BigTimeRestaurants - Website sends customer's credit card data via email
In 2012, I conducted an online transaction with a non-local restaurant to purchase a gift card which they mailed directly to my intended recipient. The issue is that my personal credit card information was transmitted from their so-called “secure” webform to their back-office administrator VIA EMAIL. Not only did the admin openly admit this when I called … but then she sent me via POSTAL MAIL a copy of the “receipt” which was merely a printed copy of that very same email from her inbox which includes the form-names and their values!! To clarify, the printout contains the actual data that is being sent from their website’s “form-to-mail” system for manual processing by the back-office administrator. Instead, the form-data should be securely captured into a database where the administrator would then have a secure web-based interface to view and process that data.
It's sad that companies put their own reputation, as well as their loyal customers' data, at such risk due to negligence, lack of concern and proper handling.
In summary, (1) their webform's data is being transmitted in CLEAR TEXT via email from their website's order-form to their admin’s inbox … and then (2) it’s being printed out and sent to customers via POSTAL mail. Credit card numbers are printed in FULL (no “xx” masked characters).
This sounds a lot like what is discussed in this article: www.dataprivacymonitor.com/payment-card-industry/
The restaurant is BigTimeRestaurants.com of West Palm Beach FL. I feel that they should take every precaution to protect their restaurant chain’s reputation, as well as their end-customers’ financial data. Does anyone at BigTimeRestaurants care that their customers' cardholder data (PII - personally identifiable information) is being handled so recklessly and without application of PCI DSS guidelines?