Warehouse online sending CVV number in confirmation email

Forums › Off topic › Warehouse online sending CVV number in confirmation email

isaacmercer

6 posts

Wannabe Geek
+1 received by user: 7

#295866 30-Apr-2022 16:27

Just ordered something from warehouse online and got my confirmation email just before.

I was shocked to find the first 6 and last 2 digits of my card, plus the full expiry date and the full CVV number just printed in plain text at the bottom. Considering most other stores send only the last 4 (if anything) it'd be pretty easy to work out the whole card from this email.

Surely this is insanely bad practice... Thoughts...

1 | 2

18671 posts

Uber Geek
+1 received by user: 7805

Lifetime subscriber

#2908674 30-Apr-2022 16:33

Surely this is insanely bad practice

It is. It probably breaks your card company's processing terms too. Is the warehouse or the market & an associated retailer?

isaacmercer

6 posts

Wannabe Geek
+1 received by user: 7

#2908794 30-Apr-2022 17:50

gzt: Is the warehouse or the market & an associated retailer?

Just the gol ol' thewarehouse.co.nz

alasta

6888 posts

Uber Geek
+1 received by user: 3362

Trusted

Subscriber

#2908795 30-Apr-2022 17:53

Report it to Visa or Mastercard. The Warehouse Group seems to be quite dysfunctional, and this is the only way they'll learn.

xpd

Geek of Coastguard
14115 posts

Uber Geek
+1 received by user: 4574

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2908802 30-Apr-2022 18:44

Recent order I placed with Warehouse didnt have all that info...

First few digits, last 2, name and expiry and that was it.

XPD / Gavin

LinkTree

Linux

12173 posts

Uber Geek
+1 received by user: 8467

Trusted

Lifetime subscriber

#2908806 30-Apr-2022 19:02

Should only need to be last 4 digits of card used

neb

11294 posts

Uber Geek
+1 received by user: 10018

Trusted

Lifetime subscriber

#2908814 30-Apr-2022 19:52

alasta:
Report it to Visa or Mastercard. The Warehouse Group seems to be quite dysfunctional, and this is the only way they'll learn.

The issue has been passed on to the appropriate folks at the Warehouse.

Geekzone support

Support Geekzone with one-off or recurring donations Donate via PressPatron.

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#2909541 3-May-2022 01:37

Incidentally, the first six digits are called the BIN, and all they identify is the issuer and card type (i.e. that it's an ASB Visa Debit or Westpac Business Mastercard for example). Those first few characters aren't really a secret because anyone who sees the card can instantly guess what they are just based on the branding - even without seeing the number. Having the first six and last two still means there are eight missing digits, which is too many to calculate given that technically you only have seven of the digits (the last digit is a checksum). Including the CVV is an unforgivable violation of PCI-DSS though.

0x994c1d

5 posts

Wannabe Geek
+1 received by user: 3

#2909595 3-May-2022 10:37

Hey man,

Is this from an online order? or the email they send you after you make your order?

MikeAqua

8024 posts

Uber Geek
+1 received by user: 3817

#2909618 3-May-2022 12:03

*makes note to self not to online shop at The Warehouse.

Mike

isaacmercer

6 posts

Wannabe Geek
+1 received by user: 7

#2909669 3-May-2022 14:38

Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

Cancelled my card because the numbers are now, by the looks of it, circulating among quite a few people at TWG working on this issue - hopefully will hear something a bit more concrete back soon.

Nate001

677 posts

Ultimate Geek
+1 received by user: 465

#2909671 3-May-2022 14:44

xpd:

Recent order I placed with Warehouse didnt have all that info...

First few digits, last 2, name and expiry and that was it.

What is the point of including this in the confirmation email? Seems unnecessary unless I'm missing something.

HP

Shop now for HP laptops and other devices (affiliate link).

Detruire

1788 posts

Uber Geek
+1 received by user: 84

#2909678 3-May-2022 15:14

isaacmercer: Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

My TW confirmation emails show (partial) number/name/expiry, so I think it's more likely that the CVV was in both fields. While an incorrect CVV leads to a failed payment, an incorrect name doesn't seem to matter (in most cases) IME: I usually put my initials in the name field, and I've only had a few payments denied (seemingly) because of this.

rm *

Inphinity

2780 posts

Uber Geek
+1 received by user: 1184

#2909688 3-May-2022 15:38

isaacmercer: Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

Cancelled my card because the numbers are now, by the looks of it, circulating among quite a few people at TWG working on this issue - hopefully will hear something a bit more concrete back soon.

For reference, storing the CVV in any form after authorization is a breach of PCI DSS compliance requirements.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41025

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2909745 3-May-2022 16:15

isaacmercer: Just an update on this, heard back from warehouse support over the weekend and they're investigating but they of course said it's not normal to have sent this info out in the order confirmation email. Their response also contained a screenshot of their order system to verify which details they're storing - which also happened to have my CVV in plain text.

Thought it was potentially because my name and CVV were in the wrong way around - but the payment has been made and approved so can't have been.

They should not store the CVV anyway. If you have a screenshot showing they have the CVV in their database, report to your credit card company ASAP.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

richms

29097 posts

Uber Geek
+1 received by user: 10205

Trusted

Lifetime subscriber

#2909754 3-May-2022 16:40

Now the card is cancelled can you put what the email looked like? I havent seen it on any I have had, but TBH I dont trust them so have used zip on all my recent orders since they got rid of paypal.

Richard rich.ms

1 | 2