HSBC print PAN in plaintext on statements

Marcus Gill Greenwood
2 min read · Nov 27, 2018

My HSBC credit card statements are sent in plaintext through the post – by far the most insecure transmission mechanism. They include my full 16-digit PAN (card number), printed multiple times on every page.

I’ve attempted to address this with HSBC on Twitter, and their response every time is that you need more than the 16 digit card number in order to be able to pay for something with my card.

Expiry date. Yes, that’s true. I’d imagine that would be some random month in the future within 1–2 years from now? And I think I have around 5 attempts before the card gets blocked?

And security code. This is quite simply untrue. Amazon and other merchants can choose, at their own risk, not to require this in order to improve conversion rates.

Finally, I’d also question whether printing PAN is a violation of the PCI-DSS security standards.

PCI DSS requirement 3.3 states “Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).”

I only write this rather tedious piece because I’ve addressed it with HSBC on multiple occasions and in each case their response is the same. At least this way it can be easily shared until they finally do something about it.

Given they are currently running an online campaign about “Fraudsters”, now would seem like the perfect time to clean up their act.

Over to you, HSBC :)


Marcus Gill Greenwood

Tinker, tailor, hustler, spy. CEO @UBIO, makers of the Automation Cloud. Techstars alum/mentor, ex-hedge-fund CTO, Lego extraordinaire :)