I Notified a Major Credit Card Processor of a Security Issue and They Blamed Me

in #security, 8 years ago (edited)


Image credit: postoffis

Note: I have been advised to use the phrase "credit card gateway" instead of the name of the company where applicable. I am writing this because I was unsatisfied with the response I received from the credit card gateway and feel that others should be aware of some potential security issues when using credit cards online or in person.

How Secure is your Information?

Recently I received a receipt from a merchant that I've never used, from a location I've never visited. My first thought was that someone had my credit card number and they were having themselves a good time at my expense. But after looking the receipt over I quickly realized it had another person's name and the last 4 digits of their credit card, and I was somewhat relieved.

I figured this person or the merchant may have mistakenly entered my company's email address prior to sending the receipt. No problem, mistakes happen. Then I received another and another, all from different merchants and customers. Now it became a bit of a concern. One time I can write off as a mistake, but numerous merchants and customers making this mistake is unlikely.

So I did what most anyone would do: I emailed the credit card gateway's Fraud Department to let them know they may have a serious security issue on their hands. After all, we don't currently use this credit card gateway and haven't for years, and the information I was receiving included the following:

  • Customer's location on a Google Map where the transaction took place.
  • Date and time of the transaction.
  • Customer's first and last name.
  • Customer's credit card used.
  • Last 4 digits of the credit card.
  • Credit card authorization code for the transaction.
  • The merchant's name and location.

Basically I could track any of these customers as they shopped at this credit card gateway's merchants. I knew the last 4 digits of their credit card, which cab company they used, where they went and at what time.

I made several attempts to contact this credit card gateway and received no replies. After 2 months of this going on I went back into our old emails from 2014 and found a contact email address from someone in the credit card gateway's Fraud Department who appeared to be a human that would actually read my email and I contacted them about the issue.

What happened next surprised me. The following day I received an email from the credit card gateway's Customer Support, not their Fraud Department. After a few sentences I was able to determine that the credit card gateway's representative did not fully understand the implications or fully read my email. In my email I alerted them to the fact that we do not use their credit card gateway at our business and that we were receiving several of their merchants' customers' information.

The credit card gateway's representative didn't see an issue with this at all on their end and instead blamed my business because one or more of our representatives had entered our email address in a field when processing cards through that credit card gateway in 2014. Their remedy to this situation was:

I looked at your account when you were using it in 2014 and noticed that you’ve sent your customers’ receipts to yourself after accepting payments. Please refrain from sending customer receipts to your own email address or phone number. Our system associates receipt delivery information with the card used for the purchase so customers don’t need to enter their email address or phone number when they purchase something from another [the credit card gateway's] merchant.

And then they added this bit of information that was rather alarming:

If you enter your own email address or phone number instead of allowing customers to input their information, your email address or phone number will be associated with their credit card and you may automatically receive their receipt anytime they pay a [credit card gateway] merchant. What you are seeing is a receipt for a purchase one of your customers made with another merchant.

[Emphasis mine.]

That's right, this credit card gateway is not getting the customer's preferred email address and phone number from the customer, but from the merchant. Even worse, they are then tying that possibly incorrect information to the customer's credit card indefinitely and sending it wherever the merchant specifies, no matter where that customer shops in the future. As I said, it's been over 2 years since we used this credit card gateway and yet we're receiving other merchants' customer information in 2016.
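To make that mechanism concrete, here is an added model (not the gateway's code; every name, address and card identifier is constructed) of the receipt-routing design the representative describes, beside a scoped alternative that is an assumption of mine rather than anything the gateway offers. It replays the post's scenario: a merchant's own email typed at checkout in one year following the card to an unrelated merchant later.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Receipt:
    merchant: str
    card_last4: str
    sent_to: Optional[str]  # where the gateway sends the receipt, if anywhere

class CardBoundGateway:
    """Design described in the post: whatever contact the merchant typed at
    checkout is bound to the card itself and reused for every later merchant."""

    def __init__(self):
        self._contact_by_card = {}

    def charge(self, card_key, merchant, contact_entered=None, confirmed_by_customer=False):
        if contact_entered:  # merchant-typed or not, it sticks to the card indefinitely
            self._contact_by_card[card_key] = contact_entered
        return Receipt(merchant, card_key[-4:], self._contact_by_card.get(card_key))

class ScopedGateway:
    """Hardened alternative (an assumption, not the gateway's fix): a contact is
    kept only for the (card, merchant) pair it was given to, and only after the
    customer confirmed it, so a merchant's own address cannot follow the card."""

    def __init__(self):
        self._contact = {}

    def charge(self, card_key, merchant, contact_entered=None, confirmed_by_customer=False):
        scope = (card_key, merchant)
        if contact_entered and confirmed_by_customer:
            self._contact[scope] = contact_entered
        return Receipt(merchant, card_key[-4:], self._contact.get(scope))

def replay_post_scenario(gateway):
    """Constructed scenario: merchant A's clerk types A's own e-mail for a
    customer's card; later the same card pays an unrelated merchant B.
    Returns the address B's receipt is sent to (None means nobody)."""
    card = "tok_4242"  # constructed card identifier, not a real token
    gateway.charge(card, "merchant_A", contact_entered="billing@merchant-a.example")
    return gateway.charge(card, "merchant_B").sent_to

if __name__ == "__main__":
    print("card-bound:", replay_post_scenario(CardBoundGateway()))  # billing@merchant-a.example
    print("scoped:", replay_post_scenario(ScopedGateway()))  # None
```

The card-bound model reproduces exactly what the post reports: merchant B's receipt lands in merchant A's inbox years later, while the scoped model sends it nowhere because nobody the gateway can trust ever asked for that.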

We did not have the email address or phone number of the customers in question on file, most likely because the customer chose not to supply this information to us during checkout. But now we unfortunately have a lot more information on these customers, and we were able to obtain this information without having an active account with this credit card gateway.

I can only assume that, while we were using this credit card gateway, if a customer did not want to supply an email address or phone number to us at the time of purchase, one of our representatives simply entered our information to get through the checkout process. Or they did this to have a receipt for the customer handy in case they asked for one at a later date, which happens often when someone needs to be reimbursed or for tax purposes.

So this credit card gateway representative's solution to all of this was for us to stop entering our information, which is going to be hard to do since we stopped using them in 2014. There was no indication that the representative was going to pass this information on to someone who deals with security issues; it was simply our fault for this happening.

The fact that my email went to a Customer Service representative instead of someone who deals with security issues was bad enough. I sent my email to their Fraud Department and they passed it along to Customer Service without even addressing my concerns themselves. That's a big red flag in itself.

After reading their reply I went to see what this credit card gateway's security is all about and found this on their website:

"[Credit card gateway's] approach to security is designed to protect both you and your customers."

From my experience they're not following through on that promise, or on this one:

"We monitor every transaction, we continuously innovate in fraud prevention, and we protect your data like our business depends on it—because it does."

TL;DR

If you, as a customer, are dealing with a merchant that uses this processor as their credit card gateway, be sure you either give them your email address and phone number or ask them not to supply any information at all in those two fields. Otherwise your information can end up just about anywhere that merchant desires, because according to this credit card gateway's representative, they have given all control of your account information to the merchant and not to you, the customer.


That is really bad news. Of course they don't want you to name them publicly, then they will have to fix it. A financial company refusing to deal with a security issue that exposes a full last name, credit card numbers/code, GPS location, and store deserves to be named and publicly shamed. Bad publicity is oftentimes the only reason companies fix problems like this.

Please post their name for the customers' sake. A different account asking a question about the company would be one way to do it indirectly.

I think it's hidden in the image and the image name.

Wow! So what's keeping a disgruntled employee from inputting their own email and tracking customers' future credit card purchases? Creepy....