
Thread: Credit card security/PCI Compliance FAIL

  1. #1  ld13 (Super Grandmaster, Helderberg (Cape Town))

    Credit card security/PCI Compliance FAIL

    I'm at the moment. But before I name&shame I need to get my ducks in a row.

    I booked myself a car from a car rental company. They wanted a deposit, I was more than happy with the quoted price (story for another day) and I gladly filled in my credit card details on their HTTPS+Thawte protected page. It was with horror that I realized moments thereafter that I got a booking/quote confirmation email from them with my full billing and credit card details and CVV - the whole shebang in clear text!

    As far as I understand it, you are only allowed to store CC details if you are PCI compliant? If you are not PCI compliant one would usually submit payment info directly to a 3rd party payment processor that is PCI compliant and they would then process the transaction or whatnot. So in short full CC data are always handled in a secure PCI compliant environment. Last time I checked email is not regarded as being secure so this rental company is not PCI compliant and is disregarding the safety of my info.

    Yes/No/Tips/Comments on how I go about reporting a company like this?
    ic's back, back again . . .

  2. #2  Senior Member (Johannesburg)

    If the merchant states that they are compliant, you need to report them to either MasterCard or Visa.

    They are allowed to print your PAN & Expiry date on receipts, but not the CVV.

    "PCI DSS requirement 3.3 states: 'Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).' While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws)."
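    The two rules discussed in this post (PAN may be shown only as first six plus last four; the CVV may never be printed or stored) are easy to turn into an outbound-mail check. The following is an added example, not code from the thread or from any card brand: a small scanner that finds Luhn-valid digit runs in a message, masks them to the requirement 3.3 maximum, and blanks any value that follows a CVV/CVC/CID label. The sample email is constructed for the demo and uses the well-known Visa test number 4111 1111 1111 1111; the "Booking ref" line is a 13-digit run that fails the Luhn check and is deliberately left alone to show why the check matters.

```python
"""Scan an outbound message for clear-text card data and mask it.

Added example, not from the original thread. PAN masking follows the
PCI DSS requirement 3.3 rule (at most first six and last four digits
shown); the CVV is never echoed at all. SAMPLE_EMAIL is constructed.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3-4 digit value following a CVV/CVC/CID style label.
CVV_RE = re.compile(
    r"(?i)\b(?:cvv2?|cvc2?|cid|security code)\s*[:=]?\s*(\d{3,4})\b"
)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters booking refs, phone numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS 3.3 maximum), star the rest."""
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_message(text: str):
    """Return (scrubbed_text, findings); findings lists the data types found, in order."""
    findings = []

    def pan_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append("PAN")
            return mask_pan(digits)
        return m.group(0)  # digit run that is not a card number: leave it as is

    def cvv_sub(m):
        findings.append("CVV")
        label = m.group(0)[: m.start(1) - m.start(0)]  # keep "CVV: ", drop the value
        return label + "***"

    text = PAN_RE.sub(pan_sub, text)
    text = CVV_RE.sub(cvv_sub, text)
    return text, findings


# Constructed sample resembling the confirmation email described in the thread.
SAMPLE_EMAIL = """\
Booking confirmation
Booking ref: 1234567890123
Name: Jane Doe
Card number: 4111 1111 1111 1111
Expiry: 09/14
CVV: 123
Deposit: R1500.00
"""

if __name__ == "__main__":
    clean, found = scrub_message(SAMPLE_EMAIL)
    print(clean)
    print("found:", found)
```

    Run on the sample, the card line becomes "Card number: 411111******1111" and the CVV line "CVV: ***", while the booking reference is untouched. A merchant that wants to keep sending confirmations by email would put this kind of filter in front of the mail gateway, but the real fix is the one ld13 describes: hand the card fields to the processor's hosted page so the booking system never sees them.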

  3. #3  ld13

    They printed (emailed) my full names, surname, ID number, billing address, full card number, expiry date and CVV number. While they do not state they are PCI compliant, I am pretty sure they are in violation of their merchant agreement.

    We got a merchant account with Absa and we would be in heaps of trouble if we were to pull a stunt like this.

  4. #4

    I did some PCI DSS pre-audits and I know that details like the CVV must never be revealed to any party but the buyer and the seller, or the seller's representative where a third party does the credit card processing.

  5. #5  eCliPSe

    LOL... ever used one of those "wireless / mobile" credit card thingies at a restaurant or petrol station? Check next time: after you enter your PIN it connects to an RFC1918 address on port 23... fruit for thought.

  6. #6

    Name and shame
    Itty bitty little cuddly bunnies... the other, other white meat

  7. #7  ld13

    Quote, originally posted by eCliPSe:
        Check next time: after you enter your PIN it connects to an RFC1918 address on port 23... fruit for thought.
    There is nothing wrong with the device connecting to a private IP. They probably throw it over a VPN over a GPRS connection. I do not see the problem here?

  8. #8

    I don't think the handheld units support IPsec or even SSL tunnelling, as they communicate with a base unit using the well-known port 23. I have started realizing the newer handheld units are more secure, as they create a dial-out connection themselves and don't use 802.abg to communicate with their base station. I have sat at a local business capturing the transaction information in the past with some measure of success. New units are also starting to use SSH. Credit cards aren't safe, but if you manage them well you mitigate your risk.
