Imprinted receipts: A security hole we must close now
By Biff Matthews
Imprinting and thereby exposing cardholder information on receipts is the Russian roulette of the credit industry. It's risky, foolish and potentially devastating, if not immediately, then probably later.
For cardholders, the maximum immediate monetary damage is $50. While problems resulting from identity (ID) fraud, credit holds and card re-issuance can be serious, consumers generally don't become concerned about something as seemingly innocent as a receipt, until it does serious damage. Thus, there's no outcry from the cardholder sector.
For the businesses involved, problems caused by imprinted receipts are simply costs that are spread around - akin to shoplifting, phishing and other fraud.
Banks mitigate losses by refusing to honor transactions made using stolen card information, but they can't avoid the costs of investigation processing and documentation, tie-ups in cardholder credit, card re-issuance and so forth.
As usual, the heaviest burden falls on merchants. A fraudulent transaction caused by an imprinted receipt sets in motion an investigation in which a merchant has to spend time with the issuer and the bank, loses the merchandise and forfeits the sale. All with virtually no recourse. The extent of damage is unknown because there are no definitive national numbers on how many merchants continue to use imprinted drafts as primary receipts. However, informal surveys indicate the problem is substantial, and growing.
Others have suggested, and I agree, that the stealing of cardholder account names and expiration dates alone doesn't enable ID theft. It's just one tool among several that contribute to the crime.
Criminals (fortunately) are lazy, relying more on brute force than brains. Stronger network protection and enhanced merchant site security have put formidable obstacles in their paths. The response of the tech-savvy criminal sector has been to use multiple computers to attack a site and expose its data, a technique which had some success until electronic countermeasures (better obstacles) were devised.
Now, defeating security systems is more difficult, and takes longer, if it can be accomplished at all. So, criminals have a choice: They can invest a lot of time with possibly no payoff or return to the time-honored tradition of dumpster diving. Human nature, at this level, says go for the easier target. And that's what's occurring.
This begs three questions: How many merchants are still advertising cardholder data via imprinted sales drafts? How much fraud can we eliminate by using drafts that omit this data? And, since the latter costs nothing and requires no operational changes, why doesn't the financial industry, if not the regulatory agencies, mandate it?
Protecting cardholder information is in everyone's best interest. Financial factors aside, merchants want to be perceived as responsible parties who take security and privacy seriously. From a selling standpoint, banks or ISOs also want to be viewed as providers of products and services that protect merchants and their customers, not as contributors to a problem, or sources of personal risk.
Knowledgeable consumers pay attention to receipts, as do their employers, which often use receipts as documentation for business expense reimbursements. Neither employee nor employer wants cardholder information put at risk. The issue is awareness: Truncated sales drafts that do not reveal cardholder information, and cost the same as conventional sales drafts, are available.
Do we need a law to close this gaping security hole? Current applicable state and federal laws exclude imprinted sales drafts because there was no viable alternative when the laws were enacted. And ID theft, then in its infancy, wasn't regarded as a major issue.
We've implemented many costly, high-tech procedures to assure greater security. Now the big hole, big enough to drive a (stolen) truck through, is the non-truncated receipt.
All of the easy steps to improve security (and many of the hard ones) were implemented long ago. Small but critical steps are what can make a real difference now. And this step, unlike all those that preceded it, involves no additional expense, no new training, and no downside.
Biff Matthews is founder and President of Thirteen Inc, the parent company of Cardware International. He is one of the 12 founding members of the Electronic Transactions Association and has served on its board and various committees.