nCircle Sync Blog

How does a consumer report PCI non-compliance?

This past Saturday my son and I were having a "boys day". My wife was out having
fun all day and the boys were left to be boys. Dinnertime rolled around and we were
having too much fun playing LEGO Indiana Jones to even consider making food. So I
treated him to a stereotypical boys dinner - video games and pizza. This was when
the fun turned into fear.

Moments after ordering pizza online from our favorite local pizzeria, the phone
rang.

Caller: "This is Joe from the local pizza place, calling to confirm your order".
The order and delivery location was confirmed.

Caller: "And how do you want to pay for this?"

Me: "Um, well I just entered all my credit card info into your website like I usually
do".

Caller: "oh". A moment of pause. "Oh I see your credit card info now in the email."

Me, with a definite tone of anger: "My credit card was sent to you in email?!"

Caller: "um, I'll get that pizza delivered ASAP."
Click


The pizza delivery guy arrived. As it turns out it was the owner delivering the pizza.
He explained to me that he had recently bought the local franchise and had no idea
that the online orders were emailed to him along with all the customer information.
As an attempt at a good-hearted gesture, he gave me some free breadsticks along
with the printed email containing my entire credit card and address information.


I was now bent out of shape. Five minutes of Google searches turned up no methods
for a consumer to report this obvious PCI non-compliance. Asking friends on
Twitter and Facebook ended up with equally non-specific information. Some friends
offered up email addresses of people at Visa, others stated quite assuredly that a
consumer has no means to turn in violators. Realize of course that nCircle (my
employer) is a certified PCI scan vendor and my online friends are all very much
entrenched in information security. That is to say that you would think someone
like me could ask around and quickly find a way to report this merchant to the PCI
council for review.

The next step was to call my bank and issue a fraud alert. The bank customer
support person took my information, listened well and followed her procedural
steps exactly as instructed. All my information was confirmed, past orders were confirmed
and a new card was issued. I requested directions on how to report this merchant
for obvious non-compliance. Furthermore, I felt the merchant was in violation of a
number of laws by printing out my entire credit card number. The bank customer
support person offered the number of the Better Business Bureau.


Think about this. The PCI standards council has worked hard to ensure compliance
of all their merchants. An entire industry has sprung up around the PCI Data
Security Standards. Yet, the standard provides no means for consumers to flag
merchants for non-compliance. Even the issuing bank seems to have no means to do
so.

Aside from naming names here in my public soap box, how are consumers supposed
to help do their part to ensure security and privacy of the credit card industry?




Comments (7)

Andre Gironda:

Oh. Don't worry about that!

The PCI SSC is busy, right now, trying to think of ways about how to monetize that. Let them handle it. Or they'll find a way to make your life more difficult.

With all of this credit card reform in the news, it's even better to think of questions like "when will consumers not get the short end of the stick?" or "what is going to happen to swipe fee reform?".

Wow ... I remember the same thing happened to me when I was traveling and staying at a motel in Philly... I was shocked to see the order email attached to my pizza box with all the details, and the form which I filled in was also not secured with HTTPS, but I had no choice at all at that time... If you find something, do let us know.

thanks.

Risk and liability is assigned on the acquiring side. Every merchant has a payment processor and sponsoring bank (referred to as the acquiring bank). Card brands pass liability to the bank. The bank passes liability to the merchant. For SMB, PCI enforcement itself is also passed by card brands to the acquiring side.

You could email the appropriate card brand address with merchant information and request that they inform the acquiring bank. For example, if you have a Visa cards, email cisp@visa.com. I wouldn't go that hardball with a merchant though. Most merchants have security issues that are much more damaging than the email scenario. If you want to be friendly, let the merchant know of the risk they're incurring by receiving emails with plain text cardholder data. Contact the web designer or online ordering company being used and let them know too. Chances are that they're capable of switching to fax. The merchant can then shred the fax after completing the order.

I wouldn't worry about it as a consumer. Credit cards offer you "zero liability" protection. You're not liable for fraudulent transactions and get your money back quickly if that does happen. Credit cards also provide additional protection in that disputed purchases can be charged back by calling your card issuing bank so you get your money back from the merchant.

Opie:

In my former life working at an issuing bank, I agree partially with Lucas. However, if your credit card is actually a Visa or MasterCard backed debit card, your zero liability protection is a little less so. It becomes closer to minimal liability protection. You don't get your money back as quickly, etc.

ZGedquess:

I've been searching to the answer to this question myself. It is pretty amazing that it is, at this point, an impossible task to notify anyone of non-compliance.

As a 3rd party witness to a stunning non-compliance issue I have been completely stymied as to how to report it after two days of relentless searching.

The vendor responsible for the non-compliance is completely unresponsive.

Tim Cole:

As a security professional I too have witnessed blatant violations of the PCI DSS standard involving very high dollar amount purchases put on credit cards, with information emailed and/or faxed, printed out and stored in unsecured file cabinets or unsecured on a local network. I have even provided a certain amount of information and links to the PCI DSS information and compliance, and they just don't care. The business in question is a >$10 million per year medical supply sales company. It is ridiculous that there is no reporting mechanism.

Carl:

Just ate at BK where they have their receipts out in a bucket next to the register and am disappointed to see that your post is the only relevant hit to my queries. I used to work for a PCI related firm, of course, or I wouldn't have even known how to articulate my concern. I imagine the BBB is equally indifferent.



About

This page contains a single entry from the blog posted on February 22, 2010 10:25 AM.



Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.

Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP), a member of Infragard and a graduate of the FBI Citizens' Academy. Andrew blogs at blog.ncircle.com/sync