Mask PAN when displayed so only personnel with a business need can see the full PAN
This section will list all locations where PANs can be displayed. Please note that file locations and logs are already listed in PA-DSS Requirement 2.1 above, so these will not be repeated here. Instead, this section will focus on printed receipts, POS screens and reports where PANs could be displayed.
| Standard Guest Check | Transaction Record | Transaction Record |
|---|---|---|
When the customer has finished ordering food items, a guest check is printed. The guest check does not bear any payment information. It lists all the items purchased, applicable taxes, discounts, gratuity and service charge.
If the customer decided to pay using a payment card, the employee operating the POS will swipe the card at the POS, and a pre-authorization request will be sent to the card processor. If approved, the transaction record will be printed. There will be one copy for the customer and one copy for the merchant, which the customer has to sign. Both copies will bear the masked PAN and expiration date of the credit card being used.
In most tableside service establishments, the customer will enter a tip amount followed by a total amount before signing the merchant copy. In this scenario, the employee will need to finalize the transaction with the tip amount.
After finalization of the transaction and if requested by the customer, a transaction receipt can be printed. Transaction records can also be reprinted at will, in case the originals are lost or damaged, or simply requested by the customer. The receipt bears the masked PAN, while reprinted transaction records bear the masked PAN and expiration date.
| Receipt | Transaction Record | Transaction Record |
|---|---|---|
Contrary to table side service, Guest Checks printed in Fast Food mode will be printed only after the payment has cleared. Therefore, the guest check will carry payment information, including the masked PAN in case of credit card payments.
Like their table side service counterparts, transaction records produced in fast food mode will bear the masked PAN and expiration date. The main difference is that there is no tip and total lines, as the customer is not expected to leave tips.
After the transaction is completed and if requested by the customer, a transaction receipt can be printed. Transaction records can also be reprinted at will, in case the originals are lost or damaged, or simply requested by the customer. The receipt bears the masked PAN, while reprinted transaction records bear the masked PAN and expiration date. Note that reprinted transaction records are identical to the originals.
In the event that a card gets declined, transaction records will be printed. Both the merchant and customer copies will bear the masked PAN and expiration date.
When finalizing a payment with tips, the masked PAN is displayed on screen. The full PAN can never be displayed
When recalling an earlier transaction in order to reprint receipts or transaction records, the masked PAN is displayed on screen. The full PAN can never be displayed.
The Maitre’D Back-Office suite comes with over 300 different reports that cover all aspects of restaurant operations. Out of these, only a handful will display masked PANs and expiration dates. As for full PANs and expiration dates, there is only one report that shows them, and this report is only available to System Owner or Distributor access levels
Here is the list of reports that displays masked PANs and expiration dates:
Medias
Medias by Employee
Medias by media
Medias by Revenue Center
Medias Summary (Folios)
Duplicate Credit Cards Report
| Standard Guest Check | Transaction Record | Transaction Record |
|---|---|---|
Customer Copy
Merchant Copy
(printed after finalization)
Customer Copy
Merchant Copy
(Reprinted)
(Reprinted)
(Fast Food)
Customer Copy
Merchant Copy
Customer Copy
Customer Copy
(Reprinted)
(Reprinted)
As soon as Maitre’D is installed and configured for use with integrated card payments, PANs and expiration dates are masked. Essentially, as soon as a payment type is marked as “Electronic Funds Transfer”, the PAN and expiration dates are masked, and it is not possible to configure the system otherwise.
Since Maitre’D version 7.08.000.000, all access to full PANs and expiration dates are blocked. While this data is held in encrypted form in File144.dat and File215.dat for the duration of the fiscal day, this information cannot be viewed through reports or otherwise displayed on screen for the user to see. In earlier versions of Maitre’D, a report called Media by Media (Plain Folios) used to allow certain types of users to see full PANs and expiration dates. This report has been removed, and the files used by that report no longer hold full PANs or expirations dates.
No special configuration is required. There is actually no way to configure Maitre’D to cause it to display full PANs or expiration dates. As explained previously, PANs and expiration dates are saved in encrypted form in File144.dat and File215.dat for the current fiscal day only. No tools are provided to display this information to the users. The only business reason that warrants saving this information is to be able to finalize pre-authorizations or void transactions without having the actual credit card in hand. There is absolutely no valid business reason to keep cardholder data any longer.
