DATE: December 3, 1999
TO: All Senior Financial Officers (SFO's)
SUBJECT: Credit Cards Security Issue
Please be advised that sensitive data related to Acquisition and Travel credit cards
should not be kept on the office computers' hard drives or on diskettes unless the
hard drive and / or diskettes can be stored in a secure, controlled-access cabinet when
not being utilized.
The sensitive information pertains to details such as card numbers, expiry date, names
of cardholders, amount of credit available with the cards, applicable restrictions to the
card and, other information that could be utilized by unauthorized individuals to commit
fraud or other unauthorized transactions.
The same information is also contained on some of the management reports received by
departments on a monthly basis. These reports should also be kept in a secure
controlled-access location when not being utilized.
The above details can easily be utilized by unauthorized individuals to purchase goods
over the telephone and internet or, to replicate the cards and utilize them for fraudulent
activities. As you can appreciate, the consequences of these illegal actions can be
important.
In addition, when the above mentioned data is being transmitted to banks in order to
report changes such as new dollar limits for cardholders, name changes or other
modifications, please ensure that the full card numbers are not included in your message.
You should always exclude the first four digits of the card number from your message.
The above information will be incorporated into the Acquisition Cards Program -
Management Guide.
Should you require additional information on this subject please do not hesitate to
contact Robert Berniquez, Financial Management and Accounting Policy (FMAP), at
613-957-9672 or by Email at Berniquez.Robert@tbs-sct.gc.ca
J. Colin Potts
Deputy Comptroller General
|