March 30, 2010
 Risk: A Day in the Life of My Private Information

I was at home the other day thinking about whether I should cook dinner or order out.  As with most of those people I know, 'order out' almost always wins, as it did in this case.  Even though it wasn't football season, pizza was on my mind with regular crust, pepperoni, black olives and of course, jalapeños.  I have an account online with a chain pizza company, so I logged in, selected my usual and went to check-out.  I selected credit card as my method of purchase and entered my card number and usual three to four digit CVV/CVC code on the back of the card.  None of this is abnormal, but when the pizza delivery person arrived with my pizza he asked to see the card and proceeded to swipe it through an old school carbon copy device.  I stopped him and asked why this was necessary, to which he answered, "Our online system is not working right now, so we have to swipe the cards manually".  Call me paranoid, but I didn't like this change of plans, nor did I like someone I didn't know walking away with a copy of my credit card in their back pocket.  So I called the manager and got approval to pay cash instead.  But this started me thinking.

How is the credit card carbon copy any different than a standard purchase online?  Do I know who has access to my data?  How will my data be used within the company?  How effective are the company's data security policies?  Has the company had data breaches before?  

Of course, I had none of these answers about any of the companies I purchase from, so I went on to work through a short exercise to see how many times I share my credit card with others without knowing much or anything about how the data will be used or protected.

There are certainly days when I don't use credit at all and others when it's all I use.  For the purposes of my exercise I chose a few days during work travel to Hong Kong.

1) Airline check-in - I swipe my credit card to identify myself to the automated kiosk check-in.  Do they store any private data from that?  Clearly the airlines authenticate me via the card at the very least.

2) Breakfast - My flights to Asia depart in the morning, so Starbucks swipes my credit card for purchases.

3) ATM - I hit my bank's ATM to make a modest withdrawal for the trip - Debit/credit card usage.

4) Hong Kong Immigration - My passport is provided and scanned, and my completed arrival form is entered and stored.

5) Train Ticket - Purchase express train ticket with credit card.

6) Currency exchange - Passport must be provided and scanned.

7) Hotel check-in - Credit card and passport must be provided and information collected.

8) Dinner in the city

My personal solution:

As I said, there are days when my private data isn't shared much and days when it's shared frequently. The point of this exercise for me was to identify places or times when I could avoid sharing my information and hopefully minimize my risk of data theft by paying with cash.  If I can minimize the companies that receive my personal data, it makes selecting which companies are 'Card Worthy' easier.  For example, I only use banks that I know have better data security than most and I try to only purchase from companies who I know have security measures in place to protect my data.

Sadly, lists of secure companies are not easily available for most consumers.  Consumers can, however, consider whether companies with prior breaches should have their business.  I'll also note that many companies that have a breach, if they survive it, usually try to correct the problem that led to the breach.

Below is an article from the Privacy Rights Clearinghouse that lists a chronology of data losses since 2005.  I sometimes search this list if I am considering a new bank or major purchase.

http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

I also regularly monitor my credit card statements and have informed my credit card companies to keep my accounts in a high risk fraud category.  This high risk category does present some frustrations when making unusual purchases, but nothing compared to having your identity stolen.

I don't carry any more cash on me than I did previously, but I will likely visit my ATM more frequently as I spend less with my credit card.
