I'm writing this post as I'm facing a personal, ethical dilemma and I would like feedback on the best way to approach this situation, particularly from a philosophical point of view.
I work for a small business. I'm part-time, doing "grunt" work type stuff while I pay for college. I worked in this particular field before on a much larger scale so this is pretty easy stuff for me. While I'm certainly not lazy, and I do my job, I'm also not the "super loyal company man" that I have been for other full-time jobs. I guess I feel more detached from this job than I have from other jobs in the past.
Anyway, we have employees who must take orders from customers and we use a paper-based system. We also happen to take these orders over the phone and occasionally the customer pays with a credit card. The credit card number and expiration date are written on the back of the paper "ticket".
I also know for a fact that these tickets are passed between 3-6 people, leave the premises and, at least on one occasion, get thrown in the garbage. Not shredded and thrown in the garbage, just thrown in the garbage.
Knowing the very rudimentary basics of PCI compliance I see this as a huge legal and financial bomb waiting to explode.
Not only this, but personally I just don't feel this is right. Customers are entrusting us with this information and anybody willing to go take a dumpster diving trip at the local dump can potentially find a thief's treasure trove of credit card data. This is highly unsettling.
Obviously, I'm going to be talking to my employer about this. But, this is where the ethical problems come into play.
I don't feel that I'll be able to persuade the owner why they should change this practice or that the cost is worth it. The owner is rather lackadaisical when it comes to things, in my opinion, and would simply brush off the possibility of something happening with this information as highly unlikely.
How far should I take this without being unreasonable while still being ethical?
Is simply informing the owner of the complete and utter lack of regard for customer data safety enough? Even though deep down in my gut I don't think it is? Even though deep down I want to scream at some compliance regulatory body to come fix this debacle?
I'm torn between not wanting to harm the owner's business while at the same time ensuring that the current policy towards credit card data is discontinued.
In short:
Is it more unethical to be the whistleblower, possibly doing great harm to this business, or to stand by and do nothing?