0

I work with a software development company, and we have a client that is asking us to change the coding in our software that allows for the signer's name to print on the customer's receipt. They are citing that it is a PCI compliance issue; however, I cannot find any example or regulation that states a card holder's name has to be shown for a signed retail transaction. Could you please advise or point me to any PCI documentation for that requirement?

Dave
  • To clarify: presumably the customer signs on an electronic pad, and the client wants a copy of that signature to be printed on the customer's receipt? Or a receipt retained by the merchant/client? – gowenfawr Aug 14 '17 at 17:42
  • Thank you for your response. Yes, the customer signs on the signature pad and the signature is captured to the receipt. The question really is: does PCI require the cardholder's name to be printed underneath the signature line? I cannot find anything in PCI security standards that states a printed receipt must have the cardholder's name. – Dave Aug 14 '17 at 20:13

1 Answer

1

When people say PCI, they usually mean the PCI DSS ("Data Security Standard"). That doesn't address your question, however; it has much more to do with backend systems and online processes. On the question of receipts, all the DSS says is "Mask PAN data before printing on a receipt" and "Protect receipts in storage."

The card brands and the banks have more extensive requirements, and that's probably what you're looking for - for example, the Visa Rules. Looking at the current revision, cardholder name is only required in a specific instance:

Table 5-31 from Visa Rules April 2017 Revision

I could be wrong - it's not spelled out - but I believe "manually imprinted" refers to old-fashioned receipts formed by sticking the card and a carbon paper duplicate form into a small tray and CHUNK-CHUNK imprinting the card number onto the paper by slamming a sliding weight back and forth. So I don't think that requirement applies to you. And it expired in April 2017 anyway.

Simplest solution is to tell the client that you need a reference to the documented requirement before you can implement it correctly. If they provide a reference, and it applies, then you should implement it. If they can't, then you can't implement it according to (nonexistent) specification, and shouldn't try, and you can just tell them that.

gowenfawr
  • I like the eloquent CHUNK-CHUNK :). – dan Aug 14 '17 at 21:18
  • Thank you, gowenfawr... I really appreciate you taking the time to answer my question so thoroughly. I also like the CHUNK-CHUNK reference. – Dave Aug 17 '17 at 17:17