PCI-DSS compliance is not a requirement for other than level 4 merchants.
Wrong!
http://www.pcicomplianceguide.org/pcifaqs.php#2
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
Unless they are a level 4 merchant, they are not breaking their agreement by requesting a copy of the card - and they may not be even if they are a PCI compliant level 4 merchant, if all they are requesting is a copy of the statement showing the mailing address.
Not true!
...All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.
and
Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
You are entitled to your opinion, but if they are asking for a copy of the statement showing billing address, I do not think that unprofessional or moronic at all.
Apparently it's not just unprofessional and moronic, it might not even be legal:
https://www.privacyrights.org/fs/fs15-mt.htm
What personal information can't a merchant collect when a consumer pays with a credit card? (Song-Beverly Credit Card Act of 1971)
• Merchants cannot request or require that the consumer write any personal information, including address and telephone number, on any form associated with the credit card transaction when the consumer uses a credit card to pay for goods or services.
• In addition, the merchant cannot ask the consumer to provide personal information that the merchant then records.
• Merchants cannot use forms with pre-printed spaces for personal information.
Are there any exceptions?
Yes. A merchant can collect personal information when:
• The credit card is used as a deposit.
• The credit card is used for a cash advance.
• The personal information is needed for something incidental but related to the use of the credit card. An example would be the address to which the purchased product is to be shipped.
• The merchant is required to collect information under a federal law or regulation.
• The merchant is contractually obligated to provide personal identification information in order to complete the credit card transaction.
• The card is used to "pay at the pump" for gasoline, limited to Zip Code information which may be used solely for prevention of fraud, theft, or identity theft.
The idea that sending such would be grossly negligent and rescind a customer's liability protection is bollocks, sorry.
You may think so but the reality is it is indeed plain stupid. That email is completely insecure is a well-known fact, and you really must have spent the last decade or so in a coma to not know that.
In addition, PCI-DSS has very clear requirements when it comes to the handling of CC data, which are violated by Tequipment's procedures.
It comes across to me that you feel that companies who do not do business in a manner you agree with somehow deserve to be ridiculed as stupid morons and run out of town.
No, but I think that companies who demonstrate such a huge contempt for the security of their customers and ignorance about even the most basic rules of information security should be named and shamed so that anyone who thinks about dealing with them knows what to expect.
I disagree. I think everyone ought to be free to buy from them or not. I also disagree that it protects them from nothing. Most crime is crime of opportunity. Most credit card fraud comes from people who had the card in their possession (like a petrol station attendant or a server at a restaurant). That card information gets copied and used - often online. In most cases, the thief does not have the billing address, and likely would not know what the statement was supposed to look like. Furthermore, if pressed to provide such, most thieves will move on to an easier target rather than attempt to keep the scam alive.
You're a bit stuck in the 90's I fear. FYI: a lot of stolen CC data comes from phishing or break-ins into inadequately secured systems (one of the more noteworthy of recently was the Sony PSN hack). That means that criminals get most of the data they need, including birth date and full address details.
If Tequipment wants to protect themselves against fraud then they could just ask their payment provider to check if the transaction is genuine. This would trigger a request to the customer's CC provider to contact their customer and verify the transaction. Simple, efficient, and effective. I would guess most customers wouldn't mind waiting a few days instead of having to give up sensitive data over insecure email.
In addition, and aside from the fact that photos of a CC and a scan of a statement prove nothing except the merchant's incompetence, I question the claimed need for international orders because Tequipment apparently thinks that CC fraud is much more likely abroad. It isn't. In fact:
US is main source of EU credit card fraud - Europol
http://www.bbc.co.uk/news/world-europe-20945810
The report can be found here:
https://www.europol.europa.eu/sites/default/.../1public_full_20_sept.pdf
In fact, it seems US CC fraud rates are at similar levels as other Strongholds of Highly Secure Banking like Mexico, and even worse than China!
http://www.forbes.com/sites/halahtouryalai/2012/10/22/countries-with-the-most-card-fraud-u-s-and-mexico/
When sellers like Tequipment do stupid things like asking customers to provide all their details over insecure plain text email, this is not really surprising, is it?
It also comes across to me as quite arrogant for us to imagine that all of these large companies who enact such measures are simply too stupid to think it through and understand that it does nothing to protect them.
Yeah, well, that's the thing: none of the large US companies do shit like that, they know that they are much more likely to be defrauded in the US than from their international customers, they take PCI-DSS seriously, and know how to use the wide range of legitimate fraud protection measures that are available to merchants.
It's just some of the small shops that think they could get away with an amateurish and laissez-faire approach to trading, that laws and regulations don't apply to them and who don't understand that they have to adapt to their customers and not vice versa.
Going back to the restaurant analogy - I don't feel the need to go to local restaurants I don't like and tell them I will not be dining there.
Yes, but again you miss the point that we're not discussing this on Tequipment premises. This is not Tequipment's forum, they are not the landlord here.
Interesting that people always categorize Americans (second time this thread). Especially so considering the quantity of misinformation being tossed about in the thread, and the link from a prior poster illustrating that a Dutch company was doing exactly the same thing. There goes that theory!
You mean as Tequipment and you suggest that non-American buyers are much more likely to be fraudsters than Americans (which apparently is wrong anyways, as we've seen!)? Let's talk about categorizing again, shall we?
But at the end of the day, I highlight American companies for the simple reason that I only have seen such dodgy methods with US sellers. Don't get me wrong, I'm pretty sure there are enough black sheep in other countries as well, but in this thread we are talking about the dodgy methods of a certain US reseller (Tequipment). I'm sure should any non-American seller act similarly that we'll see a similar thread about them.