Posted by John Kindervag on February 5, 2010
The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving your credit card number to someone other than the retailer you are shopping with:
"Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text."
My gut tells me that this violates the spirit, if not the letter, of the PCI Data Security Standard. According to the PCI DSS:
"Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data."
It is probably safe to assume that the business agreement around the data sharing identified by the New York AG's office did not include language surrounding PCI compliance.
An MSNBC story on the investigation puts it this way:
"Here’s where things really get smarmy. Even though you did not give that second company any account information, they will bill the credit or debit card number you used to make the original purchase. You didn’t have to provide your account number because the “trusted” retailer gave it to them for a cut of the action."
My guess is that this is being done outside of the security and PCI folks at these companies. In fact, this type of use of credit card information is one of the biggest areas of pushback our clients get internally. We often hear complaints from security teams that they are having difficulty enforcing PCI and other security initiatives because marketing and business intelligence management claim that they "need" credit card numbers to run their businesses. Really bad idea. No one "NEEDS" credit card numbers for anything except completing a transaction. They may "USE" credit card numbers for other business purposes, but they do this at the risk of their entire organization. True credit card security will only happen when there is a fundamental mindshift in organizations, so that they understand that credit card numbers (or any other personal or private information, for that matter) are not theirs to use in any way they want, especially for marketing purposes.
Expect to see other states get involved. Nothing will shut this practice down faster than legal departments being forced to respond to a whole bunch of subpoenas.