An SMB PCI DSS Learning Opportunity

{Wow…love a chance to use 3 initializations in a row… 🙂 }
Over the past week I have been getting my holiday shopping done, almost entirely all online. I love to find unique stores, often small and medium sized businesses (SMBs) with interesting items, and I found one small store in Florida that makes some great, creative photo items at a reasonable price. Their online site was a little hard to navigate, though, so I spent a little time doing a bit of research about the store. They have been around since the 1980’s, and I could find no complaints about them. Their order form encrypted the input, but it was hard to figure out how to fill it in; I couldn’t get more than one photo uploaded to order more than one ornament, coffee mug, etc., at one time…

I tried numerous times to fill in the form so I wouldn’t have to make multiple orders, but could not get it to work. So I ended up submitting multiple orders, each of which I could not tell for sure had succesfully been submitted. However, in a few minutes I got the electronic receipts in my in-box. Well, the items I wanted to order seemed to have gone through successfully, but I could not be sure the way the receipts were worded.
What concerned me, though, was that in addition to my name and mailing address, the small business had included my full credit card number, CSV and expiration date in clear text within the emails; YIKES!!
This is definitely a time to provide the SMB with some information about security, privacy and compliance.
I called the business and had a very nice discussion with the owner. I let her know about some of the PCI DSS requirements, and also the risks involved with sending sensitive personally identifiable information (PII), including credit card numbers, in clear text email messages. She was not aware of PCI DSS, or of the security risks involved with sending clear text emails. I followed up the call by sending her the following email, to which I attached one of the email receipts they had sent to me…

“Hello [name removed],
It was nice chatting with you just a few minutes ago.
The following is one of the web order emails I received when placing my order from your website. As I mentioned on the phone, it is important for security and privacy protection to not include the full, clear text credit card number within emails. It is also against the Payment Card Industry Data Security Standard (PCI DSS; see it at to do so, which means you could be prohibited from taking credit card payments, get fines, or any of a number of other sanctions if this was discovered. What is appropriate to do is something similar to what I have done with my credit card information in the following; I have replaced the numbers with X’s to not only be in compliance with PCI DSS, but also to help protect my number from identity theft, identity fraud, or other crimes if it was intercepted by someone with malicious intent in their minds. In fact, you really do not need to include the CSV or expiration date within your email order confirmation at all. Companies often include the last 4 digits of the credit card number so that the customer can have a record of which of their cards they used for the purchase.
Thank you for checking and confirming my order! I will look forward to getting the photo ornaments and photo mugs.”

She responded…

Thank you so very much for this very valuable information.
I spoke to our web designers immediately after speaking to you. The credit card is being taken care now. I have forwarded your notes to our web designers so hopefully this will be fully operating immediately.
Thank you so much for all of your very valuable input, and especially your patience!
Happy Holidays!”

If you do business with an SMB, or large organization, and see that they are doing something in a way that puts PII at risk, do not hesitate to contact the company. It is very possible they may not be aware of the PCI DSS, regulatory or other requirements. And they may not realize that what they are doing is putting PII at risk.
If you see an opportunity to provide some awareness to a business about information security, privacy or compliance, take it!

Tags: , , , , , , , , , , ,

Leave a Reply