13

I'm writing this post as I'm facing a personal, ethical dilemma and I would like feedback on the best way to approach this situation, particularly from a philosophical point of view.

I work for a small business. I'm part-time, doing "grunt" work type stuff while I pay for college. I worked in this particular field before on a much larger scale, so this is pretty easy stuff for me. While I'm certainly not lazy, and I do my job, I'm also not the "super loyal company man" that I have been for other full-time jobs. I guess I feel more detached from this job than I have from other jobs in the past.

Anyway, we have employees who must take orders from customers and we use a paper-based system. We also happen to take these orders over the phone and occasionally the customer pays with a credit card. The credit card number and expiration date are written on the back of the paper "ticket".

I also know for a fact that these tickets are passed between 3-6 people, leave the premises and, at least on one occasion, get thrown in the garbage. Not shredded and thrown in the garbage, just thrown in the garbage.

Knowing the very rudimentary basics of PCI compliance I see this as a huge legal and financial bomb waiting to explode.

Not only this, but personally I just don't feel this is right. Customers are entrusting us with this information, and anybody willing to take a dumpster diving trip to the local dump can potentially find a thief's treasure trove of credit card data. This is highly unsettling.

Obviously, I'm going to be talking to my employer about this. But, this is where the ethical problems come into play.

I don't feel that I'll be able to persuade the owner why they should change this practice or that the cost is worth it. The owner is rather lackadaisical when it comes to things, in my opinion, and would simply brush off the possibility of something happening with this information as highly unlikely.

How far should I take this without being unreasonable while still being ethical?

Is simply informing the owner of the complete and utter lack of regard for customer data safety enough? Even though deep down in my gut I don't think it is? Even though deep down I want to scream at some compliance regulatory body to come fix this debacle?

I'm torn between not wanting to harm the owner's business while at the same time ensuring that the current policy towards credit card data is discontinued.

In short:

Is it more unethical to be the whistleblower, possibly doing great harm to this business, or stand-by and do nothing?

Reid
    Not really about philosophy. I might bring this up on Programmers, or perhaps IT Security, as you are more likely to get a specific constructive response. (This site is about arguments and ideas, not business or legal advice.) –  Jul 24 '11 at 15:50
  • PCI-DSS says that any credit card data leaks that are caused by a non-compliant company can incur huge fines. Ethically speaking, this is not a safe system for the customers' personal data even though it is handwritten. – jer.salamon Jul 24 '11 at 23:57
  • 2
    Sorry for the unproductive comment, but thank you for caring enough about this to act upon it! – tomeduarte Jul 25 '11 at 00:49
  • I have had similar situations in the past. In my experience, depending if you can find actual legal grounds, you have to make the decision to either notify your management or notify a governing body. One or the other. If you attempt to do both, you're throwing anonymity out the window and could potentially cause yourself issues with future employment. – Ormis Jul 25 '11 at 18:43

3 Answers

10

If your compliance or regulatory body is perceived as PCI, you are incorrect. They make the rules and guidelines, but in this situation it is your company's acquiring bank (the bank that issued your merchant number and processes your payments).

What is the volume of cardholder data that is being taken off premises or thrown away without shredding? From your description it seems rather low. What level (how many transactions per year) is your company? They will be subject to at least an SAQ (self-assessment questionnaire), where the owner is signing his name to abide by the rules of PCI (this is of course if your acquiring bank is actually doing anything about PCI and requiring this of your company).

The best thing in my opinion is to make the problem easy to fix. After all, it sounds like a purely procedural / operational problem. If you offer a solution instead of a problem, my guess is that you could get a lot further, not only in solving the problem (assuming you are looking to solve it) but perhaps also in earning some kudos from your boss (if you care about that).

A cross-cut shredder is about $50. I'm sure you could find a locking cabinet on craigslist or second-hand for $10-20 to store hardcopy cardholder data until it is shredded. It would take about 20 minutes to draft a policy for employees not to take cardholder data off premises and to only discard cardholder data in said locking cabinet. The 6+ people seeing the data is not in violation of PCI if they have a need / are authorized to see it.

If you really want to solve the problem, provide a cost-effective solution to your boss along with your concerns.

eficker
  • Kudos on reinforcing bringing your employer solutions instead of problems. (+1) But I will say that if you only spend 20 minutes to draft a policy, you're not creating an effective policy. – Ormis Jul 25 '11 at 18:35
  • 20 minutes on a full internal security policy, no. But a document that simply states how to handle cardholder data in printed form could be achieved. It may take longer to create a mechanism for distribution and for employee accountability, but a lot of the time just making people aware how to handle sensitive data is a big step in the right direction. – eficker Jul 26 '11 at 15:19
5

Disclaimer: I am not qualified to offer legal advice. If you need legal advice please consult with an appropriate practitioner.

I don't know what country or legal jurisdiction you are in, but there may be required reporting laws, i.e., if you are aware of illegal or unethical activity (which this may or may not be), you may be legally required to report it.

Ethically you need to bring this activity to the attention of someone who will attempt to rectify it. The customers are placing their trust in this company and their trust is being betrayed. From a utilitarian viewpoint it sounds as if many more customers are being harmed than there are employees being careless.

Unless reporting is required by law, I think it is fair to bring it up to a manager within the company before referring to compliance or regulatory authority. You may be right in your prediction about management response, but you may also be wrong, which is why it is fair to give them an opportunity to correct the problem.

The biggest problem I see is potential backlash against you if you notify your management, they do nothing, and then you refer the problem to a compliance or regulatory authority. If you are not concerned with potential backlash then I would proceed by notifying your management. If you are concerned about potential backlash then you may want to think about bypassing your management and going directly to the compliance or regulatory authorities.

this.josh
1

Usually in these situations the people who make the business decisions get into the rut of "Nothing bad will ever happen to me." or "Who would want to target this small company, when there are big fish out there?" It's honestly and truly a business decision.

If this owner is this aloof, I would almost think you guys have a bigger problem with employees putting those slips into their pockets instead of the trash since there is no accountability.

This is obviously a very tricky line you must walk, if you are feeling uneasy about where you are working because of what they are doing ethically. The best thing is probably for you to look for another job. The problem is that, while you are right, you also have no credibility. How would you view it if someone who works for you on a part-time/limited basis came to you and told you that your business processes are wrong? Granted, it's probably easier in a smaller company than a larger one, but it's most likely shooting in the breeze. If you get an exit interview, be sure you let them respectfully know the "why."

It is not going to change until someone with greater power than your owner tells them it's got to change.

M15K