SCA To End Emailing of Credit Card Numbers

The SCA will soon stop asking local event organizers to pay for venue insurance certificates by sending their personal credit card number to the corporate office via email, as it had been doing for the last two decades.

Instead, event organizers will be asked to process those credit card payments on the new membership portal operated by NeonOne, as hinted when the new higher costs for certificates were announced in April.

This change will be well received by Internet security enthusiasts among the membership, who have complained for many years about the practice of sending credit card numbers by email.

My correspondence with Society officers is attached below.

[Update, June 23:] True to their word, the new insurance-ordering instructions have been posted and no longer invite people to send credit card information by email. Hopefully the online ordering process will soon become the default.


From: Mathghamhain Ua Ruadháin
To: Society IT Manager
Cc: Society VP Corporate Operations
Date: June 14, 2023

Hello,

I am writing to report an Internet security issue.

It appears that the Corporate Office has a practice of encouraging people to send credit card numbers via email.

This was done earlier this year when the member portal was down.
https://www.sca.org/news/membership-portal-delay-manual-processing-available/

And it continues to be done for ordering insurance certificates.
https://www.sca.org/news/revised-insurance-ordering-instructions/
https://www.sca.org/wp-content/uploads/2019/12/insurancecert.pdf

In the case of insurance certificates, this has apparently been standard practice for at least a decade.

My understanding is that this issue has previously been reported by other members, repeatedly and over the course of many years, but that the Society has continued the practice regardless.

While it’s possible to reduce the risk of sending credit card information by email, it takes some effort, and I suspect that most people don’t carry through — so lots of Scadians have plain-text credit card numbers sitting in their “sent mail” folder months or years later, meaning that if their email account is ever hacked the attacker will gain access to those numbers retroactively — not to mention that some members are still using less-secure email services which are vulnerable to interception of messages in transit.

It would be reassuring to know that the SCA has taken suitable steps on their end to protect credit card numbers which were previously transmitted — for example, have these messages been expunged from online email archives, and is two-factor authentication required for all accounts which have access to that mail stream?

Aside from the interests of the individual members, even occasional transmission of credit card numbers via unencrypted email is a clear violation of requirement 4.2 of the credit card industry’s PCI DSS standard. 
https://www.pcidssguide.com/pci-dss-requirement-4/

It’s very likely that the SCA has repeatedly filled out annual PCI DSS SAQ questionnaires that required it to certify that it did not ever engage in this practice. Ongoing DSS violations are grounds for costly fines from the card issuers, which start at $5,000 per calendar month and escalate every 90 days to reach $50,000 per month — and if the SCA has filed incorrect SAQs, those fines can be assessed retroactively. 
https://www.pcidssguide.com/what-are-the-pci-compliance-fines-and-penalties/

Even if the card processors chose not to impose those penalties on a not-for-profit, such violations can lead to suspension of an organization’s ability to process credit card transactions in any form, which would do major damage to the Society’s interests.

It appears that the new member portal now supports ordering insurance certificates online, and we can hope that Neon has done a decent job of securing that system, so the handling of credit card numbers by email no longer serves any real purpose and it should be possible to discontinue it immediately.
https://sca.app.neoncrm.com/np/clients/sca/giftstore.jsp?actionType=search&categoryIds=11

Please keep me informed as to the Society’s progress in addressing this issue — thanks!

In service to the dream,

— Mathghamhain Ua Ruadháin
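The letter above asks whether card numbers previously received by email have been expunged from mail archives. As an added example (not code from the post or from the Society's systems), the following scan is the kind of check a mail administrator could run over archived message bodies to locate Luhn-valid card numbers for removal; the mailbox contents are constructed test data using published industry test card numbers.

```python
import re

# Constructed sample mailbox: the kind of "sent mail" the letter describes,
# using well-known test card numbers rather than real ones.
SAMPLE_MESSAGES = [
    "Subject: Insurance certificate request\n"
    "Please charge the $50 fee to my card 4111 1111 1111 1111, exp 04/26.",
    "Subject: Event report\n"
    "Attendance was 123, gate income 4567.89, order ref 1234-5678-9012-3456.",
    "Subject: Re: portal outage\n"
    "Card is 5500-0000-0000-0004, thanks.",
]

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check-digit validation, which every card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return digit strings in text that look like card numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # The Luhn test discards digit runs that merely look like a PAN.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep only the last four digits, the usual display form under PCI DSS."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_mailbox(messages):
    """Return (message index, masked PAN) for each hit, never the full PAN."""
    return [(i, mask(p)) for i, body in enumerate(messages) for p in find_pans(body)]
```

The order reference in the second message is sixteen digits but fails the Luhn check, so only the two genuine card numbers are reported.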


From: Mathghamhain Ua Ruadháin
To: Society IT Manager
Cc: Society VP Corporate Operations, Society Webminister, Board Ombudsman for IT
Date: June 21, 2023

Hello again,

It’s now been a week since I reported an internet security issue through the communications channel I was encouraged to use for this purpose, and I haven’t received any reply at all.

Can I at least get a one-sentence email acknowledging that my message was received?

Are there mitigating factors that I might not be aware of that make this issue less problematic than it seems?

Do you have any preferences regarding public disclosure that I should be aware of?

In service,

— Mathghamhain


From: Society IT Manager
To: Mathghamhain Ua Ruadháin
Cc: Society VP Corporate Operations, Society Webminister, Board Ombudsman for IT
Date: June 21, 2023

My apologies. It was received and immediately passed along upstream. Per the people in charge of this area, this was a practice that was temporarily implemented during the membership portal downtime, but it has now been discontinued. There are still some forms out there that mention this method (i.e. the insurance forms, which still also have the wrong costs on them). We are working on getting those forms updated. We do still sometimes receive credit card information and similar information unsolicited. There are ongoing internal discussions on how to discourage this.

Thank you for bringing this to our attention.


From: Mathghamhain Ua Ruadháin
To: Society IT Manager
Cc: Society VP Corporate Operations, Society Webminister, Board Ombudsman for IT
Date: June 21, 2023

> […] it has now been discontinued. There are still some forms out there that mention this method (i.e. the insurance forms, which still also have the wrong costs on them). We are working on getting those forms updated.

Okay, that’s excellent — thank you for letting me know! 

A number of people have recently expressed concern about this issue in conversations online, and they will be reassured to know that the issue is finally being resolved. 

> We do still sometimes receive credit card information and similar information unsolicited. There are ongoing internal discussions on how to discourage this.

Hopefully this will become less frequent after the new insurance certificate ordering instructions are posted to the website.

Thank you again for following up with this information — I know you folks are busy over there, and I really appreciate you taking the time to let me know that my message had been received.

In service to the dream,

— Mathghamhain


From: Society IT Manager
To: Mathghamhain Ua Ruadháin
Cc: Society VP Corporate Operations, Society Webminister, Board Ombudsman for IT
Date: June 22, 2023

I wanted to let you know the new form went up today, though there is a caching issue we are still addressing.


From: Mathghamhain Ua Ruadháin
To: Society IT Manager
Cc: Society VP Corporate Operations, Society Webminister, Board Ombudsman for IT
Date: June 23, 2023

That’s excellent — thank you for the work you and the entire team there put in to making this all possible — I know it is not easy, but I really appreciate it.

— Mathghamhain
