retailer-refund-compromised-credit-card-security

A British retailer's response to holiday delivery problems has raised questions about credit card security both in the U.K. and around the world. Luxury home goods merchant Fortnum & Mason has already apologized for computer glitches that kept many of its customers' online orders from arriving in time for Christmas. In statements to reporters, company officials assured the public that customers could request full refunds for unfulfilled orders by calling a toll-free hotline.

However, journalists have since uncovered numerous cases of Fortnum & Mason employees asking customers to e-mail their credit card details to a company inbox before a refund would be confirmed. Whatever the good intentions of the customer service agents, the practice breaches the Payment Card Industry Data Security Standard (PCI DSS), which the card brands require of every merchant that accepts Visa, MasterCard, or American Express; the standard expressly forbids sending unprotected primary account numbers over end-user messaging technologies such as e-mail. A card number sent this way is exposed not only to anyone with access to the sender's or the recipient's mailbox, but to every mail server, sent-items folder, and backup that retains a copy along the route.

Storing credit card numbers in corporate e-mail violates PCI standards.

In addition, company e-mail asked customers to reply with the CVV code, the three-digit sequence printed on the signature strip of most credit cards. (American Express prints a four-digit security code, the CID, on the front of its cards.) The code acts like a PIN for "card not present" transactions: it is a counterpart to, but distinct from, the verification values encoded in the card's magnetic stripe and EMV chip, so a merchant who holds it can prove the customer had the physical card in hand. Merchants may ask for the code when authorizing a card-not-present purchase, but PCI DSS prohibits storing it after authorization in any form, even encrypted, and a refund to the card used for the original purchase is normally issued against that transaction's reference and does not need the code at all.
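The two paragraphs above describe the data a merchant must keep out of its mailboxes: full card numbers and the CVV/CID. The check a security team would actually run over a shared refund inbox is a data-loss-prevention scan that flags Luhn-valid card numbers and labelled security codes and redacts them. The following is an added example, not code from the article or from Fortnum & Mason; the sample message is constructed for illustration and uses the card brands' published test numbers, and the function names (`luhn_ok`, `scan_message`, and so on) are this example's own.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A card security code that the sender has labelled as such (CVV2/CVC2 from the
# signature strip, or the CID on the front of an American Express card).
CVV_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code)\s*[:#]?\s*(\d{3,4})\b", re.IGNORECASE
)

# Constructed sample message (not a real customer e-mail). The card numbers are
# the Visa and American Express test numbers; the order number is 13 digits
# long but fails the Luhn check, so it must not be flagged.
SAMPLE_MESSAGE = """From: customer@example.invalid
Subject: Re: Refund for order 1234567890123

Card number: 4111 1111 1111 1111
Expiry: 12/26
CVV: 123
Also my Amex 378282246310005, CID 1234.
Phone: 020 7946 0958
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is what a receipt may show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(text: str) -> dict:
    """Find Luhn-valid PANs and labelled security codes in an e-mail body.

    Returns the PANs found (raw form and masked form), the number of security
    codes found, and a copy of the text with both redacted.
    """
    pans = []
    cvv_count = 0

    def _cvv_sub(m):
        nonlocal cvv_count
        cvv_count += 1
        prefix = m.group(0)[: m.start(1) - m.start(0)]  # keep the label, drop the digits
        return prefix + "[REDACTED]"

    def _pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # order numbers, phone numbers etc. are left alone
        masked = mask_pan(digits)
        pans.append((m.group(0), masked))
        return "[PAN " + masked + "]"

    # Redact security codes first so their digits cannot be absorbed into a PAN match.
    redacted = CVV_RE.sub(_cvv_sub, text)
    redacted = PAN_RE.sub(_pan_sub, redacted)
    return {"pans": pans, "cvv_count": cvv_count, "redacted": redacted}


if __name__ == "__main__":
    result = scan_message(SAMPLE_MESSAGE)
    for raw, masked in result["pans"]:
        print("PAN found:", masked)
    print("security codes found:", result["cvv_count"])
    print(result["redacted"])
```

The Luhn check is what keeps the scan useful: a bare "13 to 19 digits" pattern would flag the order number in the subject line, while the check rejects it and accepts both genuine card numbers. Anything this scan finds in a refund inbox is a PCI DSS incident to be logged and purged, not a record to keep on file.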

Although credit card industry officials declined to comment on the specifics of the Fortnum & Mason situation, each card brand's website warns consumers never to send card numbers by e-mail. Because legitimate-looking e-mail from both merchants and banks can be forged, banking security experts advise entering card details only on a secured website, and reaching that site by typing the retailer's address rather than by following a link in an e-mail. Modern Web browsers mark such a site with a "lock" icon in the address bar and an "https://" prefix, which together indicate that the connection to the domain shown is encrypted in transit. That is a necessary check, not a sufficient one: a phishing site can use HTTPS just as easily, so the domain name next to the lock must be the retailer's own.