Ever wondered what the safest way to have a customer e-mail credit card data to you is? There isn’t one. In fact, asking a customer to transmit credit card information to you via e-mail can land you in very big trouble with the credit card companies. Like $500,000 big.
I am floored at how common the practice still is among booksellers of asking a customer to e-mail their credit card information to them. And doubly so at the number of poor folks who readily do so!
This is really, really bad. It’s tantamount to handing a diamond thief the keys to a jewelry store. Actually, scratch that. It’s tantamount to handing your run-of-the-mill juvenile delinquent the keys to your jewelry store, because the basic fact is that it takes almost zero know-how to rip off credit cards out of e-mails.
What about breaking it in two parts, you say? Absolutely not. Four parts? Eight? Never. If they can already grab the e-mail as it goes by, do you really think it’s a challenge for them to grab a few e-mails in a row?
Folks, seriously, don’t ask for and don’t send credit card data by e-mail. You are likely compromising yourself and the other party. Identity theft and credit card fraud aren’t fun to go through when you’re a victim.
Still not convinced? You’ve probably heard of this little thing called PCI/DSS. It’s the credit card industry’s attempt to reduce fraud and tighten cardholder security. It’s actually not a little thing. It’s a huge thing with very serious, strict requirements, and very serious penalties for non-compliance. And they don’t like it when merchants have customers e-mail credit card numbers.
And, when you break their PCI/DSS rules, you can be liable for fines up to $500,000 and permanent, personal revocation of your card processing privileges. Meaning you will never again be able to own a business that processes credit cards.
If you’re not familiar with PCI/DSS yet, there are a lot of requirements which you need to be aware of. While you’re familiarizing yourself with those, though, if you’re in the habit of asking customers to e-mail credit card numbers, immediately stopping that practice would be a good first step towards compliance.