CVV2 sent unencrypted

  • 16-07-2018 11:19am
    Registered Users Posts: 7,265 ✭✭✭ RangeR

    What are peoples thoughts of a company requesting the CVV sent in unencrypted form?

    Specifically, there is a parking enforcement provider that sends a text message [at an additional cost] reminding you that your parking is about to expire. They suggest replying to the text message to extend the parking but to include the CVV as an authenticator.

    I deem this as being in contravention of PCI DSS as this sensitive authentication data [SAD] should never be stored after authorisation nor transmitted in the clear.

    The company in question doesn't think that they are in violation.

    Just wondering what the InfoSec community think?


  • Registered Users Posts: 10,657 ✭✭✭✭ denartha

    The CVV was brought in to stop someone reading/memorising/photographing/etc the front of your card and going off on a spending spree. Giving anyone your CVV is a bad idea. Sending it unencrypted is a seriously bad idea.

    I'm with you, this sounds like very shoddy practice by this company and I'd be calling them up on it. Most places use the last 4 digits of the front of the card as the reference number, not the CVV.

    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.
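One way a merchant-side reply handler could honour both points raised in the thread (the card is named by its last 4 digits, as denartha describes, and a CVV is never accepted or retained from a cleartext channel, as RangeR's PCI DSS point requires). This is an added Python example, not code from the thread or from the provider discussed; the regexes, the `check_reply` name and the sample replies are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample SMS replies (not from the thread). The 16-digit number is a
# well-known Luhn-valid test PAN; nothing here is real card data.
SAMPLE_REPLIES = [
    "EXTEND 2h 123",                 # bare CVV offered as the authenticator
    "extend, cvv 9876, thanks",
    "extend card ending 4242",       # last-4 reference only
    "extend 4111111111111111 456",   # full PAN plus CVV
]
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")    # plain digit runs; separators not handled
LAST4_RE = re.compile(r"\b(?:ending|last\s?4|ref)\D{0,6}(\d{4})(?!\d)", re.I)
CODE_RE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")      # CVV2/CVC2-sized digit groups

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates a real PAN from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class ReplyCheck:
    accepted: bool
    last4_ref: Optional[str]
    redacted: str                 # the only form that may reach logs or tickets
    reasons: list = field(default_factory=list)

def check_reply(text: str) -> ReplyCheck:
    """Accept a reply naming the card by last 4 only; reject (and redact) any CVV or PAN."""
    reasons, redacted = [], text
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group()):
            reasons.append("PAN present")
            redacted = redacted.replace(m.group(), "[PAN REDACTED]")
    last4 = LAST4_RE.search(redacted)
    keep = last4.span(1) if last4 else None
    def _redact_code(m):
        if m.span() == keep:
            return m.group()      # the non-secret last-4 reference stays
        reasons.append("CVV-sized code present")   # SAD must not be stored, so it is stripped
        return "[CVV REDACTED]"
    redacted = CODE_RE.sub(_redact_code, redacted)
    return ReplyCheck(not reasons, last4.group(1) if last4 else None, redacted, reasons)
```

A message carrying a CVV-sized code is refused rather than merely masked, because the cleartext SMS leg has already exposed it; the redacted copy is what a ticket or log may keep.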

  • Registered Users Posts: 7,265 ✭✭✭ RangeR

    denartha wrote: »
    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.

    Cheers for the input. It's nice to know that I'm not the only one who thinks this is a serious issue.

    Unfortunately, I pointed this out to the company in question, via email, two odd weeks ago. They said that it wasn't a problem, that they are PCI DSS compliant and sent me some blurb from their FAQ relating to the veracity of their compliance, including a pdf cert dated 2015 :)

    They have since removed all PCI related claims from their site and cut off all contact.

    I'm following up with them through other channels.