Diesel Website Wants Color Scan Of Your Credit Card Via Email

I know credit card fraud is rampant, but I’m not sure sending full scans of your card through email is the proper way to fix things.

Here’s the notice a tipster received when he recently tried to place an order through dieselonlinestore.com:

Thanks for shopping at Diesel Online Store.

We confirm your order [...] is currently on hold to allow our Payment Department to conduct the necessary payment verification.

The e-mail you received is part of the anti-fraud procedure used by Diesel Online Store in order to protect its customers from possible fraudulent activities.

To allow us to release your order, please send a colour scanned copy or a picture of the front and back of the card used for the order to payment@dieselonlinestore.com.

We guarantee all the data you send will be destroyed as soon as the payment has been verified, in accordance with our Privacy Policy.

Please reply to payment@dieselonlinestore.com providing the requested information within six days from when the order was placed. If we do not receive any communication from you within this time frame your order will unfortunately have to be cancelled.

We remain at your disposal should you require further assistance.

Comments

  1. KhaiJB says:

    and the simple answer is…

    no.

  2. cmp179 says:

    Isn’t that one of the reasons for requiring card holders to provide that three-digit number on the back of the card? I think the reason they started doing that was to make sure you actually had physical possession of the card. Not that it always works, but requiring a customer to scan the card and send the scan to the company is absolutely ridiculous.

  3. angelmvm says:

    Why destroy it? Shouldn’t they just send it back?

    Yes – I am joking.

  4. cape1232 says:

    Sounds like fraud to me. Is the recipient sure it actually came from them? The recipient should call the company to verify this is a real request from them. And then refuse!

  5. incident man stole my avatar says:

    and how do I send a scan of a virtual card? BofA, yes I know they suck but I wanted a Ravens card, allows me to create a number exclusively for use at one website.

  6. humphrmi says:

    Dear Diesel Online,

    Please provide me with your private PGP keys so that I can encrypt the email containing a picture of my credit card.

    On the other hand, go to hell.

    • Alex says:

      If they’re requesting a scanned copy of a credit card instead of a more secure verification system, they probably don’t know what PGP is.

    • jessjj347 says:

      Why would any company request secure data through email…
      I assume this must be poor policy that the software engineers/programmers/whatever tech people there are have no say in.

  7. Excuse My Ambition Deficit Disorder says:

    This brings up a thought I had the other day…we have gift cards from the credit card companies…why don’t they have virtual gift cards…or…why don’t our banks allow us to generate random card numbers from their websites for our debit cards that can only be used once online…just a thought….

    • DariusC says:

      BOFA does and I used it with a website that wanted me to sign up for a monthly deal… I used a virtual card number and cancelled after I ordered what I needed. If they try to charge me, it will not go through :)

      • Dover says:

        I did this a few weeks ago and another charge did go through even though it was for more than the limit on the virtual card and I had canceled the virtual card. BoA kept bouncing me back and forth between customer service and technical support and nobody knew how to handle it. I called the merchant, they did indeed have the virtual card number, and they agreed to refund the money. I was extremely pissed at BoA for this incident.

    • outoftheblew says:

      Um, many credit/debit do allow you to generate a number to use once on a website.

  8. EcPercy says:

    Call them and tell them thanks, but that they can go ahead and cancel the order… Sounds like a scam. Never heard of any company asking to have a color copy of your card.

  9. dolemite says:

    If I wanted to go through all that hassle, I’d just mail them a check. Defeats half the purpose of credit cards (convenience).

    I expect it doubles or triples the time it would take to receive an item too.

    • Extractor says:

      I used virtual credit cards with Publishers Clearing House until now. They had an offer for TV Guide that doubled the subscription. They weren’t going to get my routing #’s and account #’s from checks so they got a money order. First MO I’ve bought in over 8 years.

  10. Christine says:

    hmmm…. I don’t think so……

  11. backinpgh says:

    Yeah, and how many people are going to intercept that email while it flies through cyberspace from me to them? I don’t think so.

