all our credit card receipts to avoid sensitive information falling into the hands of fraudsters. The research presented on this page underlines just how important this is.
However, I also argue that it is disingenuous of APACS to put the burden of responsibility for protecting credit card data onto the hapless consumer whilst retailers are quite unnecessarily printing all this information on receipts in the first place. The table below reveals a wide range of practise among retailers, from the admirably careful to the downright irresponsible.
Retailers should be giving us four digits on credit card receipts. This name-and-shame page is my small contribution to bringing this about.
Please note that I have never yet been the victim of credit card fraud, nor have I any axe to grind. My initial motivation for creating this page was actually because it presented some interesting computer programming challenges. (The XSLT script that generates the table has some nice features.) Any useful information presented here is merely a side-effect 8^)
The news that credit card fraud as a result of "card not present" (CNP) transactions has now reached the amount of £110 million per year in the UK (BBC report) finally prompted me to put up this page.
CNP fraud is perpetrated by criminals who have got hold of our credit card details, generally by bin-diving to find our old receipts. Why do credit card receipts reveal so much information useful to criminals?
It seems to me that the only real reason to put any credit card details on a receipt is so that it is possible to identify the card with which the transaction was made—I have several cards, and I need to know which one I used when I come to do my accounts. About four digits of the credit card number suffice for this. That's it. There's absolutely no need to put the whole number, the expiry date, or the name of the cardholder on the receipts. If retailers printed only four digits of the card number on the receipt this kind of risk would disappear overnight, and our shredding machines could have a rest.
Advice from the Association for Payment Clearing Services (APACS - PDF press release) is that we should shred or burn all our credit card receipts. This is important advice, notwithstanding the fact that most receipts have something like "please retain for your records" printed on them.
However, this advice is also disingenuous. It attempts to place the burden of responsibility for our card information falling into the wrong hands on us, the hapless consumers, careless with our receipts, whereas the main responsibility should lie with APACS's members who quite unnecessarily sanction the printing of all this information on credit card receipts in the first place.
Another problem with shredding receipts is that, increasingly, credit card receipts are being combined with till receipts—which we might want to keep for returns or proof of purchase—making it more difficult to shred them routinely, and more likely that they fall into nefarious hands.
How much information should appear on a credit card receipt?
Many retailers are blatant offenders, including all the digits of the card number, as well as the expiry date. If I can also find out your name, say from discarded letters also in your bin, then fortune beckons. A few retailers save me even that bother by helpfully printing your name on the receipt itself. Others preserve your signature, which might be an illegible squiggle, but could give clues to your name as well.
Furthermore, there is no consistency over which digits are included, so even if two different retailers omit several of the digits of the CC number, obtaining a receipt from each of them will reveal the whole number. The numbers on one fill in the blanks on the other. According to the table neither Ethel Austin nor Boots are particularly bad offenders, but give me receipts from both and I have your full CC number, and the expiry date.
Perversely, Bwise receipts show the first 12 digits of the card number while a receipt from almost any other retailer will show the last four didgits. So a Bwise receipt plus any other receipt will reveal the whole number, and the expiry date.
One quiet evening I went through all the receipts in our receipt tin before the tedious monthly shredding ritual and had a look at what they recorded. Here are the results, which show a huge variation in information presented.
Click on the blue column headings to re-sort the data. High scores are bad. Green is good. Yellow, orange and red are increasing levels of badness. Note, this is not a comprehensive survey: it just reflects what happened to be among my own credit card receipts.