The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.


Friday, August 27, 2004

Article: Credit-card processors gear up for new privacy law 

I find it amazing that when I closely examine the detritus of daily life (by emptying my pockets at the end of the day), I discover that so many merchants still print all the digits of the card number on credit and debit card receipts. Why? Why? Why? There is simply no need to have that info there and it threatens the privacy of the cardholders.

The problem is usually compounded by a pretty cavalier attitude toward these flimsy pieces of paper. How many times have I picked up someone's receipt from the check-out at the grocery store, only to find a full credit card number, complete with expiry date? Or a full debit card number? When I mention it to the clerk, they just chuck it in the garbage. If you want to commit fraud, I can tell you the dumpsters to dive in.

PIPEDA, thanks to its broad statement that you must secure personal information against accidental disclosure, etc., probably requires obscuring at least part of the number. But not enough retailers have read it. At least the US is taking this seriously. The Fair and Accurate Credit Transactions Act requires card "truncation" by January 1 and some state laws have mandated it for some time:

Credit-card processors gear up for new privacy law:

"By Marion Davis, Staff Writer

A federal law requires merchants to truncate personal information on credit card receipts by Jan. 1. Does your business take credit cards? If so, when the slip prints out, how much of the customer's card number is included? If it's more than the last five digits, and/or if the expiration date shows, you need to upgrade your terminal by Jan. 1.

A federal law passed last December, the Fair and Accurate Credit Transactions Act, requires credit-card "truncation" by that date, and a new state law makes merchants liable, starting in 2007, for any resulting fraud, plus legal fees, if they don't comply.

Some states, starting with California, have been gradually implementing truncation mandates for new terminals since 2001, but it was only last January that the first laws affecting existing machines kicked in. Some are tougher than Rhode Island's: In Maine, anyone who didn't switch by last Jan. 1 is already subject to a $1,000 penalty; in Arizona, as of June 1, merchants who don't truncate can be fined $10,000."

I gather that Visa/Mastercard have made this mandatory for their Canadian retailers by 2005.

8/27/2004 04:20:00 PM  :: (2 comments)
Comments:
Last week I used my Mastercard to pay for some take-out food (Swiss Chalet) and only later realized my credit card number along with the expiry date was printed on the receipt. I complained through their toll-free number and was told they plan to convert the machines very soon - around January - to the new truncated format. They noted down the store location and said they would remind them of the need to update their cash registers. If it happens again, I may complain to the Privacy Commissioner.
 
I noticed the same last week when I ordered take-out from the same chain. It's amazing that a large chain is still doing that almost two years after PIPEDA came into force.
 
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.