Comments on: Airline PCI Violation

By: DalPay Thorsten

DalPay Thorsten — Tue, 01 Jul 2008 23:10:00 +0000

John R.V. Jones wrote:
>Whatâ€™s raised my eyebrow was that they asked you for a
>signature – any merchant with a MOTO or online CNP
>account does not require a signature once they have the
>cardholderâ€™s info.

Yes the merchant can get an authorization (auth code) from one of the card networks without the cardholder’s signature but the liability for Card Not Present transactions is squarely with the merchant.

As any experienced Card Not Present (Mail Order/Telephone Order, Internet) merchant knows, such authorizations from the card’s issuing bank are sadly worth the paper they are printed on.

It sounds like this was a clumsy attempt at an authorization form by the airline. Certainly they should be admonished for the way that they got that ‘form’ to the cardholder, but without an authorization form with signature the merchant is wide open to chargeback risk.

The card associations need to provide better information to merchants as part of the authorization process and to accelerate liability shift away from the merchant if they want less of this kind of thing going on.

PCI DSS is important, but it and 3D-Secure and CVV are all band aids on the broader issue of merchant liability.

By: Neon

Neon — Tue, 04 Sep 2007 07:21:13 +0000

Get yourself a new credit card once a month to prevent the worst. Don’t link your credit card to your primary checking account. Don’t give away cvv.

By: John R.V. Jones

John R.V. Jones — Wed, 08 Aug 2007 08:18:45 +0000

You’re absolutely correct – the storing of the cardnumber and the CVV is a PCI Standard violation. What’s raised my eyebrow was that they asked you for a signature – any merchant with a MOTO or online CNP account does not require a signature once they have the cardholder’s info. I’d be looking out for a little fraud operation on the side, as there is no reason whatsoever for a signature. Who to report it to? That’s easy enough – if it’s an airline, they’re likely at least a level 1 or 2 merchant, and as such are required to have periodic audits by the card services. Call the company associated with your card, and tell them the problem you encountered, that it was a PCI violation, and you want to report it to the Qualified Security Assessors responsible for auditing that company, or rather to your card service provider preferably. They have gone to great lengths and expense to ensure compliance by all merchants, particularly L1′s & 2′s. I don’t think they’d look kindly at an operation that was so blatantly violating their standard.

By: Airline PCI Violation by travel.ZapiZapi.com

Airline PCI Violation by travel.ZapiZapi.com — Wed, 25 Jul 2007 09:46:23 +0000

[...] my flight dates and all that. In the end she asks me for my credit … article continues at Raffael Marty brought to you by travel and [...]

By: HJ

HJ — Fri, 20 Jul 2007 05:26:32 +0000

I’m wondering whether it is a violation of PCI DSS. PCI applies to the situation where credit card info is stored or transmitted over internet. In this case, MAYBE the card info is not stored as soft copy (the sales person can type the info into computer, do NOT save it, print it out, then clean all the cache), and it’s not transmitted over internet (transmission is through FAX).

By: dre

dre — Fri, 13 Jul 2007 22:53:34 +0000

Who does one report this sort of incident to?