Why Do Logos Prepub eMails Show Credit Card Info?

Posts 10625
Denise | Forum Activity | Posted: Fri, Dec 29 2017 4:22 PM

I'm just curious? It seems irresponsible these days.

- If the expiration is in danger, easy enough to warn the customer. But far in the future, why?

- Billing address? I'd assume first use would confirm the address validity.

In these days of data consolidators, honest or not, all these pieces are handy for identifying people. 

Doubt an answer, but I cleared my prepubs.

Edit: Accordance receipts are also quite forthcoming. But no exp-dates.

"I didn't know God made honky tonk angels."

Posts 2829
Don Awalt | Forum Activity | Replied: Sat, Dec 30 2017 6:20 AM

If you are referring to either the "We are about to begin processing..." emails or the Prepub ready to be downloaded emails, mine shows expiration but no account number, not even last 4 digits. It would be hard for someone to steal a credit card number without... a credit card number. IMHO. 

Posts 1002
JohnB | Forum Activity | Replied: Sat, Dec 30 2017 6:27 AM

Big Smile

Posts 10625
Denise | Forum Activity | Replied: Sat, Dec 30 2017 6:32 AM

Yep, folks are still in the older world where they think the data has to be in the same place, relative to risk.

But with large amounts of data collected about you, it's an easy proposition. The problem is being able to duplicate you digitally.

Corporately, the principle is don't show customer information, unless absolutely necessary. Amazon is much more disciplined. In any event, my prepubs are gone.

"I didn't know God made honky tonk angels."

Posts 2499
Lee | Forum Activity | Replied: Sat, Dec 30 2017 7:23 AM

You're right to be careful, but in FL's defence they've never referenced my card number in any correspondence. So there are no dots to connect.

My only worry is that internally, FL is authorized to charge my card. Only a verbal confirmation is needed. This is convenience at its best, but I imagine, also a hacking incident waiting to happen. I just have to trust my online vendors.

Posts 1002
JohnB | Forum Activity | Replied: Sat, Dec 30 2017 7:37 AM

There is a difference between careful and being paranoid. The trick is to attempt to divine the difference.

In practice, if one is careful, the main risk seems to be that the holder of card information is hacked and the number, name and expiry date are stolen together.

Posts 2829
Don Awalt | Forum Activity | Replied: Sun, Dec 31 2017 5:06 AM

Denise:

Yep, folks are still in the older world where they think the data has to be in the same place, relative to risk.

But with large amounts of data collected about you, it's an easy proposition. The problem is being able to duplicate you digitally.

Corporately, the principle is don't show customer information, unless absolutely necessary. Amazon is much more disciplined. In any event, my prepubs are gone.

No worries, this is minor compared to the many breaches we are all subjected to, which is why you have to monitor your transactions daily IMHO. There is much greater risk of an employee at your healthcare provider selling ALL your personal information than anyone being able to glean an account number and security code somewhere else and putting it with logos.com emails that would have to be intercepted as well. Sounds like you were looking for a reason to delete all your prepubs, since you have now mentioned it twice. I know what that's like, sometimes I need an external influence to help me make a decision I should be doing anyway. Good for you! Happy New Year!

Posts 10625
Denise | Forum Activity | Replied: Sun, Dec 31 2017 6:45 AM

Happy New Year, Don. Anything might happen, so why be careful. Agree completely.

"I didn't know God made honky tonk angels."

Posts 245
BriM | Forum Activity | Replied: Mon, Jan 1 2018 7:05 AM

Don Awalt:
anyone being able to glean an account number and security code somewhere else and putting it with logos.com emails that would have to be intercepted as well

I'm with Denise on this one.

For many years there have been commercial solutions to merge disparate pieces of information about customers - email address from here, phone number from there, physical address from another place - all to get a complete picture of customers. Whilst difficult to conceive of manually, I work in an environment where this is bread and butter work.

It's easy to imagine this type of technology being used to collate various pieces of credit card information, particularly when different retailers mask different parts of the credit card number - a few retail transactions would combine to give the whole number then Faithlife's ill-advised disclosure of the expiry date leaves the villains only the 3 digit security code to guess.

Posts 2829
Don Awalt | Forum Activity | Replied: Mon, Jan 1 2018 8:35 AM

BriM:
particularly when different retailers mask different parts of the credit card number

I am wondering, do you have an example of any retailer that exposes anything other than up to the last 4 digits of the credit card? I have not found this to exist, as it's specifically prohibited by the standards that technology vendors and retailers follow (PCI Security Standards Council). Violations carry very strict penalties initially enforced by the credit card payment organizations - who may fine the bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate the relationship with the merchant in violation or increase transaction fees. So there are a lot of eyes on this.

I am not trying to be nit-picky, but when you are asking a vendor to make changes it should be based on reality not fear and scenarios we imagine could exist but don't - it's just picking a fight irrationally.

Posts 2829
Don Awalt | Forum Activity | Replied: Mon, Jan 1 2018 8:37 AM

Denise:

Happy New Year, Don. Anything might happen, so why be careful. Agree completely.

Ha ha. Don Quixote.

Posts 245
BriM | Forum Activity | Replied: Mon, Jan 1 2018 10:16 AM

Don Awalt:
I have not found this to exist, as it's specifically prohibited by the standards that technology vendors and retailers follow (PCI Security Standards Council).

Could this be a US-only prohibition?

I'm in UK, and just looked through my current credit card receipts. Almost all have only the final four digits shown, but I have one that shows the first six, plus final four - leaving only six digits missing. That was from a major tyre fitter here. I also believe I recall seeing a receipt in the past that had only 4 digits masked, but don't have an example at the moment. Certainly, I've noticed some variation although final 4 does seem to be by far the most common.

Posts 2829
Don Awalt | Forum Activity | Replied: Mon, Jan 1 2018 10:22 AM

It's global, founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. So I guess if the accounts you see might be in violation of the compliance standards, the repercussions I mentioned will come down ultimately on the merchant through the affected card-issuing bank.

Posts 1002
JohnB | Forum Activity | Replied: Tue, Jan 2 2018 1:49 AM

BriM:
I'm in UK, and just looked through my current credit card receipts. Almost all have only the final four digits shown, but I have one that shows the first six, plus final four - leaving only six digits missing. That was from a major tyre fitter here. I also believe I recall seeing a receipt in the past that had only 4 digits masked, but don't have an example at the moment. Certainly, I've noticed some variation although final 4 does seem to be by far the most common.

I have personally never noticed more than 4 shown here in the UK. In fact I have seen very few do it at all. I think Amazon show it on their site when logged in as do Western Union. It seems to be the main Card companies (Visa etc) who seem to make the main security decisions rather than the card issuer. They also seem to largely determine what additional checks the card issuer (eg the bank) has to carry out on specific transactions so they may well be very unhappy about traders revealing more than 4 digits.

As you will be aware, it is also a breach of rules for the trader to retain the check digits on their computer system - that has not stopped some of them doing it in the past however. 
