We are a merchant that must comply with PCI DSS. Does printing the full credit card number on the merchant's copy...
of the receipt violate PCI DSS credit card requirements?
Yes, the merchant's copy of the receipt may absolutely have the full credit card number on it. That being said: Is there a particular reason your company wants the full credit card number on paper? Doing so is not useful for recurring transactions, and it's not generally useful for returns either.
Having the full number on the receipt does mean there are significantly more precautions mandated for those receipts. They must be stored securely and destroyed securely when the time comes, both of which will cost time, money and effort. Plus, printing the full number gives customers the impression that protecting their information is not a priority. Hence, on many levels, it's not a good idea.
If this is something your company does today, consider implementing changes so that past and future receipts don't increase your risk exposure. If this is a change that business leaders have asked for, then try to dig into exactly why that change is needed and attempt to find another, less risky way to meet that need.
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.