Warehouse online sending CVV number in confirmation email

Forums › Off topic › Warehouse online sending CVV number in confirmation email

isaacmercer

6 posts

Wannabe Geek

#295866 30-Apr-2022 16:27

Just ordered something from warehouse online and got my confirmation email just before.

I was shocked to find the first 6 and last 2 digits of my card, plus the full expiry date and the full CVV number just printed in plain text at the bottom. Considering most other stores send only the last 4 (if anything) it'd be pretty easy to work out the whole card from this email.

Surely this is insanely bad practice... Thoughts...

1 | 2

16820 posts

Uber Geek

Lifetime subscriber

#2908674 30-Apr-2022 16:33

Surely this is insanely bad practice

It is. It probably breaks your card company's processing terms too. Is the warehouse or the market & an associated retailer?

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

isaacmercer

6 posts

Wannabe Geek

#2908794 30-Apr-2022 17:50

gzt: Is the warehouse or the market & an associated retailer?

Just the gol ol' thewarehouse.co.nz

alasta

6657 posts

Uber Geek

Trusted

Subscriber

#2908795 30-Apr-2022 17:53

Report it to Visa or Mastercard. The Warehouse Group seems to be quite dysfunctional, and this is the only way they'll learn.

xpd

Geek @ Coastguard NZ
13657 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2908802 30-Apr-2022 18:44

Recent order I placed with Warehouse didnt have all that info...

First few digits, last 2, name and expiry and that was it.

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree - kiwiblast.co.nz - Lego and more

Support Kiwi music! The People Black Smoke Trigger Like A Storm Devilskin

NZ GEEKS Discord______________________________

Linux

11164 posts

Uber Geek

Trusted

Lifetime subscriber

#2908806 30-Apr-2022 19:02

Should only need to be last 4 digits of card used

neb

11294 posts

Uber Geek

Trusted

Lifetime subscriber

#2908814 30-Apr-2022 19:52

alasta:
Report it to Visa or Mastercard. The Warehouse Group seems to be quite dysfunctional, and this is the only way they'll learn.

The issue has been passed on to the appropriate folks at the Warehouse.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#2909541 3-May-2022 01:37

Incidentally, the first six digits are called the BIN, and all they identify is the issuer and card type (i.e. that it's an ASB Visa Debit or Westpac Business Mastercard for example). Those first few characters aren't really a secret because anyone who sees the card can instantly guess what they are just based on the branding - even without seeing the number. Having the first six and last two still means there are eight missing digits, which is too many to calculate given that technically you only have seven of the digits (the last digit is a checksum). Including the CVV is an unforgivable violation of PCI-DSS though.

0x994c1d

5 posts

Wannabe Geek

#2909595 3-May-2022 10:37

Hey man,

Is this from an online order? or the email they send you after you make your order?

MikeAqua

7767 posts

Uber Geek

#2909618 3-May-2022 12:03

*makes note to self not to online shop at The Warehouse.

Mike

isaacmercer

6 posts

Wannabe Geek

#2909669 3-May-2022 14:38

Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

Cancelled my card because the numbers are now, by the looks of it, circulating among quite a few people at TWG working on this issue - hopefully will hear something a bit more concrete back soon.

Nate001

625 posts

Ultimate Geek

#2909671 3-May-2022 14:44

xpd:

Recent order I placed with Warehouse didnt have all that info...

First few digits, last 2, name and expiry and that was it.

What is the point of including this in the confirmation email? Seems unnecessary unless I'm missing something.

Detruire

1755 posts

Uber Geek

#2909678 3-May-2022 15:14

isaacmercer: Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

My TW confirmation emails show (partial) number/name/expiry, so I think it's more likely that the CVV was in both fields. While an incorrect CVV leads to a failed payment, an incorrect name doesn't seem to matter (in most cases) IME: I usually put my initials in the name field, and I've only had a few payments denied (seemingly) because of this.

rm *

Inphinity

2780 posts

Uber Geek

#2909688 3-May-2022 15:38

isaacmercer: Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

Cancelled my card because the numbers are now, by the looks of it, circulating among quite a few people at TWG working on this issue - hopefully will hear something a bit more concrete back soon.

For reference, storing the CVV in any form after authorization is a breach of PCI DSS compliance requirements.

freitasm

BDFL - Memuneh
78924 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2909745 3-May-2022 16:15

isaacmercer: Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

They should not store the CVV anyway. If you have a screenshot showing they have the CVV in their database, report to your credit card company ASAP.

My technology disclosure

richms

27898 posts

Uber Geek

Trusted

Lifetime subscriber

#2909754 3-May-2022 16:40

Now the card is cancelled can you put what the email looked like? I havent seen it on any I have had, but TBH I dont trust them so have used zip on all my recent orders since they got rid of paypal.

Richard rich.ms

1 | 2