{"id":105,"date":"2007-07-12T00:34:35","date_gmt":"2007-07-12T05:34:35","guid":{"rendered":"http:\/\/raffy.ch\/blog\/2007\/07\/12\/airline-pci-violation\/"},"modified":"2007-07-12T00:35:10","modified_gmt":"2007-07-12T05:35:10","slug":"airline-pci-violation","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2007\/07\/12\/airline-pci-violation\/","title":{"rendered":"Airline PCI Violation"},"content":{"rendered":"<p>Today I was booking my airline ticket to Kuala Lumpur, Malaysia for my trip to <a href=\"http:\/\/conference.hitb.org\/hitbsecconf2007kl\/?page_id=59\">Hack in the Box<\/a> in September. I called the sales lady for the airline and talked to her about my flight dates and all that. In the end she asked me for my credit card information. Number, expiration date, and then the CVV number on the back of my card (the security code, as it is sometimes called too). I hesitated for a second, trying to remember what I had just learned from the <a href=\"https:\/\/www.pcisecuritystandards.org\/\">PCI<\/a> auditors we had in house. I couldn&#8217;t really remember when a merchant needed that number, but after a second I realized that it would be okay to give it to her. It&#8217;s about the same as on a Web page, where you enter that information. They can use the CVV to run an authorization with the credit card company. Well, I thought that would be it. Wrong!<\/p>\n<p>A couple of hours later I got a pretty ugly Excel spreadsheet back. I was asked to print it out, sign it, and fax it back to them. I had a look at the form and I wondered what was going on. Well, there was all my information in this spreadsheet, including the CVV number!  They even &#8220;encrypted&#8221; my credit card number in the spreadsheet. I am just kidding. It was all in plain text. The only funny thing was that the credit card number field was not formatted as a string, but as a number, so it looked like it was encrypted. *grins*. But back to serious. I was quite upset. 
All my information in this document. I have to assume that this Excel document is on the sales person&#8217;s desktop, along with probably dozens of others. Hmmm&#8230; Maybe I should send an email with a link that points to a site that contains a &#8230; Let&#8217;s not even go there.<\/p>\n<p>The next thing I did was dig up the PCI standard. And here it was, section 3.2.2:<br \/>\n<code>3.2.2 Do not store the card-validation code (Three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data))<\/code><br \/>\nA clear violation! And you know, this is pretty much the first thing you should address: the way of authorizing credit card transactions. Just plain wrong! Darn!<\/p>\n<p>I wrote them an email asking for a contact in their security department. So far, no luck, just the sales person telling me that she needs all that information to complete the transaction. Whatever. Either she needs my signature, but then no CVV, or the CVV and no signature. But not both! I wonder how this is going to continue.<\/p>\n<p>[tags]pci, compliance, violation, security[\/tags]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I was booking my airline ticket to Kuala Lumpur, Malaysia for my trip to Hack in the Box in September. I called the sales lady for the airline and talked to her about my flight dates and all that. In the end she asked me for my credit card information. 
Number, expiration date, and then [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-105","post","type-post","status-publish","format-standard","hentry","category-security-information-management"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=105"}],"version-history":[{"count":0,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/105\/revisions"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?parent=105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}