Acting Victorian Privacy Commissioner, Doctor Anthony Bendall, is investigating an error with receipts from Myki public transport ticketing machines in Melbourne where receipts show the customer’s name and credit card details.
A Privacy Victoria spokesperson told Computerworld Australia that the Commissioner has asked the Transport Ticketing Authority (TTA) for a briefing on the matter and has requested a response by 22 August.
Victorian Public Transport Users Association (PTUA) president, Daniel Bowen, said the Myki ticketing problem dates back to 2010 when the system was introduced to Melbourne.
“These receipts affect all customers who use Myki vending machines on stations, major tram stops and bus interchanges to top-up their cards, and paying via Eftpos using a debit or credit card,” he said.
The ticket vending machine will ask if a receipt is wanted, and will print a receipt even if the customer presses the decline button, according to Bowen.
The PTUA has posted a photo of some receipts which show that nine out of the 16 digits of the customer’s debit or credit card number are visible, along with the expiry date and full name.
He added that thousands of the receipts are left behind every day at Myki vending machines across Melbourne’s rail network, and at major tram stops and bus interchanges.
“We have raised the issue with the TTA numerous times since 2010, but there has been no progress in fixing it. Only this week have they publicly said they will look at it,” he said.
While Bowen said that some members of the PTUA would like to see the Myki system scrapped and replaced, it was too late as most of the equipment had been installed.
“What the [Victorian] government and the TTA must ensure is that the system works as smoothly and efficiently as possible, and that illogical functionality like this receipts issue is fixed,” he said.
“In the meantime, passengers should be wary and check the collection tray at vending machines before leaving.”
In addition, Bowen pointed out that the receipts do not comply with MasterCard Australia’s receipt guidelines, which state:
“The cardholder and merchant receipts generated by all electronic point of sale (POS) terminals, whether attended or unattended, and all printed automatic teller machine (ATM) receipts must omit the card expiration date. In addition, the cardholder receipt generated by all electronic POS Terminals, whether attended or unattended, and all printed ATM receipts must reflect only the last four digits of the personal access number,” read the guidelines.
Customers whose credit card details may have been compromised can make a complaint under the Victorian Information Privacy Act 2000, which includes the provision that action can be taken against an organisation which has mishandled customers' personal information by breaching one or more of the 10 Information Privacy Principles in the Act.
Follow Hamish Barwick on Twitter: @HamishBarwick