Data breaches are making headlines and Canadians seem more
concerned than ever about identity theft and credit card fraud.
Businesses have a legal obligation to ensure that they develop and
implement comprehensive plans to protect the personal information
with which their customers entrust them, including credit card
information that can quickly be exploited, but which is
all-too-frequently freely available on credit card receipts. There
is no legal requirement to mask or truncate credit card numbers
from receipts and such plans can play an important role in
preventing identity theft and the costs and disruption associated
with data security breaches, as well as protecting a business'

The Recommendations Of The Privacy Commissioners In Canada

The Office of the Privacy Commissioner of Canada
("OPCC") describes credit card receipts
that contain a consumer's name, full credit card number and
card expiry date as "dangerous receipts" and makes the
following recommendations to businesses:

- use equipment that does not print the entire credit card number
  on a receipt;
- for small businesses that are not able to afford equipment that
  truncates or masks credit card numbers and are still manually
  taking imprints of credit cards, take all the steps necessary to
  protect credit card information including keeping credit card
  imprints in a secure location and limiting access to them to
  authorized personnel; and
- adopt the latest Payment Card Industry Data Security Standard
  ("PCI DSS") issued by the Payment Card
  Industry Security Standards Council, which is composed of the major
  credit card companies and which works with merchants and payment
  service providers to protect customer data (the PCI DSS can be
  found at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml).

Some Privacy Commissioners in Canada have also urged businesses
to use technology that partially obscures credit card numbers on
credit card receipts, which is consistent with the OPCC's
recommendation. Although the Commissioners recognize that what is
reasonable varies with the circumstances, they have not expressly
distinguished between large and small businesses and have not
specifically addressed the PCI DSS.

Practical Recommendations For Your Business: What You Can Do To
Better Protect Your Customer's Personal Information?

Canadian businesses should use electronic payment processing
equipment that truncates or masks credit card numbers and obscures
the expiry date and the customer's name. Both large and small
businesses must ensure that credit card data is always stored in a
secure location and that access to such information is restricted
to authorized personnel. Businesses should also ensure that they
and their advisors stay on top of industry developments and
technological advancements and make privacy considerations an
essential element of any technology purchase.