It was reported that Fortnum and Mason’s had a Payment Card Industry Data Security Standard (PCI DSS) issue resulting from an employee asking a customer to email their credit card details so that a dispute could be resolved.
“We have now fully investigated the claim that a customer was asked for their credit card details via email and we can confirm that
“We apologise for causing concern for this genuine, human error, done with best intentions to aid the customer. It is against our procedures and we have taken action to ensure that this will not occur again.”
Fortnum & Mason said in a statement
Human error, whether it comes from trying to help a customer or from trying to finish on time, is often the weakest link in the security chain.
Had the credit card details actually been emailed, or a phone call containing them been recorded, the impact on the organisation's compliance posture could be huge, because every system that handles the data, and every system connected to those, falls into the scope of PCI DSS.
For example, the email could pull many systems into the scope of PCI DSS that were previously out of scope:
- the customer service person's desktop, which may be storing emails locally
- the email server
- the email back-ups and any other back-up systems, if the data is shared across tapes/drives/SANs/etc.
- the CRM solution, if the email system is integrated with it, e.g. salesforce.com
Education and technology can reduce the chances of this happening but it requires constant management and monitoring.
An older post of mine contains a lot of advice for organisations that wish to address the non-IT issues facing organisations that operate a call centre or deal with customers over the phone for orders or disputes.
The post “Call Centre Security and PCI Compliance” is here.