61

Is there some place for a consumer to file a complaint concerning improper use of credit card information?

I gave my credit card to a towing company and they sent me a receipt via email with all of my credit card info in the notes field. The email sent is in no way secure.

Is there a government agency where I can file a complaint? I believe my credit card is now compromised and I am going to cancel it and get it reissued. I don't believe this company has a clue about the risk they are placing their company in.

Kyll
Jim Skov
  • 7
    Would depend on your country, and possibly card provider. You could certainly let your bank know the reason for requesting a replacement. – Matthew Jan 27 '17 at 14:21
  • 53
    This is better reported to your credit card company. – schroeder Jan 27 '17 at 14:35
  • 6
    Can you elaborate on what you mean by "all of my credit card info"...? What specifically was on the receipt? – SnakeDoc Jan 27 '17 at 16:30
  • 1
    @SnakeDoc, I think it would be safe to assume the OP would mean, card type, number, name on the card and expiry date. – Octopus Jan 27 '17 at 19:12
  • Similar: https://security.stackexchange.com/questions/118733/major-uk-company-seems-to-be-handling-customer-card-data-recklessly, https://security.stackexchange.com/questions/17835/how-can-i-report-pci-dss-violations – André Borie Jan 27 '17 at 20:01
  • 7
    @Octopus I don't know that it's safe to assume that. Some people think first 6 + last 4 is a security risk, or zip code... My question would help clarify the OP's statement so that we can better provide advice. Getting all up in arms about PCI this and that is irrelevant if OP's understanding of what's secret and what's not is flawed. – SnakeDoc Jan 27 '17 at 20:07
  • 3
    What country are you in? You're asking about government agencies without telling us what your government is. – Lightness Races in Orbit Jan 28 '17 at 17:20
  • 1
    @Mehrdad Post here your credit card number then, plus expiry & CV3. No? Okay then, that disproves your point about card information not being private information then; it *is*. – AStopher Jan 29 '17 at 16:13
  • @cybermonkey: I wouldn't even post my last name here, that doesn't mean it's private information... – user541686 Jan 29 '17 at 20:19
  • @Mehrdad Sure it does, 'private' by definition refers to something that you don't want anyone else knowing. You're saying that you're willing to give everyone your card number, by that same definition. – AStopher Jan 29 '17 at 20:21
  • @cybermonkey: I can't help someone who's doing everything he can to miss my point. – user541686 Jan 29 '17 at 20:27
  • @Mehrdad What point? My point is that CC info *is* private information. If it isn't, why aren't you posting yours like I requested? – AStopher Jan 29 '17 at 20:33
  • @Mehrdad: You are correct that there is a legal definition for "private information", not just what you feel uncomfortable giving out. You are incorrect when you say that definition doesn't cover credit card numbers. – Ben Voigt Jan 29 '17 at 21:03
  • @BenVoigt: No, I wasn't taking any legal definition here. – user541686 Jan 29 '17 at 21:07

3 Answers

56

(Note: Not a PCI QSA, just know some PCI and PII stuff)

Violating the Payment Card Industry Data Security Standard is not a violation of the law. The PCI DSS is an agreement between the payment card companies (VISA, etc) and the processors about how data will be secured.

The towing company is likely in breach of an agreement with their processor by doing this - and almost certainly would be more liable in case of leaked information.

If the email indicates the credit card processor, you could contact them. You could also contact the towing company directly. Lastly, as @Matthew suggests, you should let the bank know when you cancel.

A further possibility is to look at the Personally Identifiable Information statutes in your state (assuming you are in the US). PII statutes vary widely depending on your location, but they widely consider the credit card number (known as the PAN) as counting as PII (along with the other personal information presumably in that email). If your location has a privacy commissioner, you could raise it with that department. Most PII statutes have requirements that companies treat PII with appropriate care and there are some significant penalties for not doing so in many jurisdictions.

For PCI, you can look at this info sheet on reporting violations

crovers
14

I'll assume "Government" == "US" since it's NOS.

> Is there a government agency where I can file a complaint?

Not really. The government has started to get involved in large breaches, but they don't deal with small things. PCI requirements, which govern the protections merchants must apply around handling card data, are consent-based non-governmental restrictions. You can't get arrested for violating PCI because it's not a law.

You could certainly try to complain to consumer protection agencies, which counts as complaining, but it won't do much.

You could file a lawsuit. It will almost certainly cost you more than you can expect to gain, win or lose.

> I believe my credit card is now compromised and I am going to cancel it and get it reissued.

When you do so, make it clear that the reason you're doing so is the unencrypted transmission of plaintext card data by the merchant. There are fines for PCI non-compliance, and the only chance of them kicking in is if there's a breach or if a significant pattern of complaints arises. (That said, for a towing company, the chances of complaints rising to a level that would trigger fines are near zero.)

If you can figure out who they are, and can figure out how to complain to them, you can complain to the merchant's credit card processor. The same caveats apply about nobody listening to onesie-twosie complaints; only patterns of widespread misbehavior are likely to trigger a response.

> I don't believe this company has a clue about the risk they are placing their company in.

Well, they aren't really. The system only punishes egregious failures, not line-item non-compliance. Small merchants are effectively on the honor system, and aren't subjected to an impartial audit. It's not fair, but neither is life.

To be honest, it's likely that the most effective response you could have would be to approach the merchant, tell them that sending a PAN (card number) via unencrypted email is not allowed by their credit card processing agreement, and ask them to modify their systems to mask all but the last 4 digits. If you do so in a polite and non-aggressive manner, they might even do it. (If you approach them in a negative or rebuking manner, you should expect nothing to change except their willingness to tow you the next time you break down).

gowenfawr
  • 5
    Credit card issuers typically have an online form where you can report noncompliance. This includes things like a minimum transaction amount required to use a card (this is prohibited), and quite likely the situation described here by the OP. – Darren Ringer Jan 27 '17 at 20:53
  • 1
    _"I'll assume "Government" == "US" since it's NOS."_ Why is US the default case? – Lightness Races in Orbit Jan 28 '17 at 17:19
  • 8
    @LightnessRacesinOrbit because most Americans never feel the need to specify; the rest of the world is generally better about it. If it's possible to do so, I'm recognizing the popular bias but not suggesting any legitimacy to it. – gowenfawr Jan 29 '17 at 03:37
  • @gowenfawr: To be fair, the US has a complicated mess of jurisdictional issues between the feds and the states (and the counties, and in some cases the municipalities), so specifying which jurisdiction you actually want is more complicated than in some countries (and if you say "the American government," people yell at you that the US is not America, and then assume you're talking about the feds). There are other federal republics, of course, but Americans are particularly lazy. – Kevin Jan 29 '17 at 06:59
  • You could file a lawsuit? For what? You haven't suffered any damages, and if someone had stolen your card number you wouldn't have been responsible for the charges. It's literally none of your business if they're violating their agreement with the credit card company. I don't see what grounds you have to sue anybody. – user541686 Jan 29 '17 at 11:52
  • @gowenfawr: Okay I can accept that :) – Lightness Races in Orbit Jan 29 '17 at 13:41
  • @Mehrdad you could go to small claims and sue for credit monitoring. You could sue for emotional distress. Filing a lawsuit is easy; filing one that's got a chance to win is harder, and thus my comment that it would be costlier than it's worth. To be clear, it's not an option I was recommending or validating. – gowenfawr Jan 29 '17 at 15:12
  • @Kevin everything you say is true. I will point out, however, that the major difference between Federal and State law _on Wiretapping_ is the party-consent argument; Federal is one-party and some states are all-party consent required. But even by that stricter yardstick, workplace monitoring where both the employer and the employee have consented (...via banner) would be permitted. – gowenfawr Jan 29 '17 at 15:14
  • @gowenfawr You're legitimising it every time you pander to it. – Puppy Jan 29 '17 at 17:24
6

Warning: USA-centric answer, the question asks about a government without specifying a jurisdiction :(

Yes, sort of.

If "all credit card info" includes the expiration date or digits of the card number other than the last five, having that on a receipt is a violation of FACTA, which also allows you to sue them yourself.

The FTC website has details.

The most relevant portions:

> According to the federal Fair and Accurate Credit Transaction Act (FACTA), the electronically printed credit and debit card receipts you give your customers must shorten — or truncate — the account information. You may include no more than the last five digits of the card number, and you must delete the card’s expiration date.

and

> Noncompliance could open a company up to an FTC law enforcement action, including civil penalties and injunctive relief. In addition, the law allows consumers to sue businesses that don’t comply and to collect damages and attorney’s fees.

But FACTA only applies to "electronically printed" receipts, and the courts found in Simonoff v. Expedia that this doesn't include e-mail.

However, the Gramm-Leach-Bliley Act also requires that businesses safeguard customers' financial information, and the FTC gives a relevant example:

> Take steps to ensure the secure transmission of customer information. For example:
>
>   • When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit.
>   • If you collect information online directly from customers, make secure transmission automatic. Caution customers against transmitting sensitive data, like account numbers, via email or in response to an unsolicited email or pop-up message.
>   • If you must transmit sensitive data by email over the Internet, be sure to encrypt the data.

It certainly sounds like they aren't being diligent in this area, and there surely would be no problem with filing an FTC complaint.

Ben Voigt
  • Warning, you left out critical information in your question so instead of commenting and asking for clarity, I'll just randomly assume? – Puppy Jan 29 '17 at 17:25
  • 1
    @Puppy: It ultimately doesn't matter that the original poster is in the USA. I am assuming that this Q&A will be read by visitors in the USA with the same question, and a USA-centric answer will help them. Besides, the very first comment on the question told OP that their country matters, why should I leave another identical comment? – Ben Voigt Jan 29 '17 at 21:00
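
The masking gowenfawr's answer suggests (all but the last 4 digits) and the FACTA truncation rule quoted in Ben Voigt's answer, sketched as a filter a merchant could run over a receipt's free-text notes field before the email is sent. This is an added example, not code from any poster or from the towing company's system; `scrub_notes`, `luhn_ok`, the Luhn check used to avoid masking invoice numbers, and the sample note are all assumptions made for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Expiry and security code are only removed when labelled, so that ordinary
# dates (for example the tow date) are left alone.
EXP_RE = re.compile(
    r"\b(exp(?:iry|ires|iration)?\.?(?:\s+date)?)\s*[:=]?\s*"
    r"(?:0[1-9]|1[0-2])\s?[/-]\s?(?:\d{4}|\d{2})(?!\d)", re.I)
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[:=#]?\s*\d{3,4}\b", re.I)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub_notes(text, keep_last=4):
    """Mask card data in a free-text field; return (clean_text, findings)."""
    findings = []

    def mask_pan(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # invoice or phone numbers stay as they are
        findings.append("pan")
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]

    text = PAN_RE.sub(mask_pan, text)
    for label, pattern in (("expiry", EXP_RE), ("cvv", CVV_RE)):
        text, hits = pattern.subn(r"\1 [removed]", text)
        findings.extend([label] * hits)
    return text, findings

# Constructed sample: 4111 1111 1111 1111 is a well-known test number.
SAMPLE = ("Tow from Main St. Visa 4111 1111 1111 1111 exp 04/19 CVV 123. "
          "Invoice 1234567890123 on 01/27.")

if __name__ == "__main__":
    clean, found = scrub_notes(SAMPLE)
    print(clean)
    print(found)
```

A non-empty `findings` list is also a useful signal on its own: it means card data reached a field that was never meant to hold it, which is worth logging and fixing at the point of entry.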