Retailer refund compromised credit card security

By , CardRatings contributor

A British retailer's response to holiday delivery problems has raised questions about credit card security both in the U.K. and around the world. Luxury home goods merchant Fortnum & Mason has already apologized for computer glitches that kept many of its customers' online orders from arriving in time for Christmas. In statements to reporters, company officials assured the public that customers could request full refunds for unfulfilled orders by calling a toll-free hotline.

However, journalists have since uncovered numerous cases of Fortnum & Mason employees asking customers to e-mail their credit card details to a company inbox before confirming refunds. Despite the apparent good intentions of the company's customer service agents, such activity violates the PCI security standard that all merchants must comply with before accepting Visa, MasterCard, and American Express transactions. E-mailing credit card information could expose account numbers and other personally identifiable data to anyone with access to either the sender's or the recipient's mailbox.

Storing credit card numbers in corporate e-mail violates PCI standards.

In addition, company e-mail requested that customers reply with the CVV code, the three-digit sequence printed on the signature strip on most credit cards. (American Express prints a four-digit security code on the front of its cards.) This secret code acts like a PIN for many "card not present" transactions, mirroring the authentication code embedded in a credit card's magnetic stripe or EMV chip. Although merchants usually require one of these codes to process a return, the PCI DSS security standard prohibits merchants from storing any of those codes for future use.

Although credit card industry officials declined to comment on the specifics of the Fortnum & Mason situation, each payment platform's website warns consumers not to send credit card numbers via e-mail. Because legitimate-looking e-mail from both merchants and banks can be forged, banking security experts advise sharing credit card account information online using only a secured website. Modern Web browsers highlight a site's security by displaying a "lock" icon in the address bar, where the "https://" designation also assures Web surfers that their information has been encrypted.
