Unintended Consequences: More Secure Credit Card Receipts Weaken Privacy

For the past several years, merchants have “masked” most of the numbers in a credit card account on receipts. You’ll see something like “VISA XXXXXXXXXXXX6723″. The idea is that this hides almost all of your credit card number — enough to thwart thieves — but (probably) allows you to figure out which of your many credit cards you used.

I shred my credit card receipts, but I toyed with the idea of stopping because everyone masks the credit card number these days. As I thought about it, I realized that thieves can make a pretty good guess at the first 12 digits, because most of those digits identify your bank, and there are only so many of those. In other words, the receipt still solves the hardest part of a thief’s job. Better to shred it.

This problem could be solved, though. Most people only have one card (or at least, one card of each type) from a particular institution, so you could get the benefit of knowing which card you used AND masking most of your number if merchants would mask the end of the credit number, rather than the beginning.

Which is exactly what they are starting to do. Unfortunately, some of them still mask the beginning. So you could end up with two receipts like this in your trash can:

VISA 2345 6789 1xxx xxxx
VISA XXXX XXXX XXXX 6723

Which narrows the uncertainty to 1,000 numbers. Who knows, maybe somebody will have the bright idea to mask the beginning and the end, leaving the middle numbers exposed.

The only way to standardize this — and make masking even halfway useful — is legislation. It would be helpful if those legislatures who mandated masking also specified how that masking should be done, preferably leaving only a few numbers at the beginning unmasked.

On the other hand, really good credit card thieves don’t dive into dumpsters for receipts. They steal millions of numbers from merchants’ computer systems.