  12. Tim says:

    My first reaction to this is that it’s a scam:

    - A legitimate retailer would NEVER ask you to e-mail something sensitive like this (e-mail isn’t all that secure)
    - A legitimate retailer would probably not ask you to reply either, since hitting “reply” might actually send it to another address
    - Scanning your card … yeah, we’ve been over this already
    - Though dieselonlinestore.com redirects to the Diesel Online Store, the store’s URL is not actually dieselonlinestore.com. I can’t find any e-mail addresses on the site, but there’s a good chance they aren’t “@dieselonlinestore.com”

    Also, it says clearly on the store site: When you e-mail us, please do not include any Credit Card information as it is not safe to transfer your personal information via e-mail.

    Looks like a probable scam. If it’s not a scam, Diesel is still doing some stupid things, and you shouldn’t send the card scans.

  13. vaguelyobscene says:

    I just called the Customer Care on Diesel, and they said yes, if it is your first time ordering, they ask you to do that.

    And officially taking Diesel off a list of companies that is run by intelligent people.

    • BuyerOfGoods3 says:

      Bravo! Initiative! I shall NEVER use Diesel. Ever. (Yes, I am serious. Stupid policies = No vote from my wallet)

      If anyone who works for Diesel is reading this — You should be talking to Marketing right about now.

    • Rectilinear Propagation says:

      Holy shit snacks!

      Hey Diesel! If your company policies resemble phishing attempts then you are doing it wrong.

  14. RaysPizza says:

    Wait… my scanner only makes color copies… total rubbish!

  15. qbubbles says:

    http://www.complaintsboard.com/complaints/diesel-c327609.html this is from 4/02/2010 and it’s basically the same runaround, only it comes directly from the store… since we talked to them. I’d still ask if it’s a scam, though. And let them know how ridiculous their request is.

  16. 24NascarDude says:

    Try sending them a picture with a guy giving them the middle finger. Or, send them a picture of a piece of paper with “credit card” scribbled on it (bonus points if it includes some profanity).

    But, seriously, like the others said, that just reeks of a scam. If it is legit, I would not want to do business with them.

    Also, if you have indeed placed an order with diesel, you may want to run an anti-virus scan on your computer. Someone may have put a trojan on it and detected that you ordered something via diesel, thereby knowing to send you the email.

  17. PhelpsG says:

    Hmm. A quick check of their site reveals $290 faded jeans and $90 t-shirts. Maybe I’m just not hip to current fashion, but it looks like their target audience is either people with more money than sense (and who are happy to scan their credit cards) or people so outraged at the prices that they feel justified in trying to scam Diesel (hence requiring ridiculous anti-scam demands!)

  18. MarkSweat says:

    “We guarantee all the data you send will be destroyed as soon as the payment has been verified, in accordance with our Privacy Policy.”

    Except for any copies stolen, since e-mail is, by nature, insecure.

  19. GrayMatter says:

    Interesting: They ship all over the world, including the United States. But they do not ship to that “foreign country” Puerto Rico. (http://store.diesel.com/chooseYourCountry.asp) and then check the link to where it says “If the country you wish to ship to is not listed, click here”

  20. kathygnome says:

    That looks like a phishing scam to me.

  21. Coalpepper says:

    Interesting solution to the problem of card fraud, but no. Not only am I concerned with the security of that image, how much security does that really provide? After all, they’ve no idea what my card looks like, so a fake card with that number can be made on any blank, so a fake shouldn’t be all that hard to make.

  22. ParingKnife ("That's a kniwfe.") says:

    Forget about whether it’s shady, it’s work. I have a scanner I use all the time but I don’t want to go through that extra step when I’m shopping. I’d rather take my business elsewhere.

    In the immortal words of my friend Mike from high school, “I can’t be bothered.”

  23. bitslammer says:

    My guess is he was hit by a cross-site scripting attack from another website he had open in his browser when he did the Diesel order, or worse, he may have a keylogging trojan in which case he’s really in trouble.

