Wednesday 14 May 2014

Credit card security blown wide open on postal transactions



(Originally made this post on Ecademy.com, now Sunzu.com, on 11 Dec 2007)

I'm becoming increasingly worried by suppliers that ask for your debit or credit card security number in writing, along with the card number and expiry date, for postal transactions. This blows the security system wide open. Anyone that intercepts your instructions, either before or after your legitimate payment is made, has everything needed to rip off suppliers (and you).

Why are suppliers doing this? Simply, it's because their banks are demanding these details for Customer Not Present transactions that are entered through merchant machines such as the PDQ.

When you enter card details onto a secure supplier website or a proper payment service such as PayPal, the possible number of fraudsters is quite limited, and collusion or fraudulent action by the owner of the site is a strong suspicion if anything goes wrong. The chain is pretty clear. But just like a pair of CD-ROMs, if a piece of paper goes astray, it could be in anyone's hands, it can be photocopied and sent anywhere in the world, and huge amounts of damage can be done.

Signature as confirmation of identity should be enough for 'cold' transactions where no goods are shipped within 24 hours. When a PDQ machine is used, the bank now seems to require the security number. Specific cases in the last two weeks: NatWest demanded this from a charity for a donation that I wanted to make by card (I sent a cheque instead, along with my Gift Aid form) and a UK passport application where the payment must accompany the application form (I used the Check and Send service at a Post Office which allowed me to make the payment electronically).

This is really dangerous stuff. Barclaycard told me definitely not to send the card security number in writing along with other card details, but I wouldn't be surprised if their merchant people are following the same protocol as NatWest and the Home Office. Is this a general problem? I'd like to gather evidence and to hear of any other cases where this practice has been introduced. And then make some noise in the right places.


Comments received on Sunzu.com:

John, I agree with you and I will not write down a security number. I also agree with S - suppliers keeping written records of credit card numbers also provides a security loophole for dishonest employees and theft from suppliers' premises. What's the point of shredding all your documents at home if suppliers have such details in their filing cabinets! My advice (which I will now take myself in future) is not to write down my credit / debit card numbers on any paper form. Regards, G (UK)


John, I totally agree, you should never give out all these details in writing. The point of the security code, well, is... security. The best practice on this is never to have the card details in writing... as soon as there is a record, there is a risk towards the data protection rules. As e-retailers, we make 3 important points: 1- all online purchases are managed through secure services so we never have access to the customer's card details. 2- for transactions over the phone, we always carry out the transaction live and do not take notes of the card numbers. Once the transaction is finished we (and any other mischievous party) have no way of retrieving the card details. This is quite an effective way of preventing credit card fraud. 3- we never ask for card details in writing. I now demand the same type of security from my suppliers, so no employee could take note of the card number in passing. Many organisations do not realise their responsibilities in that area... how many are insured against employee dishonesty??? S (France)


Agreed

It always makes me think about it on line, I am not sure that is good practice even with the security that wraps around it. K (UK)


I agree with you John, I think there is very little personal safety as regards our financial details. I hate to think how many companies have our details of cards, dob, NI numbers etc. You are right - so much damage can be done in a short space of time. When the CDs went missing I think it gave everyone a shake up. And yet will any of these things stop? I think not. I recently watched a movie. It was called 'The Lives of Others'. It was in German with subtitles. It was set in East Germany just before the wall came down. It really exposed just how thorough the Stasi were in gathering information on everyone. It was a society where people had no freedom, no secrets, no comeback. Nowhere to go to talk about injustice. Anyone who spoke out or argued against the State was imprisoned or worse. Is this what is happening over here? One has to ask - 'What exactly is going on'? L (UK)