by dalore 4656 days ago
So say a restaurant wants me to give them my card details to make a reservation but I'm in a crowded place (like on a train). I offer to email the details and they accept. I know it's bad but I would rather email my details than say it loudly over the phone and have everyone hear it. Now did they break PCI? Or not because I was the one who offered to send my details.

How does one send their credit card details securely to a brick and mortar store?

Via email I know it's insecure but if unauthorized charges do appear I can (and will) contest them and get a new card, so really the bank is taking on risk.

5 comments

The credit card is designed for the use case of reading it out over the phone. Part of the reason they aren't free is that credit card usage includes insurance fees against fraud and such. By design, the credit card is designed to be used in an only "mostly secure" manner.

This goes back to the fact that security is not about building impenetrable walls around the thing being secured, and if there's the slightest breach the security is "failed". It's about raising the costs of penetrating the security above the value of penetration. When computers aren't involved [1], it's "hard enough" to gather enough cards to make fraud worthwhile, and even harder to get away with it. (Not impossible... just "hard enough".)

[1]: One of my favorite personal sayings: "To err is human. To fuck up a million times per second, you need a computer." Fraudulently obtaining ten cards by working as a waiter and stealing them over the course of a day is one thing, stealing 25 million in ten seconds from a computer is quite another.

If it can be read over the phone, or written on the outside of mail order catalogs, why is it not ok to send it via email?

Reading it over the phone people around you can hear it, and say you have children who then go on to use it, are you going to call that fraud (and potentially have something brought against your children)?

Because the physical distance your voice can be heard is a much, much smaller pool of people, and it is safe to assume that it generally excludes credit card fraudsters. edit to add: This is also why it is suggested that you wait until you are off the subway to make a purchase over the phone, for example. Who knows who's listening.

Email is available world-wide. Email is not generally secure, and the message is not protected as it is sent on the wire. It is not very difficult for a determined attacker to harvest your email and scan it for common structured data like credit card details. The potential audience here is much, much bigger and is made up of many sharks.

If your kids use your card it is easy to control, you can probably return the purchases and clear up the matter yourself. If a mob in Russia gets your details and starts making fraudulent charges, chances are either Visa or your bank are going to have to just give you the money to cover the fraud with no realistic recourse of recovering it themselves.

"It is not very difficult for a determined attacker to harvest your email and scan it for common structured data like credit card details."

In particular, let me highlight that scan part. The attacker in question is probably not attacking you personally... the hacker is simply spreading a dragnet as wide as possible and running a simple RE over the whole thing. The odds that a hacker is attacking "your" email is low, the odds that your email is part of some dragnet somewhere is non-trivial, in a world of botnets and rampant compromises.

> I can (and will) contest them and get a new card, so really the bank is taking on risk.

No, the company you are purchasing from is taking the risk (hence why they are asking for the additional info). The company that you purchase from is almost always the one who covers the loss in cases of a chargeback caused by CC fraud, not the bank/CC company.

I'm confused. If I give my card to company A, but somehow along the line someone gets the details and uses it to buy something at company B, and there was no way to link it to company A, how is company A having any risk whatsoever?

I believe it's company B, the one who accepted a fraudulent order, that is the one at risk, a company I have no relationship with whatsoever. My only risk is to check if I have charges I didn't make.

Company A to you is company B to someone else. The point is that the risk is not to the bank but to merchants.

For any given transaction the company does not know if they're "company A" and you're a genuine customer, or if they're "company B" being defrauded out of product with stolen details, so all merchants are taking on risk.

Call them before you get onto crowded trains.

The crowded train was an example (but a real life one). It's also demonstrating that they called me (and so I'm unable to pick the place).

I always go directly to the company's website to give information like this. You can't fall for the dancing bunny if you never ever respond through email.

That would require them to have an e-commerce presence. I was wondering how one would give it to a brick and mortar store (meaning one without facilities to accept them online securely).

Telephone call in a secure location.
Why do people care so much about guarding their personal credit card details?

In the US, at least, there is zero liability to the cardholder for fraudulent purchases made without the cardholder's signature, by law. Reporting fraud is fairly easy, and getting a new card after your details have been stolen is free and takes just a few minutes on the phone. You're without your card for a few days while it works its way through the postal system, but that's why you have multiple credit cards.

Companies need to care about this a great deal because they're potentially liable for a lot in case of problems. But individuals have no real reason to care about the secrecy of their own card details. Yet, people are constantly worried about it anyway. Why?