Fortnum & Mason’s PCI Weakness: Customer Service

Written by Evan Schuman
January 25th, 2012

Historic British retailer Fortnum & Mason—with roots dating back to 1704—is finding that PCI compliance doesn’t end with IT. The chain had to confess last week that a customer service rep was asking customers to E-mail their full credit-card data—including CVV—to process routine refunds.

Clearly, one errant employee is something every chain has (for many, it’s more like several thousand errant employees, but let’s not go there). But this example brings up a too-often overlooked PCI fact: Compliance is an issue for every employee. That means training and quite a few new policies and procedures. Mobile payment, being a disruptive factor, will only make things worse, because it creates many more opportunities for payment-card data to be captured/retained against the rules.

The Fortnum & Mason situation, which—to the best of our knowledge—was first reported by Computerworld UK, started out with what undoubtedly seemed to be a reasonable customer service customer interaction.

The rep understood enough about PCI and payment-card procedures to know that such data cannot be preserved. The problem happened when the rep took the next step.

Fortnum & Mason “does not process direct crediting automatically due to encryption measures.” So far, so good. “I understand you do not want to give out your details, however. We do not keep them on file due to security reasons.” Again, everything is looking good.

The rep then said: “The only way I can refund you is if I do have them. We will instantly destroy your details as soon as you are refunded.” And there we have the double-whammy of PCI boo-boos: The rep understood that such data can’t be stored, but somehow didn’t see how asking for it to be E-mailed would undo that.

Then there’s the card data security coup de grâce: The rep’s belief that the ability exists to “instantly destroy your details as soon as you are refunded.” Setting aside the data backups for both the retailer and the customer, there’s the issue of sending that information across multiple E-mail servers and the Internet in plain text. The rep even acknowledged “encryption measures,” but didn’t see how this request—which the customer had the good sense to refuse—contradicted it.

A Fortnum & Mason spokesperson, Sarah Street, issued a statement that fessed up. The retailer had initially denied that customer service had sought the payment-card data, but it then corrected that statement.

“We have now fully investigated the claim that a customer was asked for their credit card details via E-Mail and we can confirm that an error was inadvertently made in an effort to expedite a refund,” the statement said. “We apologize for causing concern for this genuine human error, done with best intentions to aid the customer. It is against our procedures and we have taken action to ensure that this will not occur again.”

It was a good, contrite statement and fully appropriate.


One Comment | Read Fortnum & Mason’s PCI Weakness: Customer Service

  1. Walt Conway Says:

    This is a great example of “customer service” trumping security. I disagree with one conclusion, however. Based on my experience, this is most definitely not an “isolated problem” as you state. Rather it is something I and QSAs like me run into regularly.

    Part of the cause is a lack of training. As you point out, PCI compliance requires employees be trained not to do things like asking for payment cards over email. That the customer service rep did that is bad enough. Worse is the Fortnum & Mason spokesperson foolishly stating both how important their customers’ security is AND that the company is PCI compliant.

    This situation also has me wondering if they also have a call recording system that captures and stores card data, too. Just for quality purposes, of course…

    It is disappointing that a leading retailer like Fortnum’s would be so casually dismissive of their customers’ security.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.