Feb 23 2010

Hole in the system

Published by at 5:38 am under Family,PCI,Simple Security

This one hit’s close to home quite literally; Andrew Storms had some major issues this weekend with how a pizza place close to his house handled his credit card information.  Andrew only lives a city or so away from me and the pizzeria is one that I might visit for lunch or dinner given the chance.  Or rather, I might have before I read his story.  Now I’ll probably avoid it, going some place where I have a little more hope they’ll treat my credit card and other personal information with a little more caution.

The short version of Andrew’s story is that he ordered a pizza online and when the owner/delivery guy showed up, he told Andrew he’d received the credit card number via email from the central corporate website in an email.  There are so many forms of wrong here that it’s hard to know where to start.  This is a violation of PCI, there’s a chance it’s a violation of several state and federal laws (depending on how card data is handled from this point on) and it is simply bad practice in general.  But the real problem came when Andrew tried to figure out how to report this and get the merchant to change how he’s doing business.  As best as we can figure out, there is no way for a consumer to report a merchant to the credit card companies or his acquiring bank. 

It’s a huge hole in the system.  The pizzeria is a very small chain, there’s a corporate web site that’s probably run by a third party and it’s mailing credit card numbers, along with other important PII like name and address.  Unless the owner is using a shredder, which I doubt, all it would take is one episode of dumpster diving for a local data breach to happen.  While the pizzeria probably doesn’t get more than a couple dozen online orders a week, even one breach is too many if it’s your credit card.

Consumers don’t have much power in the credit card system, but this is an egregious issue that should have some sort of reporting mechanism.  Andrew canceled his card and tried to report the merchant, but there’s literally no way I or anyone I know can think of to report the merchant and force some sort of change to their system.  Quite frankly they’re a Level 4 merchant who might have heard of PCI but has no idea it actually applies to them.  It’s not a problem of the merchant being malicious, it’s a problem of the merchant simply being ignorant of the problem and having bigger issues to worry about, such as trying to get a new business off the ground.  I don’t blame him, but I do want some form of reporting for situations like this so that consumers can be protected and merchants can be warned to stop practices that are dangerous to their customers.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

2 responses so far

2 Responses to “Hole in the system”

  1. Sharonon 27 Feb 2010 at 2:32 pm

    This is a huge problem that the world seems oblivious to and it is not only small companies who are offenders.

    How can we do something about this?

    I am tired of handing my credit card over and wondering when my information will be stolen due to the lack of concern shown by those receiving it. I recently received a new debit card from my bank with a letter stating that the information from my old one had been compromised by a merchant. Obviously concerned I called them to find out, which one so I would know not to use them again. Their answer “we can’t tell you due to privacy regulations” so as a consumer I can not take action and as a bank they are obviously not taking action either so who is?

  2. Donald Johnstonon 08 Mar 2010 at 11:42 am

    Have companies like this never heard of risk management? I think they likely have no idea about threats that exist out there nor about vulnerabilities in the tools, like email, that they use.

    The credit card companies should require their merchants to show a “certified” risk assessment of their card handling processes before they’re allowed to be a merchant!

%d bloggers like this: