Two nights ago someone logged into my Shop NHL account and purchased a $500 gift certificate using the credit card that was on file with my account. The gift card was being sent not to my email address, but to email@example.com. I found out about this because Shop NHL.com sent me an email at 11:45 PM last night informing me that they were processing my order.
I wasn’t even aware that my credit card was on file with Shop NHL.com. I’ve only made one purchase from the website, and it was a year ago.
It would seem Shop NHL.com is breaking PCI regulations and retaining the credit card security code. I don’t see how the order could have been processed without the security code, commonly referred to as the CVV2 code. To verify this assumption, I went through the process of adding a second credit card to my Shop NHL.com account, and it prompted me for the security code, as well as other information about the credit card.
Merchants are allowed to collect and store the credit card number as long as they use tokenization instead of the actual card number. They can store the first four digits and the last four digits, but they have to tokenize the remaining numbers. Credit card companies forbid merchants from having access to the full raw credit card number.
Merchants are allowed to collect and store the credit card expiration date.
What retailers are not allowed to do is collect and store the credit card’s security code. If they’re going to include the security code with the transaction, they’re required to have the card holder manually enter it each time. Otherwise, it defeats the intended purpose of the security code. This code only appears printed on the card. It’s not found in the magnetic strip or the chip. It’s only found printed on the card. Merchants can process a credit card without including the security code, they pay a higher rate when doing so. They also severely limit their chargeback protections when they fail to process e-commerce transactions without a CVV2.
I called Capitol One and reported the fraud. They immediately closed the card and told me they would FedEx me a new one. Their investigation will take anywhere from 30 to 90 days to complete. They returned the $500 to my available credit. Capital One is also sending paperwork for me to fill out. What a pain in the ass, all because Shop NHL.com has lousy security.
At the very least, they should have done the following:
- Require the customer to enter their billing street address and zip code on any purchase that involves digital goods. This information can be presented to the issuing bank along with the request for an authorization and checked to ensure it matches what is on file with the bank. Issuing banks will approve or decline transactions independent of the street address and the zip code matching their records or not, but if the approval message shows that the address or zip code did not match, the transaction can and should be voided by the merchant.
- Don’t store the credit card security code. Make the cardholder enter it on every purchase. Take advantage of all available security tools provided to them by the credit card industry. E-commerce and other “card not present” transactions are risky enough, especially for digital goods, without utilizing basic security put in place by the credit card industry.
- Compare the customer’s IP address to the IP address used for prior logins. Make sure the physical location corresponding to the IP address is not significantly different than the billing address on file with the credit card company.
- Don’t send digital gift cards to an email address other than the one on file for the customer. If I want to bestow a digital gift card to someone else, I’ll send them the digital gift card myself.
These are just the things I was able to come up with off the top of my head.
Not only is Shop NHL.com on the hook for this fraudulent purchase, but they’ll also be forced to pay for the fraud investigation.
Until Shop NHL.com gets its act together, I recommend removing any credit card information from your account and changing your login password.