Privacy Commissioner investigates Myki privacy mistake

August 9, 2012

The Victorian Privacy Commissioner is investigating a potential privacy issue involving Myki, according to ZDNet.

The article provides:

A glitch in point of sales machines for Victoria’s Myki ticketing system has caught the attention of the Victorian Privacy Commissioner over concerns that the Transport Ticketing Authority may be compromising passengers’ privacy.

The Victorian Public Transport Users Association (PTUA) raised the privacy issue, providing images of receipts from Myki vending machines that contain customers’ full names, more than the last four digits of the credit cards used for the transaction and the credit card expiry date.

Mastercard’s Security Rules and Procedures (PDF) clearly state that merchant members must omit the card expiration date and that only the last four digits of the card should be visible.

Additionally, although the Transport Ticketing Authority (TTA) is not listed as an adoptee of the Australian Securities and Investments Commission’s ePayments code, the industry-accepted code states that a paper receipt “must not include information that would increase the risk of unauthorised transactions”, including “a complete identifier” or “an expiry date for a device”. The code includes credit cards in its definition of devices.

Privacy Victoria told ZDNet that the acting Victorian privacy commissioner Dr Anthony Bedall will be seeking a briefing from the TTA regarding the ticketing system in light of the news.

According to PTUA president Daniel Bowen, the vending machines also print a receipt, even if a user doesn’t want one, and in the case where they do ask for one to be provided, two are printed.

“The way the receipts work is completely illogical. It is at odds to what people expect, and what is common practice for other retailers,” he said.

“And these receipts should not reveal full names, card expiry dates and so much of the card number.”

Card expiration dates are a necessary piece of information required for criminals to commit fraudulent card-not-present transactions over the internet. However, the full card number, as well as the card verification number or information from a similar verification process are required, and this information is not available on the receipts.

The TTA is currently urging passengers to start using Myki (PDF), since the current Metcard system is being withdrawn from service, despite the PTUA raising the issue with it previously. These cards can, however, be purchased through means other than the vending machines, including through retailers like 7-Eleven and online.


