
A large and reputable online store shows the credit card details of the customer in full on the order confirmation and receipt page (after payment has been processed).

This is the first time I have seen this occur on any online store, as usually it is just the first 6 and last 4 digits from the credit card that are shown as part of the order confirmation.

Surely, this is not PCI compliant and puts customers at risk? But what general methods could an attacker use to exploit this and thus compromise/steal the customers' credit card details?

It seems like a pretty significant flaw in their website and payment system...

2 Answers


It is not PCI compliant (emphasis added):

Never store the personal identification number (PIN) or PIN Block. Be sure to mask PAN whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed. This requirement does not apply to those authorized with a specific need to see the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt.

Two threats come to mind:

John Wu

No really, showing the PAN to the customer -- who already knows what it is -- is not a breach of PCI DSS. It is quite unnecessary and bad practice, but it doesn't increase the number of people that had access to the PAN (the card number is known to the customer that just entered it) and it doesn't bring any more components into PCI DSS scope (because everything that is used to display the PAN was just used to accept it) and the customer's PC/browser is not in the merchant's scope.

However, it probably breaks individual card scheme rules which typically say "customer receipts must only show a maximum of the first six and last four digits of the PAN" - and this was to stop customer receipts being thrown away in the trash and picked up by dumpster diving.

So bad programming, bad UX because it is unnecessary to show something to someone who already knows it (given the transaction was successful there's no need for the customer to see the card number entered) and a breach of Visa/MCW/Amex rules. Not a breach of PCI DSS - the customer's browser isn't included in the merchant's scope.

withoutfire
  • Client browser can certainly be in scope, so that claim is too sweeping to be true. How do you reconcile the direct citation from the PCI-DSS in the other answer where it is required to mask the PAN? – schroeder May 18 '17 at 08:25
  • A couple of reasons: 1. The standard dictionary meaning of _personnel_ (as in "only personnel with a legitimate business need") is 'people employed in an organization' - the intent is clearly people employed by the merchant. 2. Because PCI DSS doesn't apply to what the merchant shows to the cardholder who already knows the PAN (for example see the note on 3.3) - that's a card scheme rule thing. If I were the QSA then I'd strongly advise it was bad practice, unnecessary and would cause conversations like this -- but I wouldn't deem it non-compliant with DSS. – withoutfire May 24 '17 at 13:26
  • My reading of 3.3 backs up the claim that the PAN needs to be masked, even for the cardholder – schroeder May 24 '17 at 13:32