Australia's biggest banks are printing full credit card numbers in clear view on mailed customer statements, in direct violation of credit card security regulations.
Placing card numbers where any mail thief could read them is a fundamental breach of the troubled Payment Card Industry Data Security Standard (PCI DSS), according to industry sources.
The industry standard, drafted by card issuers Visa, MasterCard and American Express and enforced by banks, is a series of security rules to which any business dealing with credit card transactions must adhere.
The standard is a collaborative industry effort to reduce financial fraud by mandating baseline security measures for any credit card transaction. A call centre operator, for example, must destroy a paper note that was used to temporarily jot down a credit card number, while a website that stores transaction information must ensure that data is adequately secured.
Non-compliant large businesses (Tier 1 organisations, which are bound by the strictest rules) face hundreds of thousands of dollars in fines and risk losing their ability to process credit cards. The fines scale with the number of credit card transactions processed.
But St George and the Commonwealth Bank have breached rule 101 of the standard by sending to letterboxes potentially millions of paper statements that show credit card numbers in full.