Various forum members have already posted about fraud they suspect can be traced back to FrontGate here. While none of us can prove the exact source of where fraudsters stole our CC info, after much research and due diligence, I believe there is more merit to each of our suspicions than I wish were true.
I will first qualify the claims below by saying they are all based on the conclusions of an outsider without true visibility into FrontGate policies, processes, or operations. Instead, they are based on conversations with Visa, FrontGate, my bank, American Express, and online information provided by each of those parties.
Here’s a list of companies who choose to be PCI compliant and have a Qualified Security Assessor (QSA) independently report compliance to Visa on an annual basis. While not all ticket sellers are on the list, familiar names that are include Ticketmaster, Tickets.com, and TicketNetwork. These companies are proactively telling their consumers that their credit card processing is safe, secure, and compliant. If, in fact, FrontGate is complying with both PCI and the individual credit card company standards, it would be nice if they could provide this compliance to their consumers so we could dismiss these suspicions.
So, onto my findings:
On the surface it appears that FrontGate is violating PCI and Visa Merchant Guidelines through the storing of CVV2 and CID codes. Those are the 3 and 4 digit codes on the back of your Visa and the front of your Amex that are used for “Card Absent Transactions” to help ensure the card is in possession of the purchaser at the time of an online, phone, or mail-order transaction. Because of the sensitivity of these codes, Visa and PCI clearly state “A cardholder’s CVV2 may never be stored as a part of order information or customer data. The storage of CVV2 is strictly prohibited subsequent to authorization”, which reduces the risk that both the CC# along with CVV2 falls into the wrong hands.
A reasonable time to hold the code for authorization is up to 24 hours given a reasonable business purpose.
To be handy, FrontGate has provided us with a “My Account” page, where we can update our billing and STORED CREDIT CARD INFORMATION, which includes a field for CVC/CVV Code. As we know, FG does NOT transmit this information right away, but instead processes this information in batch once per month and then again 10 or so days later for those CCs that were declined.
I’d suggest they may be validating the card at the time of account update and then dropping the CVV2 code, but when I attempted a fake CVV2 code, the page indicated ‘Your account has been updated’, further supporting the idea they save this code until the monthly batch. Maybe FG is collecting the CVV2 code, but not using it at all? If that’s the case, then they should drop the field on the account update page.
For recurring payment plans, Visa (and others such as Amex) offer the Visa Account Updater (see card acceptance guidelines), which allows for submittal of the CVV2 code during the initial payment and allows for the bank to update the merchant automatically of CC changes. VAU doesn’t appear to be used by FG, but rather separate transactions are processed each month, further supporting that CVV2s are being submitted monthly from a stored source. VAU would provide for a much more secure option.
I called FrontGate and spoke with different customer service agents (who may or may not know what they are talking about) and each claimed that all of this information is stored online and processed the following month. Asked specifically about the CVV2 code, they said “yes, all of it”. None of them seemed to be familiar with laws preventing the storage of the code.
Moving on, the Privacy and Security disclosure on the Coachella Payment Plan site is a rollforward of their standard policy related to one-time purchases.
Credit Card Information: We store all information that we collect through the ordering process excluding the actual credit card number. We do NOT store credit card numbers in our database, nor is the credit card number stored at any point on our server, it is transmitted directly to gateway (currently authorize.net). Please click here to review their privacy and security policies.
This is further indication that security / privacy for the Coachella Payment Plan wasn't a top priority, considering they didn't even bother to update the disclosure relevant to the new process.
And finally, if you check your "My Account" page on FG, you'll see that the URL secure.independenttickets.com is used. Google this.
I sent an email to GV about this, but haven't heard back. I really hope I'm wrong and none of this is true, and that FG is just doing a bad job of communicating their security compliance to its customers.
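As an added illustration of the storage rule and the recurring-billing alternative described in the post (this is example code written for this page, not code from the original post, FrontGate, Goldenvoice, or any payment gateway), the toy model below shows a merchant enrolling a customer in a payment plan: CVV2 is sent to the gateway exactly once for the first authorization, and only a gateway token, the last four digits and the expiry are persisted on the merchant side, so later installments never need a stored CVV2. It also includes a small audit check that flags any stored record carrying a CVV2/CID-style field or a full card number. The gateway class, token format, field names and the test card number are constructed assumptions for illustration.

```python
"""Toy model of PCI-compliant recurring billing: CVV2 used once, never persisted.

Constructed example for illustration; the gateway, token format and record
layout are assumptions, not any real merchant's or gateway's implementation.
"""
from dataclasses import dataclass, field
import re
import secrets

# Field names a reviewer would treat as sensitive authentication data (assumed list)
CVV_FIELD_PATTERN = re.compile(r"^(cvv2?|cvc|cid|security_code|card_code)$", re.IGNORECASE)
PAN_PATTERN = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to tell a full card number from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class GatewayStub:
    """Stand-in for a payment gateway that vaults cards and returns a token (constructed)."""
    vault: dict = field(default_factory=dict)

    def authorize_and_tokenize(self, pan: str, expiry: str, cvv2: str, amount_cents: int) -> str:
        # The only point in the flow where CVV2 is present: the initial authorization.
        if not PAN_PATTERN.match(pan) or not luhn_ok(pan):
            raise ValueError("invalid card number")
        if not re.fullmatch(r"\d{3,4}", cvv2):
            raise ValueError("invalid CVV2/CID")
        if amount_cents <= 0:
            raise ValueError("invalid amount")
        token = "tok_" + secrets.token_hex(8)
        # Card data lives in the gateway's vault, not in the merchant database; CVV2 is discarded.
        self.vault[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge_token(self, token: str, amount_cents: int) -> dict:
        # Subsequent installments reference the token; no CVV2 is needed or accepted.
        if token not in self.vault:
            raise KeyError("unknown token")
        return {"token": token, "amount_cents": amount_cents, "approved": True}


def enroll_payment_plan(gateway: GatewayStub, customer_id: str, pan: str, expiry: str,
                        cvv2: str, first_installment_cents: int) -> dict:
    """Authorize the first installment with CVV2, then persist only token, last4 and expiry."""
    token = gateway.authorize_and_tokenize(pan, expiry, cvv2, first_installment_cents)
    # Note what is deliberately absent from the stored record: the PAN and the CVV2.
    return {"customer_id": customer_id, "gateway_token": token,
            "last4": pan[-4:], "expiry": expiry}


def bill_installment(gateway: GatewayStub, record: dict, amount_cents: int) -> dict:
    """Monthly installment driven purely by the stored token."""
    return gateway.charge_token(record["gateway_token"], amount_cents)


def find_prohibited_fields(records: list) -> list:
    """Audit stored customer records for CVV2/CID-like fields or full card numbers."""
    findings = []
    for r in records:
        for key, value in r.items():
            if CVV_FIELD_PATTERN.match(key):
                findings.append((r.get("customer_id"), key, "CVV2/CID stored after authorization"))
            elif isinstance(value, str) and PAN_PATTERN.match(value) and luhn_ok(value):
                findings.append((r.get("customer_id"), key, "full card number stored"))
    return findings


if __name__ == "__main__":
    gw = GatewayStub()
    # Constructed sample input: a well-known Luhn-valid test number, not a real account.
    rec = enroll_payment_plan(gw, "cust-1", "4111111111111111", "12/29", "123", 5000)
    print(rec)
    print(bill_installment(gw, rec, 5000))
    # A constructed "bad" record of the kind the post worries about.
    bad = {"customer_id": "cust-2", "card_number": "4111111111111111", "cvv": "123"}
    print(find_prohibited_fields([rec, bad]))
```

The audit function is the piece worth keeping in mind: a merchant who honours the quoted rule should be able to run a check like this over its stored customer data and get an empty result, because nothing that looks like a CVV2/CID or a full PAN should be there once the first authorization has completed.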