Feb 23 2010
This one hits close to home, quite literally: Andrew Storms had some major issues this weekend with how a pizza place close to his house handled his credit card information. Andrew lives only a city or so away from me, and the pizzeria is one I might visit for lunch or dinner given the chance. Or rather, I might have before I read his story. Now I’ll probably avoid it and go somewhere I have a little more hope they’ll treat my credit card and other personal information with some caution.
The short version of Andrew’s story is that he ordered a pizza online, and when the owner/delivery guy showed up, he told Andrew he’d received the credit card number in an email sent from the chain’s central corporate website. There are so many forms of wrong here that it’s hard to know where to start. Sending full card numbers over email is a violation of PCI DSS, there’s a chance it’s a violation of several state and federal laws (depending on how the card data is handled from this point on), and it is simply bad practice in general. But the real problem came when Andrew tried to figure out how to report this and get the merchant to change how he’s doing business. As best as we can figure out, there is no way for a consumer to report a merchant to the card brands or to the merchant’s acquiring bank.
It’s a huge hole in the system. The pizzeria is a very small chain with a corporate website that’s probably run by a third party, and that site is emailing credit card numbers along with other important PII such as name and address. Unless the owner is using a shredder, which I doubt, all it would take is one episode of dumpster diving for a local data breach to happen. The pizzeria probably doesn’t get more than a couple dozen online orders a week, but even one breach is too many if it’s your credit card.
Consumers don’t have much power in the credit card system, but this is an egregious issue that should have some sort of reporting mechanism. Andrew canceled his card and tried to report the merchant, but there is literally no way that I, or anyone I know, can think of to report the merchant and force some sort of change to their system. Quite frankly, they’re a Level 4 merchant who might have heard of PCI but has no idea it actually applies to them. It’s not a problem of the merchant being malicious; it’s a problem of the merchant simply being ignorant of the issue and having bigger things to worry about, such as trying to get a new business off the ground. I don’t blame him, but I do want some form of reporting for situations like this, so that consumers can be protected and merchants can be warned to stop practices that are dangerous to their customers.