Credit card security isn't a laughing matter these days. It's certainly not difficult to find people who have had their credit cards compromised and fraudulent transactions charged to their account. Typically this has been a result of physical card security being compromised by a card skimmer attached to an ATM (numerous instances in Auckland), a compromised EFTPOS terminal recording card details (a major burger retailer in Queen St, Auckland), or staff with access to credit card records copying numbers down for their own use (a foreign call centre for a major telco). Banks have complex systems monitoring transactions in real time and will often detect card fraud and put a hold on your card well before you're even aware there could be an issue. While card fraud normally doesn't leave the card holder out of pocket due to the liability limits banks have in their terms and conditions, having to get a new card can be a real pain if you have automatic payments such as bills set up on it.
Having had my card compromised while in Australia in the middle of 2012 and then spending an entire afternoon dealing with the consequences while trying to enjoy a relaxing long weekend away means I have zero tolerance to anybody in the industry dealing with credit cards who isn't willing to comply with industry guidelines. As far as I'm concerned you deserve to be named and shamed if you're accepting credit cards and failing to comply with industry guidelines.
The Payment Card Industry (PCI) Security Standards Council is responsible for creating data security standards for cardholder data. Known as the PCI Data Security Standard (DSS), this document covers the requirements and security assessment procedures that should be used in the banking and payments industry to ensure that card security remains a top priority. It's common to refer to being "PCI compliant" when your systems are compliant with this standard.
It's therefore surprising to see a large business like Wellington Airport failing to comply with the PCI standards governing credit card security, and more so that this lack of security has now existed for several years in their car park ticketing machines.
Despite what some may think, a credit card number, or Primary Account Number (PAN) as it's technically known, isn't just sixteen random numbers. Each card issuer has a unique Bank Identification Number (BIN) which comprises the first six digits of the card. The next nine digits are the account number, and the last digit is a check digit calculated using the MOD 10 algorithm, otherwise known as the Luhn algorithm, from the prior fifteen digits. This algorithm isn't complex, and it's easy to calculate this check digit with a piece of paper and a pen.
PCI DSS requirement 3.3 covers the storage and use of PAN numbers:
3.3 Obtain and examine written policies and examine displays of PAN (for example, on screen, on paper receipts) to verify that primary account numbers (PANs) are masked when displaying cardholder data, except for those with a legitimate business need to see full PAN.
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
As you can see, the PCI DSS requirement is that the first six and last four digits are the only digits that should be displayed on a receipt. Why? Because displaying any more than this leaves your card number open to being compromised.
The first six digits are unique to your bank, so displaying these poses no real security risk. The last digit is a check digit, and the three digits before it are only 1/3 of your account number. Using a MOD 10 calculator to work out the remaining six digits still leaves a vast number of possibilities, so many in fact that it poses no great security risk.
Wellington Airport receipts display the last six digits of the PAN, as pictured below (I've crossed two out so you can't see them). This leaves only four digits that need to be generated, and literally leaves only a handful of possibilities for the card number. For all intents and purposes you may as well be displaying the full PAN, as a card can be compromised with access to the first six digits and the last six digits of the PAN.
A Wellington Airport parking receipt by itself isn't going to let somebody exploit your credit card, as it only displays the last six digits of the PAN. Combined with another receipt from a PCI compliant terminal or retailer, however, your card number can be compromised. Considering many people throw receipts away together, it's entirely possible that somebody could gain access to two receipts which would enable them to reconstruct your credit card number.
So a small tip from me - if you use your credit card at Wellington Airport be careful what you do with your receipt. It could be the most expensive car park you ever use!
Update 05/01/2012:
Fellow Geekzone moderator Nate spent some time whipping up some code using the MOD 10 algorithm to generate possible card combinations. By entering an incomplete credit card number with X's to signify the masking, all possible full PAN numbers are displayed. These could then easily be submitted automatically to a payment gateway to establish the valid number. If PCI compliant PAN masking of six digits is followed, the 100000 possible combinations make this a virtually impossible task. With non PCI compliant PAN masking such as that used by Wellington Airport this could be done in a matter of minutes with access to appropriate payment gateways.
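The arithmetic behind the post, as an added example (not Nate's code and not anything from the original post): a Luhn check, PCI-style masking, a check that a receipt display stays within the requirement 3.3 limit, and the number of PANs consistent with a given masking. The 16-digit sample PAN is a constructed test number.

```python
from itertools import product

# Constructed Luhn-valid test number used only to exercise the functions.
SAMPLE_PAN = "4111111111111111"


def luhn_checksum(digits: str) -> int:
    """Luhn weighted sum mod 10, treating the right-most digit as the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_checksum(pan) == 0


def luhn_check_digit(first15: str) -> int:
    """The pen-and-paper step: the digit that completes the first fifteen."""
    return (10 - luhn_checksum(first15 + "0")) % 10


def mask_pan(pan: str, lead: int, trail: int) -> str:
    """Show `lead` leading and `trail` trailing digits, X out the rest."""
    return pan[:lead] + "X" * (len(pan) - lead - trail) + pan[len(pan) - trail:]


def pci_masked(display: str) -> bool:
    """True if no digit outside the first six / last four is visible (PCI DSS 3.3)."""
    n = len(display)
    return all(ch == "X" or i < 6 or i >= n - 4 for i, ch in enumerate(display))


def candidate_count(display: str) -> int:
    """Number of Luhn-valid PANs that fit a masked display.

    Each Luhn position maps digits 0-9 one-to-one, so once all but one masked
    digit are chosen exactly one value of the last satisfies the checksum:
    10 ** (masked - 1).  Six masked digits -> 100000, four -> 1000.
    """
    k = display.count("X")
    return 1 if k == 0 else 10 ** (k - 1)


def brute_force_count(display: str) -> int:
    """Cross-check candidate_count by trying every completion (small masks only)."""
    slots = [i for i, ch in enumerate(display) if ch == "X"]
    chars, valid = list(display), 0
    for fill in product("0123456789", repeat=len(slots)):
        for i, d in zip(slots, fill):
            chars[i] = d
        valid += luhn_valid("".join(chars))
    return valid
```

The count shows what a compliant receipt (first six + last four) leaves open versus what a compliant receipt combined with a last-six receipt leaves open.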