Information Security
pci-dss
Updated Thu, 02 Jun 2022 09:54:19 GMT

Groupon SG is Storing Customers' Credit Card Information


Today I was purchasing a gift from the Singapore Groupon website. Then I realized that all I have to do is simply log in and hit the "submit order" button, because they store my credit card information from my previous purchase.

By credit card information here I mean: credit card number, credit card validity date, and the security number on the back of the card (CVV2), which are more than enough for a thief to empty your bank account (more easily if it's a Debit VISA card).

I'm sure that they've stored my credit card information because I started with a "clean browser" by using Firefox's private browsing. As you can see in the screenshot below, right after I clicked "Buy" on any of the deals, I don't have to enter anything; they have it all. They're even showing the validity date on the screen:

[screenshot]

I somehow kind of know that it's illegal to store customers' credit card information, especially to have it ready to use for the next purchase (so that they don't have to re-enter the information). But I couldn't find it in the MasterCard or VISA agreements.

Is there any official law about this, and where can we report something like this?

If it's really illegal, I would want them to at least be fined for what they've done.

[EDIT]

Here's what they've put on the FAQ page: http://www.groupon.sg/faq

Is Groupon safe?

Extremely. Your credit card number is transmitted by SSL directly to a secure electronic vault. At no time is your credit card information stored on our servers. Nonetheless, this security only applies if you log out of your Groupon account after use! It is your responsibility to keep your Groupon account secure.

The fact is, they store the credit card information, and you're even given the option to register with a Facebook account. One simple click on "connect to FB", and you won't even need to enter any password to charge the credit card.

Even if it's legal, they have shown some carelessness in handling the payment process. They don't provide an appropriate interface to protect our security.

[UPDATE from latest answers] According to some answers on this post below, it turns out that it's legal to store credit card information, only that the website is supposed to follow the security standard from PCI-DSS. But it seems like there's no one who is responsible for ensuring that every website is following the standard?

Not sure if this only happens on Groupon Singapore or all Groupons around the world.

https://stackoverflow.com/questions/8425707/groupon-sg-is-storing-customers-credit-card-information




Solution

I have emailed the VISA AIS team, and here is their reply:

Thank you for reaching out to Visa AIS Team. With the information provided, we are unable to confirm if Groupon stores sensitive card information. The asterisk may not represent the actual CVV2 and your card account number is also masked. If you have any concerns regarding your credit card account, kindly contact your issuing bank to file an official complaint. Thank you.

Best Regards,

AIS Team

============================

I guess there's really nothing we can do then. However, I will manage to close my account on Groupon.

Thank you Greg for sharing your experience.





Comments (2)

  • +0 – If you are worried then remove your information after each purchase. This is what I do in the case of Amazon and other online retail stores like Walmart, Sears, etc. — Dec 08, 2011 at 17:43
  • +0 – But there is no selection to "remove information" on Groupon. — Dec 09, 2011 at 02:46