
CVV2 sent unencrypted

  • #1
    Registered Users Posts: 7,266 ✭✭✭ RangeR


    What are people's thoughts on a company requesting the CVV be sent in unencrypted form?

    Specifically, there is a parking enforcement provider that sends a text message [at an additional cost] reminding you that your parking is about to expire. They suggest replying to the text message to extend the parking but to include the CVV as an authenticator.

    I deem this as being in contravention of PCI DSS as this sensitive authentication data [SAD] should never be stored after authorisation nor transmitted in the clear.

    The company in question doesn't think that they are in violation.

    Just wondering what the InfoSec community think?


Comments



  • The CVV was brought in to stop someone reading/memorising/photographing/etc the front of your card and going off on a spending spree. Giving anyone your CVV is a bad idea. Sending it, unencrypted is a seriously bad idea.

    I'm with you, this sounds like very shoddy practice by this company and I'd be calling them up on it. Most places use the last 4 digits of the front of the card as the reference number, not the CVV.

    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.




  • denartha wrote: »
    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.

    Cheers for the input. It's nice to know that I'm not the only one who thinks this is a serious issue.

    Unfortunately, I pointed this out to the company in question, via email, two-odd weeks ago. They said that it wasn't a problem, that they are PCI DSS compliant, and sent me some blurb from their FAQ relating to the veracity of their compliance, including a PDF cert dated 2015 :)

    They have since removed all PCI related claims from their site and cut off all contact.

    I'm following up with them through other channels.

