Secure Payments, PCI DSS, Regulatory Compliance Blog

Stolen card or not?

August 8th, 2007 by admin Posted in Credit Card Fraud

Dennis told me about this site where you can enter your credit card number or social security number and it will tell you whether that number has been compromised.

My immediate reaction was that it was a joke, but looking closer it got even stranger. Apparently this site has been featured in several TV spots and in the news, but how does it work, and how does it protect your credit card data?

Well, from the FAQ, they say:

Even under the worst case scenarios, divulging this information alone is highly unlikely to lead to risk of identity theft.

In order for thieves to use a credit card number they must also have some of the following information: billing address, date of expiration, CVV2. In the case of social security numbers, credit fraud is only possible when that number is associated with a combination of the following information: name, address and date of birth.

Say again? Isn’t it the case that PCI focuses specifically on the primary account number (PAN) and sensitive authentication data? The billing address (AVS, the address verification system) is not checked in some parts of the world; the expiration date can be guessed (less easily with the new 10-year cards); and CVV2 is only sometimes requested for card-not-present (CNP) transactions.

So who is checking to see if they are PCI compliant? Here is what they say about how they arrived at their 2-million-entry database:

The information that powers StolenID Search is found online, by looking in places where fraudsters typically trade or store this kind of information. TrustedID abides by all state and federal laws in the collection and provision of this compromised information.

Hmm… this means that the credit card numbers they hold could still be active, in which case they may need a PCI audit. Does this make them a service provider?
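As an added illustration (not part of the original post, and not a description of how TrustedID’s service actually works, which the post does not cover), here is one way a “was my number compromised?” lookup could be built so that the service neither receives nor stores a cleartext PAN: the index holds only SHA-256 digests of the compromised numbers, the client sends just a short prefix of its own digest, and the client does the final match locally. The PREFIX_LEN, the StolenPanIndex and check_card names, and the sample card numbers (published test numbers, constructed here as data) are my assumptions.

```python
"""Privacy-preserving stolen-PAN lookup (added example, hypothetical design).

Assumptions, not taken from the page:
- the server indexes only SHA-256 digests of PANs, never the PANs themselves;
- the client sends only the first PREFIX_LEN hex characters of its digest
  and matches the returned candidates locally (a k-anonymity range query).
"""
import hashlib
from typing import List, Tuple

PREFIX_LEN = 5  # hex chars revealed to the server: 16**5 buckets

# Constructed sample data: widely published test card numbers, not real accounts.
COMPROMISED_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it reaches any index or log."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_digest(pan: str) -> str:
    """One-way hashed index of the PAN (PCI DSS 3.4 lists hashed indexes
    as one way of rendering stored PAN unreadable)."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


class StolenPanIndex:
    """Server side: holds digests only, so no cleartext PAN is ever stored."""

    def __init__(self, pans: List[str]) -> None:
        self.digests = set()
        for pan in pans:
            if not luhn_valid(pan):
                raise ValueError("refusing to index a malformed PAN")
            self.digests.add(pan_digest(pan))

    def range_query(self, prefix: str) -> List[str]:
        """Return the digest suffixes of every entry in the requested bucket.
        The server learns only which bucket the client is interested in."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789abcdef" for c in prefix):
            raise ValueError("bad prefix")
        return sorted(d[PREFIX_LEN:] for d in self.digests if d.startswith(prefix))


def check_card(index: StolenPanIndex, pan: str) -> Tuple[bool, str]:
    """Client side. Returns (compromised?, the only thing the server saw)."""
    pan = pan.replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("not a plausible card number")
    digest = pan_digest(pan)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = index.range_query(prefix)   # full PAN never leaves the client
    return suffix in candidates, prefix


if __name__ == "__main__":
    idx = StolenPanIndex(COMPROMISED_PANS)
    for number in ["4111 1111 1111 1111", "4012888888881881"]:
        hit, seen = check_card(idx, number)
        print(f"{number}: compromised={hit}, server saw prefix {seen!r}")
```

Two caveats a practitioner would raise. First, the PAN space is small (on the order of 10^15 Luhn-valid values per length), so a copy of the digest set can be brute-forced back to card numbers; the index is still sensitive and needs the same access control as any cardholder-data store. Second, the bucket size matters: with roughly two million entries and about a million five-hex-character buckets, each query returns only a couple of candidates, so the service learns almost nothing about the client’s card, but a much shorter prefix would return far more.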

7 Responses to “Stolen card or not?”

By DAG on Aug 9, 2007

    Well, taking it at face value, I would think they should be beholden to the Issuers of the cards they keep. And if they get card numbers from the wild then there is no contractual linkage. Not registered as a third party and not likely to be - unless some issuers investigate. A very interesting way to fly under the radar.

    I wonder if they’ve revisited that statement about state laws since Texas and Minnesota passed PCI laws?

By Michael Dahn on Aug 9, 2007

    Was the proposition in Texas ever passed? I thought it never became law…

By Mark MacAuley on Aug 9, 2007

    The Texas law has been held up in Committee since 5/17 according to their site. & yays, no nays, 2 absent

By Mark Palmer on Aug 29, 2007

    Mark M - You got the HB Committee vote right, but Texas did not pass the law. It died in the committee hearing as the Texas Legislative Session ended May 28, 2007. It was not passed into law. http://www.tlc.state.tx.us/gtli/sessions/dates.html

By Neon on Sep 3, 2007

    When you give away the CVV then your credit card is not safe anymore. Credit card numbers can be purchased in bulk from Indian companies including all security features.

By kilauea on Sep 5, 2007

    What about the stolen card feeds that retailers get? Do they fall under PCI and need encryption etc.? (Given that they are all confirmed stolen and effectively in the public domain.)

By Michael Dahn on Sep 7, 2007

    Look at requirement 6.3.4 for guidance on this one. It specifies that only “live PANs” should be addressed. Be sure you know that the stolen card feeds are not old, such that the PANs are recycled and one day become “live” again.
