
CVV2 sent unencrypted

  • 16-07-2018 12:19pm
    #1
    Registered Users Posts: 7,265 ✭✭✭


    What are peoples thoughts of a company requesting the CVV sent in unencrypted form?

    Specifically, there is a parking enforcement provider that sends a text message [at an additional cost] reminding you that your parking is about to expire. They suggest replying to the text message to extend the parking but to include the CVV as an authenticator.

    I deem this as being in contravention of PCI DSS as this sensitive authentication data [SAD] should never be stored after authorisation nor transmitted in the clear.

    The company in question doesn't think that they are in violation.

    Just wondering what the InfoSec community think?


Comments

  • Posts: 0 [Deleted User]


    The CVV was brought in to stop someone reading/memorising/photographing/etc the front of your card and going off on a spending spree. Giving anyone your CVV is a bad idea. Sending it, unencrypted is a seriously bad idea.

    I'm with you, this sounds like very shoddy practice by this company and I'd be calling them up on it. Most places use the last 4 digits of the front of the card as the reference number, not the CVV.

    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.
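
As an added illustration of the alternative the reply above describes (authenticate the SMS reply with a stored card token plus the last four digits, never the CVV2), here is example code that is not from either poster or from the parking company. The phone number, token format, reply format and card-on-file records are constructed assumptions for this example. Any reply that does not match the expected shape (for instance one carrying an extra three-digit group that could be a CVV) is rejected, and digit runs are masked before the text can reach a log.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed card-on-file store keyed by sender phone number. PCI DSS allows a
# merchant to keep a processor-issued token and the last four digits of the PAN;
# sensitive authentication data such as CVV2 must not be stored after
# authorisation, so no such field exists in this record.
CARDS_ON_FILE = {
    "+353870000001": {"token": "tok_constructed_1", "last4": "4242"},
}

# Expected reply shape (assumed for this example): "EXTEND <minutes> <last4>".
REPLY_RE = re.compile(r"^\s*EXTEND\s+(\d{1,3})\s+(\d{4})\s*$", re.IGNORECASE)
# Any run of three or more digits is masked before logging.
DIGIT_GROUP_RE = re.compile(r"\d{3,}")


@dataclass
class Decision:
    accepted: bool
    reason: str
    minutes: int = 0
    charge_token: Optional[str] = None
    safe_to_log: str = ""  # message text with digit runs masked


def redact_digits(text: str) -> str:
    """Mask every run of 3+ digits so a CVV or PAN never lands in a log line."""
    return DIGIT_GROUP_RE.sub(lambda m: "#" * len(m.group()), text)


def handle_reply(sender: str, text: str) -> Decision:
    """Decide whether an inbound SMS extends the parking session.

    The customer proves possession of the card on file with the last four
    digits only; the charge itself is made with the vaulted token, so the
    merchant never receives or transmits CVV2.
    """
    safe = redact_digits(text)
    card = CARDS_ON_FILE.get(sender)
    if card is None:
        return Decision(False, "unknown sender", safe_to_log=safe)
    m = REPLY_RE.match(text)
    if m is None:
        # Anything outside the fixed shape, including a stray 3-digit group
        # that might be a CVV, is discarded; only the masked text is logged.
        return Decision(False, "unexpected format; message discarded", safe_to_log=safe)
    minutes, ref = int(m.group(1)), m.group(2)
    if ref != card["last4"]:
        return Decision(False, "last-4 reference mismatch", safe_to_log=safe)
    if not 1 <= minutes <= 240:
        return Decision(False, "duration out of range", safe_to_log=safe)
    return Decision(True, "ok", minutes=minutes,
                    charge_token=card["token"], safe_to_log=safe)


if __name__ == "__main__":
    for sender, msg in [("+353870000001", "EXTEND 60 4242"),
                        ("+353870000001", "EXTEND 60 4242 123"),
                        ("+353870000002", "EXTEND 30 4242")]:
        d = handle_reply(sender, msg)
        print(d.accepted, d.reason, "| logged as:", d.safe_to_log)
```

The point of the fixed reply grammar is that the merchant only ever accepts digits it already expects (a duration and the last-4 reference it holds on file); a three-digit CVV has no place in the message and causes the reply to be rejected rather than stored, while the redaction step keeps any such value out of logs and support tickets.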


  • Registered Users Posts: 7,265 ✭✭✭RangeR


    Email them and quote PCI-DSS. Or email them and quote plain common sense. Let us know how you get on.

    Cheers for the input. It's nice to know that I'm not the only one who thinks this is a serious issue.

    Unfortunately, I pointed this out to the company in question, via email, two odd weeks ago. They said that it wasn't a problem, that they are PCI DSS compliant and sent me some blurb from their FAQ relating to the veracity of their compliance, including a pdf cert dated 2015 :)

    They have since removed all PCI related claims from their site and cut off all contact.

    I'm following up with them through other channels.

