Australia's biggest banks are posting credit card numbers in clear view on mailed customer statements in a direct violation of credit card security regulations.
(Credit: Darren Pauli/ZDNet Australia)
Placing numbers where any mail thief could grab them is a fundamental breach of the troubled Payment Card Industry Card Data Security Standard (PCI DSS), according to sources in the industry.
The industry standard, drafted by card issuers Visa, MasterCard and American Express and enforced by banks, is a series of security rules to which any business dealing with credit card transactions must adhere.
The standard is a collaborative industry effort to reduce financial fraud by mandating baseline security measures that essentially must accompany any credit card transaction. A call centre operator, for example, would be required to destroy a paper note if it was used to temporarily jot down a credit card number, while a website that stores transaction information must ensure it is adequately secure.
Non-compliant large businesses — or Tier 1 organisations bound by strict rules — face hundreds of thousands of dollars in fines, and risk losing their ability to process credit cards. The fines scale according to the number of credit card transactions processed.
But St George and the Commonwealth Bank have breached rule 101 of the standard by sending out potentially millions of paper statements to letterboxes that clearly detail credit card numbers in full.
The credit card numbers are listed as an account reference, and match that shown on cards number-for-number.
The breach has been known to card issuers for years, but they have failed to push the banks to change their practice.
Sources within the issuers working with PCI DSS compliance say they want the banks to truncate, or scramble, the numbers but they have since received a cold response.
Commonwealth Bank said that it was considering this as an overall security issue, but internal and external assessments led it to believe that it was compliant with the PCI DSS standard.
St George had not responded at the time of writing.
ANZ Bank has truncated the last four digits of its account numbers detailed on paper statements so they do not match Visa and MasterCard credit cards.
The bank said it made the change in 2001 during a "large investment" to improve credit card security. Its customers use a single account number for all credit card dealings with the bank.
These PCI DSS requirements are breached by putting numbers on statements. (Screenshot by Darren Pauli/ZDNet Australia)
IP Payments director Mark Lewis said the banks were hypocritical by allegedly ignoring the PCI DSS breach while enforcing the regulations on merchants.
"The banks have been beating their drum that everyone should be PCI [DSS] compliant when the standard came into effect. It is hypocritical," Lewis said. His company offers PCI DSS compliance services, which includes means to truncate credit card numbers as they appear on printed statements.
"The systems are so old that changing those numbers would be a nightmare. At the end of the day, these systems are 30 years old, much older than PCI [DSS], and the banks are struggling to keep them compliant." Yet he didn't think banks could rest on that excuse.
While the paper statements omit credit card expiry dates or Card Security Value numbers, the former can be simply guessed or ascertained through social engineering, according to PCI DSS experts.
Since credit cards expire inside of four years, a fraudster can use a process of elimination to determine the date. They need only enter the number associated with each month over that period into a website until one works.
"It is potentially a huge risk," Lewis said. "The volume of numbers going out if someone was to cotton on to it would make it an ideal target." He said a criminal would attempt to intercept the statements, by exploiting potential vulnerabilities in the production and distribution process.
Only some online and telephone-based payment systems require the Card Security Value number located on the back of credit cards. This cannot be guessed but could be acquired from banks by masquerading as a victim using their identity credentials lifted from the statement and internet websites.
Sense of Security chief operating officer Murray GoldSchmidt said the banks are dealing with more risky fraud vulnerabilities.
"Some 72 per cent of fraud is card-not-present, or online fraud, — the amount of fraud through other means, is smaller and could be at a level.
"Online databases of credit cards are clearly an easy way for criminals to extract large amounts of data in the time it would take to steal a few [paper] statements."
A source at another card issuer agreed that the standard was focused on "frying bigger fish", although they did say that putting the numbers on statements was a clear breach of standard requirements.
Industry has struggled to adhere to the standard since its introduction some five years ago, even after the November 2010 deadline meant non-compliance would bring financial penalties. Banks have allegedly been absorbing penalties, a practice Lewis expects will continue into the near future.