CVV2 sent unencrypted

  • 16-07-2018 11:19am
    #1
    Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭


    What are people's thoughts on a company requesting the CVV sent in unencrypted form?

    Specifically, there is a parking enforcement provider that sends a text message [at an additional cost] reminding you that your parking is about to expire. They suggest replying to the text message to extend the parking but to include the CVV as an authenticator.

    I deem this as being in contravention of PCI DSS as this sensitive authentication data [SAD] should never be stored after authorisation nor transmitted in the clear.

    The company in question doesn't think that they are in violation.

    Just wondering what the InfoSec community thinks?


Comments

  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    The CVV was brought in to stop someone reading/memorising/photographing/etc. the front of your card and going off on a spending spree. Giving anyone your CVV is a bad idea. Sending it unencrypted is a seriously bad idea.

    I'm with you, this sounds like very shoddy practice by this company and I'd be calling them up on it. Most places use the last 4 digits of the front of the card as the reference number, not the CVV.

    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭ RangeR


    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.

    Cheers for the input. It's nice to know that I'm not the only one who thinks this is a serious issue.

    Unfortunately, I pointed this out to the company in question, via email, two-odd weeks ago. They said that it wasn't a problem, that they are PCI DSS compliant, and sent me some blurb from their FAQ relating to the veracity of their compliance, including a PDF cert dated 2015 :)

    They have since removed all PCI related claims from their site and cut off all contact.

    I'm following up with them through other channels.

