London Midland PCI Compliance


WillPS

Established Member
Joined
18 Nov 2008
Messages
2,387
Location
Sheffield
On 25/7 I bought some tickets from Rugeley Town (unmanned).

The machine went through all the motions of printing tickets but did not actually spit anything out (I checked carefully).

I used the Information Point where I was given a number to call to sort it out.

I phoned the number, who advised me to email in with a copy of the transaction on my card statement.

I emailed a redacted screenshot of my Amex app, with only the last 4 digits from my card number.

LM emailed back saying they'd need me to reply with my *full* card number.

Obviously I have just instructed Amex to dispute the transaction and I've got my money back now, but is there somewhere I can report this pretty basic PCI compliance failure to?
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
5,382
Location
Merseyside
You could phone London Midland and give them your full Amex card number over the phone, if you quote your LM case reference number. I understand you may not want to release that information to them by email.

However, Amex resolve disputes slightly differently to Visa and Mastercard. Amex often resolve the matter over the phone on the spot and then take it up with the retailer concerned as a back office matter. I would personally call Amex and explain that you did not get what you paid for (the tickets) and that you have tried to resolve it with the retailer but it has, thus far, been to no avail. You will most likely find that the advisor you speak to will be able to resolve the matter on the spot by crediting the amount concerned back onto your Amex card.
 

WillPS

Established Member
Joined
18 Nov 2008
Messages
2,387
Location
Sheffield
gray1404 said:
You could phone London Midland and give them your full Amex card number over the phone, if you quote your LM case reference number. I understand you may not want to release that information to them by email.

However, Amex resolve disputes slightly differently to Visa and Mastercard. Amex often resolve the matter over the phone on the spot and then take it up with the retailer concerned as a back office matter. I would personally call Amex and explain that you did not get what you paid for (the tickets) and that you have tried to resolve it with the retailer but it has, thus far, been to no avail. You will most likely find that the advisor you speak to will be able to resolve the matter on the spot by crediting the amount concerned back onto your Amex card.

Which is exactly what I did and what happened.

I am concerned that LM are asking for such details and I'd like to escalate it.
 

319321

Member
Joined
9 Jun 2015
Messages
318
In a recent Subject Access Request that I made to a Train Operating Company, they specifically acknowledged that they had my card details on file but couldn't provide them to me:
TOC Response To A Subject Access Request Where Debit/Credit Card Information Was Held said:
We are unable to receive from our sub-processors and provide your credit card details to you in a PCI DSS compliant format, so these have been omitted. This is for your own security and protection.

I'm just posting this so the OP knows that TOCs should be aware of PCI compliance issues, and at least one TOC seems to abide by it.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
5,382
Location
Merseyside
I had a similar situation when I was due some compensation for a delay with the Isle of Man Steam Packet Company. They requested my card number to do the refund...even though I booked with them.

What rules exactly are being broken here?
 

rs101

Member
Joined
13 Aug 2013
Messages
225
gray1404 said:
I had a similar situation when I was due some compensation for a delay with the Isle of Man Steam Packet Company. They requested my card number to do the refund...even though I booked with them.

What rules exactly are being broken here?

Straightforward breach of PCI compliance, think it's rule 4.2 - credit card numbers must never be sent via insecure methods such as email.
 

AlterEgo

Veteran Member
Joined
30 Dec 2008
Messages
13,491
Location
No longer here
rs101 said:
Straightforward breach of PCI compliance, think it's rule 4.2 - credit card numbers must never be sent via insecure methods such as email.

Is the phone deemed secure?

How else would you be able to give them your full number?
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
24,761
Location
Scotland
rs101 said:
Straightforward breach of PCI compliance, think it's rule 4.2 - credit card numbers must never be sent via insecure methods such as email.
That's an interesting one. I know they would be in breach if they sent the email, but are they in breach if the customer sends it? Agreed it is odd to request it via email.
 

WillPS

Established Member
Joined
18 Nov 2008
Messages
2,387
Location
Sheffield
Can they do a refund without the full number?
Yes, they should have a secure record of all transactions and can look any of them up and either void or refund it without the card, up to a set point (which is weeks/months, not a few days).

It's fair to ask for the last 4 digits as a way of verifying they have the correct transaction.

AlterEgo said:
Is the phone deemed secure?

How else would you be able to give them your full number?
Yes, a standard voice call is considered a secure method of transmission for the purposes of PCI compliance.
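An added example, not from the thread, illustrating the "rule 4.2" point made earlier and the "last 4 digits" point above: a small Python check a refund desk could run over inbound or outbound email text to flag an unmasked card number (Luhn-validated to cut false positives from order and case references) and reduce it to the last four digits, which is all that is needed to confirm the right transaction. The regex, the function names and the sample messages are my own constructions; the card number used is a widely published test number, not a real account.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits. The pattern is an assumption for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the full card numbers (digits only) present in text, Luhn-checked.

    A last-four reference such as 'ending 0005' never matches: too few digits.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each detected card number with a masked form that keeps only the last four."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # not a card number; leave order/reference numbers alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample messages (test card number, not a real account).
SAFE_MESSAGE = "Ticket machine at Rugeley Town took payment; Amex ending 0005, case ref LM-12345."
UNSAFE_MESSAGE = "As requested, my full card number is 3782 822463 10005, expiry 12/25."

if __name__ == "__main__":
    for msg in (SAFE_MESSAGE, UNSAFE_MESSAGE):
        print("FLAG" if find_pans(msg) else "ok  ", mask_pans(msg))
```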
 

IanXC

Emeritus Moderator
Joined
18 Dec 2009
Messages
6,006
I'm not certain in the case of Amex, but certainly in terms of the Visa and MasterCard schemes, any complaint by a consumer about the actions/behaviour of a merchant has to be undertaken via the card issuer, who provides a form. FWIW I've never managed to establish the name of the form, let alone obtain one.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
24,761
Location
Scotland
What is PCI?
Payment Card Industry Data Security Standard (PCI DSS) - a set of guidelines/rules that organisations which process payment card (debit/credit) data are required to adhere to.

Failure to meet the standards (which are audited by Visa/Mastercard/etc.) can result in the organisation being prohibited from taking payments.
 
Joined
21 May 2014
Messages
484
WillPS said:
Yes, a standard voice call is considered a secure method of transmission for the purposes of PCI compliance.

Only so long as the call (or the portion of the call containing the card number) is not recorded. Many companies who record whole calls for `quality and training purposes` fall foul of this. It's quite a complex problem to solve.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
24,761
Location
Scotland
Only so long as the call (or the portion of the call containing the card number) is not recorded. Many companies who record whole calls for `quality and training purposes` fall foul of this. It's quite a complex problem to solve.
As long as there are policies and processes that prevent unauthorised access to the recordings then they should be fine. Of course, proving that those policies and processes actually work is a different matter entirely.
 

Haywain

Established Member
Joined
3 Feb 2013
Messages
6,309
Proving it might be another matter, but businesses do get audited on their compliance with PCI DSS requirements, and probably penalised for failures.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
24,761
Location
Scotland
Haywain said:
Proving it might be another matter, but businesses do get audited on their compliance with PCI DSS requirements, and probably penalised for failures.
I don't think the payment card companies can actually impose penalties, but stopping the organisation from taking payments might be penalty enough.
 

EssexGonzo

Member
Joined
9 May 2012
Messages
620
najaB said:
I don't think the payment card companies can actually impose penalties, but stopping the organisation from taking payments might be penalty enough.

They can via the jointly owned company. I've just started working for an organisation with real problems in this area - my job is to fix them.

And I have full visibility of the potential sanctions which include financial penalties.

The OP should go to the TOC concerned first and ask them some detailed questions. Depending on what they say, then escalation is possible. Based on what I've read, there's not an automatic breach here.
 

island

Veteran Member
Joined
30 Dec 2010
Messages
12,585
Location
0036
The OP mentions an Amex, so the standard will be DSOP not PCI-DSS.
 