asked by an online store to take a photo of my debit card

System

texranger wrote: »

email is not a secure medium, so i would never send anything like this via standard email.

But all the photo will show is the last 4 digits of her card. Even if it fell into the wrong hands I can't see it being an issue!

Nilrem

goater78 wrote: »

But all the photo will show is the last 4 digits of her card. Even if it fell into the wrong hands I can't see it being an issue!

Exactly.

The picture just needs the card with the last 4 digits and the name showing.

You can't do anything with that information, all it does is provide confirmation that
A: You have a card
B: It matches on two details that are very unlikely to match on random cards, with the information you've already provided the company via a more secure means.

It's an extremely common practice for a lot of stores based in the U.S. Canada and Australia when they ship outside of their own country, it's done because in general data protection acts mean that whilst say
Smith And Co in London can check your card number matches your name and home address with your card company. Jones and Co in NY can't, they can only confirm the card number and possibly expiry dates are valid.
The additional check lets them do a confirmation themselves.

The Likes of Amazon can get around it because they can afford to open an office in London and when needed do the check for their US store through that.

Some companies also like a copy of your driving licence or similar, as additional validation.
To date I've had to do it multiple times on different sites, and never had a problem.

The only thing the op needs to be sure are, is that they need to use a solid colour in paint or whatever their preferred image manipulation programme is to fully obscure the other digits (a simple block and solid fill in paint, with black works well and can't be undone if the image is then saved as something like a jpg).

Basically the information being presented in this manner is safe enough you could publish it in the Sun and unless you've got a very unusual name, and have a small card provider no one could do much if anything with it.

pogofish

visidigi wrote: »

its not dodgy = it sounds like them taking one more additional step to avoid fraud - I had to do this when ordering from the US - it seems to be a common process over there.

I think it is dodgy and so did my bank's security people when a company asked for this a while back.

IIRC, their response was along the lines of - "You have provided ample information for them to verify any transaction internationally and I can see no legitimate reason for them to require this extra info. However, I can see several potentially fraudulent applications!"

So I told the firm to put-up or shut-up and the order was processed, paid and the goods delivered with no problems but I won't be using that firm again.

baza52

pogofish wrote: »

I think it is dodgy and so did my bank's security people when a company asked for this a while back.

IIRC, their response was along the lines of - "You have provided ample information for them to verify any transaction internationally and I can see no legitimate reason for them to require this extra info. However, I can see several potentially fraudulent applications!"

So I told the firm to put-up or shut-up and the order was processed, paid and the goods delivered with no problems but I won't be using that firm again.

So you and the bank thought it was dodgy, yet the goods were delivered and the contract concluded. How does this prove your point?

Nilrem

pogofish wrote: »

I think it is dodgy and so did my bank's security people when a company asked for this a while back.

IIRC, their response was along the lines of - "You have provided ample information for them to verify any transaction internationally and I can see no legitimate reason for them to require this extra info. However, I can see several potentially fraudulent applications!"

So I told the firm to put-up or shut-up and the order was processed, paid and the goods delivered with no problems but I won't be using that firm again.

Actually IIRC (and this is from the CEO of a large online store has stated online in the past), the CC companies often do NOT give out certain information to "overseas" retailers.
They'll "ok" a card number and expiry date, but if you ship to something other than the card holders address (which some card companies will not let the retailer check!), and you can't show that you've taken the necessary precautions to check manually, the retailer is out of pocket if there is any question.
Even things like VBV and Securecode don't help, as from what I can tell they aren't commonly used outside the UK (in much the same say not everywhere even in the US uses chip and pin yet*)...

So you're probably fairly lucky the retailer shipped it to you, if their normal policy is to require verification for foreign customers.

It's not particularly different to the way that many UK retailers will flat out refuse to ship to anywhere other than the CC billing address on the first order, as although they have all the information required to do the order, but they don't have enough to reduce their liabilities as far as the merchant services company is concerned (and that's even after a UK company might have had you go through VBV or Securecode).
Hence a UK company might simply refuse to ship to anywhere other than the cardholders address, which they've got the ability to match with the card issuers details possibly automatically, whilst a US company might not have access to that address data automatically, and thus require some other way to verify that you've actually got the card in front of you.

It's actually quite, oddly interesting how differences in the data protection laws, card processing systems, and retailer liabilities can affect how orders are processed.

Given that a few years ago** I had my card number used by someone at some company I'd never heard of, and who processed it with just the card number and a partial name (no expiry, no cvv, no address), I actually like the idea that companies may take steps above and beyond the absolute minimum required to process payments.



*And even CVV numbers aren't always used in all systems.

**IIRC it was gotten from a leak at a petrol station.

visidigi

pogofish wrote: »

I think it is dodgy and so did my bank's security people when a company asked for this a while back.

IIRC, their response was along the lines of - "You have provided ample information for them to verify any transaction internationally and I can see no legitimate reason for them to require this extra info. However, I can see several potentially fraudulent applications!"

So I told the firm to put-up or shut-up and the order was processed, paid and the goods delivered with no problems but I won't be using that firm again.

Sorry but that is absolute rubbish.

And as for the bank agreeing with you, these are the same people who outsource all their admin to cheap labour in india who sell the numbers on in the first place! :rotfl:

The idea behind the process is to prove you are not buying with a bunch of numbers which you bought of some guy who works in an indian call center for the company you bank with

arcon5

pogofish wrote: »

I think it is dodgy and so did my bank's security people when a company asked for this a while back.

IIRC, their response was along the lines of - "You have provided ample information for them to verify any transaction internationally and I can see no legitimate reason for them to require this extra info. However, I can see several potentially fraudulent applications!"

So I told the firm to put-up or shut-up and the order was processed, paid and the goods delivered with no problems but I won't be using that firm again.

Spoof emails are a HUUUUGE scam these days... trying to obtain bank details, card details, personal information, account login ect ect. Not just spoof, but malware suchas key loggers.

The fraudsters will then use the details they have obtained to make purchases, by time the CC company have been notified of fraud then the goods have been shipped and the company at a loss.

Sending a photo/scan of the card proves the person is in possession of the card, so reduces risk SIGNIFICANTLY.

The advise given above is tosh and you should ignore it.

Now if they was asking for a scan/photo of back and front then you may have cause for concern, but the fact they asked for the front side with several blocks edited out is of no security risk -- unless you can guess correctly 12 digits

fluffnutter

texranger wrote: »

email is not a secure medium, so i would never send anything like this via standard email.

Not that I disagree but pretty much every transfer mechanism has insecurities, not just email.

scoped1

if it is a US site, the ones that have done this to me do it for the first time you use that card - once they have validated it with the photo etc they then clear that card for future use - so its actually only after you put the order through that it goes for verification and gets bypass if its been authorised before.

It's a site based from china called hobbyking.com

But all the photo will show is the last 4 digits of her card. Even if it fell into the wrong hands I can't see it being an issue!

i'm a guy!

They took my cvv number too, so isn't that what's usually used to prove you have the card in your possession?

anyway, i was just wondering is 4-6 weeks a normal amount of time to wait for a refund?

scoped

visidigi

its not China, its Hong Kong - and CVV was designed to help fraud but it became pretty much useless as soon as every retailer and his dog asked for it.

The only way to confirm you own or have the card is a photo.

My US store asked for it and driving license with address on - I had no problem sharing either (with non relevent information blurred of course).