Bike24.de asking for photo of my credit card

ryanincontrol
ryanincontrol Posts: 73
edited July 2012 in MTB general
Just wondering if anyone had the same experience before with a German bike shop asking for a photo of your credit card for verification purposes?
This is my second transaction with Bike24; the first one went through smoothly, but for some reason they need confirmation for this one although I used the same credit card.
I'd rather avoid sending a photo as much as possible but if it's safe to do I might consider it.
I've attached a copy of their email to me:

Dear Mr. *****,

we thank you for your order at Bike24.

Due to requirements of our credit card acquirer we need to ask you for an image of your credit card.
Your name has to be visible. You may black out parts of the number, but please ensure that at least 4 digits remain visible.
For your and our safety we have to verify that the card is actually yours in order to prevent credit card fraud.

As an alternative you can also pay by cash in advance.

Order number for questions: **********


Sincerely yours,

Alexandra Müller
Bike24 GmbH

Enderstraße 92a
01277 Dresden
Germany
Padyak rider

Comments

  • ilovedirt
    ilovedirt Posts: 5,798
    Well this is just me, and I don't know much about these things, but I'd probably tell them to bugger off...
    Production Privee Shan

    B'Twin Triban 5
  • ddraver
    ddraver Posts: 26,661
    Dunno, I've not seen this before either, but from my experience in NL, the Europeans seem to be more strict and more inquisitive when it comes to general card security. My Debit card will only work in NL and very few places accept credit cards apart from national chains or large/luxury good shops. I have to use a card reader to log in to internet banking every time and then again every time I make a payment, even if it's between my own accounts. They have a lot of problems with phishing and skimming it seems, more so than in the UK.

    That said, if you black out the numbers, they can't use it for nefarious purposes...
    We're in danger of confusing passion with incompetence
    - @ddraver
  • cooldad
    cooldad Posts: 32,599
    But if you went into a shop, you'd give them your whole card with no qualms?
    I don't do smileys.

    There is no secret ingredient - Kung Fu Panda

    London Calling on Facebook

    Parktools
  • ilovedirt
    ilovedirt Posts: 5,798
    cooldad wrote:
    But if you went into a shop, you'd give them your whole card with no qualms?
    Good point, I guess I'm just a bit over-cautious when it comes to giving people details over the internet, especially after I got done for £500...
    Production Privee Shan

    B'Twin Triban 5
  • benpinnick
    benpinnick Posts: 4,148
    Seems reasonable to me - a fairly simple way to stop certain card fraud - I suspect they've had a lot of attempted fraud recently so are extra wary.
    A Flock of Birds
    + some other bikes.
  • spongtastic
    spongtastic Posts: 2,651
    Easy way to find out if it's a requirement of their acquirer is to look on the website to see who handles payments and phone them.
    Visit Clacton during the School holidays - it's like a never ending freak show.

    Who are you calling inbred?
  • Stevo_666
    Stevo_666 Posts: 60,651
    If they are OK with you blacking out the first 12 digits of the long number then there's no real security issue even if someone else did intercept the email.
    "I spent most of my money on birds, booze and fast cars: the rest of it I just squandered." [George Best]
  • mrmonkfinger
    mrmonkfinger Posts: 1,452
    It's quite normal for larger sums, IME, although what info they gain from this I'm not sure.
  • Stu Coops
    Stu Coops Posts: 426
    This is quite common with small companies in Germany apparently, a mate of mine buys a lot of gear and is asked regularly for CC image.
    Zesty 514 Scott Scale 20 GT Expert HalfwayupMTB
  • benpinnick
    benpinnick Posts: 4,148
    Stu Coops wrote:
    This is quite common with small companies in Germany apparently, a mate of mine buys a lot of gear and is asked regularly for CC image.

    In Germany the %age of purchases on cards is tiny by comparison to here - they do most stuff by wire transfer. It's a good way to validate (albeit not 100%) that the person making the order actually has a card to match, rather than a spreadsheet full of stolen card numbers.
    A Flock of Birds
    + some other bikes.
  • craigw99
    craigw99 Posts: 224
    +1 for above - black out at least 4 numbers and it's no different to an order confirmation
    opinions are worth exactly what you pay for them ;-)
    2012 boardman team F/S tarting has begun..
    1992 cannondale m1000 still going just
  • Plyphon
    Plyphon Posts: 433
    I had to do this when ordering bike bits from the USA once.

    I wasn't suspicious as I've known the store owner personally for many, many years - it's just part of US regulation there regarding overseas sales etc.

    No idea if it's the same for Germany, just saying it's not unheard of.

    Thankfully, these days most places I buy from overseas use PayPal - much, much simpler.
  • mrmonkfinger
    mrmonkfinger Posts: 1,452
    Plyphon wrote:
    these days most places I buy from overseas use PayPal - much, much simpler.

    brave... credit cards offer guarantees, paypal doesn't
  • Plyphon
    Plyphon Posts: 433
    Plyphon wrote:
    these days most places I buy from overseas use PayPal - much, much simpler.

    brave... credit cards offer guarantees, paypal doesn't


    PayPal offers a lot of security on purchases (for example, PayPal's terms state you are not responsible for unauthorized payments from your account), and has a great dispute process, combined with the fact PayPal is a separate organisation to my bank from which I can cancel the direct debit too and stop payments if something goes wrong - I feel safe.

    But then again I'm not buying AK47's and landmines on the black market - just Wellgo MG1s from Chain Reaction Cycles.

    Of course there are still dangers with PayPal - as there are with credit cards - but there are procedures in place to get your money back if something goes wrong (just like there is with a credit card.)

    Either way you face risks - the biggest security you have when buying online is common sense and research. If something looks too good to be true - it 99% of the time is.
  • I sent them an email why this is the case and the reply was:

    Dear Mr. *****

    Unfortunately some orders are automatically tested. You ordered twice within a
    short period of time. That's why our credit card acquirer needs to see an image
    of your credit card. Your name has to be visible. You may black out parts of
    the number, but please ensure that at least 4 digits remain visible.

    As an alternative you can also pay by cash in advance.

    Best Regards,

    Alexandra Müller
    Bike24 - Service Team
    Padyak rider
  • Thank you for all the replies. Since this is something not unheard of I think I'll give it a go.
    Will report back if I have any problems.
    Padyak rider
  • mcnultycop
    mcnultycop Posts: 2,143
    cooldad wrote:
    But if you went into a shop, you'd give them your whole card with no qualms?

    I wouldn't. I'd put it into the chip and pin machine then take it out myself.
  • cooldad
    cooldad Posts: 32,599
    Maybe I'm just older and remember the days you actually signed stuff.
    I don't do smileys.

    There is no secret ingredient - Kung Fu Panda

    London Calling on Facebook

    Parktools
  • cloudynights
    cloudynights Posts: 351
    I come from times when the only payment was by good old cash
    anthem x with many upgrades
  • MDobs
    MDobs Posts: 167
    and I remember the days you had to walk to the next village and barter your cow for a handful of beans...
  • diy
    diy Posts: 6,473
    Pretty odd this since it would probably breach the PCI-DSS requirements that the merchant is required to adhere to. It's not law or anything, but taking a copy of the card is likely to breach the PCI-DSS. The issue is of course that this photocopy could be stored insecurely and re-used fraudulently.

    Perhaps put text over the image relating to the transaction reference so that it couldn't be re-used for other purposes. Or write to them telling about PCI-DSS https://www.pcisecuritystandards.org/se ... standards/ and the fines merchants can get for breach.
  • Anonymous
    Anonymous Posts: 79,667
    Worst security on cards is USA. Just swipe the card and that's it. No signature, no PIN. Can get a lot of petrol with a stolen card! ;). Even used a cash machine that didn't ask for a PIN!

    Wherever a signature is used there it's never checked.

    Have been asked to fax(!) an entire copy of the card to an American company before.
  • MountainMonster
    MountainMonster Posts: 7,423
    diy wrote:
    Pretty odd this since it would probably breach the PCI-DSS requirements that the merchant is required to adhere to. It's not law or anything, but taking a copy of the card is likely to breach the PCI-DSS. The issue is of course that this photocopy could be stored insecurely and re-used fraudulently.

    Perhaps put text over the image relating to the transaction reference so that it couldn't be re-used for other purposes. Or write to them telling about PCI-DSS https://www.pcisecuritystandards.org/se ... standards/ and the fines merchants can get for breach.

    Surely though, if you block out the important information such as the majority of the card number, and the expiry date, there is no breach?

    I have had this in Austria a few times, as nobody uses credit cards for inland purchases, so it can be very hard to determine if fraud is happening simply due to the minimal amount of use cards get online there.
  • lhoward1976
    lhoward1976 Posts: 29
    Wot diy said.

    DSS covers "sensitive data" or whatever the term is... which is not just the card number and expiry date - It includes your name on the card. The acquirer is also bound by PCI-DSS.

    The "check you've really got the card" thing is precisely what the CVV code on the back of the card is for. If they've got that, and assuming they've also done the address check to make sure your billing address is the same as the address you've given them, why would they need a pic of your card?

    I'd suspect it's somebody in the chain that doesn't know how to do things properly, or has chosen not to do things properly. I'd be VERY surprised if it's the acquirer asking for this.
  • Anonymous
    Anonymous Posts: 79,667
    Do the yanks even have the CVV thing? They have such crap security I can see why they ask for a photo of the card. Of course you could just have a stolen card.

    Talking of card security... Amazon. Number and expiry date. That's it. Really never confident about them storing my card details. Had a card hit before through Amazon, and was a card I never used. Someone just had enough details to buy loads of things with it on there without the card.
  • lhoward1976
    lhoward1976 Posts: 29
    I *think* PCI-DSS states the CVV code shouldn't be stored anywhere... if Amazon required CVV details for transactions, they couldn't do the one-click purchasing thing as they can't store it for use during the one-click bit, and they can't ask for it either, otherwise it'd be "one-click and three key-presses" - which is nowhere near as catchy.

    I assume not using CVV makes Amazon liable for any fraudulent purchases through their site (otherwise what incentive would there be for merchants to use it?), they've weighed it up, and have decided that the additional volume of sales they get through the one-click system out-weighs the additional losses from fraudulent transactions.

    All supposition, of course ;-)
  • ddraver
    ddraver Posts: 26,661
    Is PCI-DSS German though? (as in is it a euro or International thang?)
    We're in danger of confusing passion with incompetence
    - @ddraver
  • diy
    diy Posts: 6,473
    Global. It was created by Visa and MasterCard and then Amex jumped on late. It's basically a way for them to off-load fraud liability to merchants if they do not comply with the rules. Version 1 was pretty tough, but they have softened the interpretation along with better trained auditors now. It's been a few years since I had involvement in this stuff, so it may have moved on. Basically you have to encrypt card details and ensure separation of duty for access (one has access to the vault, one to the audit trail and one for admin). The encryption has to be reindexed monthly from memory. Most merchants use a combination of tokens (a hash that is unique to the card number) or masking (e.g. ****4567) and then keep card details in a separate encrypted store.

    The idea being that no admin can download the database with the card details and 3 people have to collude to commit fraud.
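
The masking and token approaches mentioned in the post above, as an added Python example that is not part of the original thread: it keeps only the last four digits for display and derives the lookup token with a keyed HMAC instead of a bare hash, because a plain hash of a 16-digit number can be brute-forced. The key, the function names and the sample card number are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real deployment keeps this in a KMS/HSM, not in code.
TOKEN_KEY = b"demo-key-not-for-production"


def normalise(pan: str) -> str:
    """Strip spaces/dashes and require a plausible length of 12-19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{12,19}", digits):
        raise ValueError("not a plausible card number")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches typos, says nothing about who holds the card."""
    total = 0
    for i, ch in enumerate(reversed(normalise(pan))):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible: int = 4) -> str:
    """Display form: all but the last `visible` digits are starred out."""
    digits = normalise(pan)
    return "*" * (len(digits) - visible) + digits[-visible:]


def tokenise(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed token: same card gives the same token, unusable without the key."""
    return hmac.new(key, normalise(pan).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # published test number, not a real card
    print(mask_pan(sample), luhn_valid(sample), tokenise(sample)[:16])
```

Order records would then hold only the masked string and the token, with the full number confined to the separate encrypted store the post describes.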
  • rebel_brown
    rebel_brown Posts: 126
    deadkenny wrote:
    Had a card hit before through Amazon, and was a card I never used. Someone just had enough details to buy loads of things with it on there without the card.

    Same thing happened to my Dad, some thieving little gypo helped themselves to £500 worth of kids toys via Amazon! Luckily enough he managed to get the money back, though.
  • Anonymous
    Anonymous Posts: 79,667
    Been hit a few times now, but card companies have sorted it out no problem every time.