    It would be against PCI terms to have customers send in that data via email.

  24. sqeelar says:

    After you send the scan of your credit card, Diesel will send you a scan of the shirt you ordered. This is a perfect world in 2D.

  25. tedyc03 says:

    Could this be their way of limiting chargebacks? Card-not-present fraud goes against the merchant, but card-present fraud the banks eat. Could this be their way of shifting the burden for fraud?

  26. Lucky225 says:

    5.8.1 Honor All Cards

    A Merchant must honor all valid Cards without discrimination when properly presented for payment.

    http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf

  27. intense_jack says:

    If this is how Diesel runs their business, and they are in the US, they are going to get hosed in a PCI audit. This practice (assuming this isn’t a scam) would leave sensitive data all over their email server (Exchange most likely) in an insecure fashion. Not to mention that email isn’t secure in the first place.
    I work in the IT Security/Compliance field and this is either a scam or a gross violation of PCI compliance. Most likely this is a scam, if not the authorities need to audit this company and charge them the $10,000 fine for each instance of these insecure transactions.

  28. mattarse says:

    I’ve had a similar experience with a company – however I wasn’t bothered by it – and they were asking for a copy of an ID not the card. Essentially I live in Europe and ordered something on a US card with a US address to be shipped to another address in the US. They emailed me that I had tripped their fraud system and to either contact them or the order would be cancelled. When I called and discussed the situation they were willing to process the order if I would scan a copy of my license.
    Although I wasn’t entirely comfortable doing this I could understand why I had tripped the fraud warnings on the order so I did it.

  29. StevePierce says:

    We do this for overseas sales. It cuts down on fraud big time. We did have one Singapore company actually provide us with a copy of the front and back of the card. It was forged, it didn’t even have the right bank name on the front of the card. They just photoshopped numbers onto a different card.

    Yet when we ran the numbers through, the card cleared for nearly $10,000. We called the 800 number on the back of the card to verify the card, Bingo, fraud card.

    If customers don’t want to provide copies of their credit card, no worries, they can buy elsewhere.

    It isn’t the customer that is on the hook for credit card fraud. It isn’t the banks. It is the merchant that eats the loss.

    • ariven says:

      Disregarding the fact that email is a completely insecure medium, exposing data sent to every computer between the sender and you, and with any one of them compromised you have now exposed your customer to risk of identity theft…

      The REAL question I have is why would you run the charge on a card where you could tell they were photoshopped onto the card?

  30. sopmodm14 says:

    That can’t be right… it’s not a spoof site for Diesel, is it?

    Info that gets sent is encrypted, and even then, there are still security penetrations.

    It’s not worth the merchandise at this great an identity theft risk.

  31. BrazDane says:

    I had this happen too with a small travel agency. They wanted a faxed copy of my wife’s credit card which we wanted to use to pay for some airline tickets. When we complained about it, they told us something like “Well, we weren’t asking for your PIN, so it is perfectly safe”. DUH! This is especially stupid because we were buying plane tickets, which had to have all our info on them anyways AND the agency could probably cancel them anytime if the CC turned out to be stolen.

    Needless to say, we told them to cancel the tickets they were holding for us and bought them somewhere else.

  32. cupcake_ninja says:

    I’d send them a color scan of my middle finger.

  33. perfectly_cromulent says:

    I think there should be a video example about fraud done in the style of Animaniacs “good idea/bad idea” with this as a top Bad Idea.

  34. UltimateOutsider says:

    If this isn’t a scam it’s got to be a violation of their agreement with the credit card companies. No way in hell would they allow merchants to accept scans of signatures and CIVs.

  35. stormbird says:

    I asked noted consumer expert Will Smith about this.

    http://www.youtube.com/watch?v=im_5QdHp04E

  36. ariven says:

    Another thing to keep in mind.. in some areas it is illegal to send unencrypted credit card information via email.. Arizona is one state that it is, and I have to guess that others have a similar law. This makes Diesel’s request even more egregious..