
Argos email receipts contain your Card No. CCV, Name and Address

53 points by Roridge about 15 years ago

7 comments

ig1 about 15 years ago
How can this possibly be within PCI DSS compliance rules? Do they not apply to everyone taking Mastercard/Visa?
jaxc about 15 years ago
"Now it's emerged that those very same confirmation emails contain a web link - ironically intended to direct customers to Argos's security page - which contains the customer's full name, address and credit-card details in the URL itself."

I'm speechless... I may not understand PCI compliance fully but surely anyone with any brains could see that is a bad idea. I mean why would you reveal someone's credit card details in the URL. Not to mention emailing it. This beggars belief.

Edited for typos and readability.
acg about 15 years ago
Perhaps there's a role for a site that names-and-shames poorly implemented ecommerce sites. I've recently been asked to enter my Visa into a site without https.

There shouldn't be any excuse for this sort of thing now.
DougWebb about 15 years ago
Some developer has clearly misunderstood the 'stateless' part of HTTP. The protocol is stateless, but the resources are NOT stateless. You don't have to and shouldn't send all of the information your service needs through the protocol; all you need to send is sufficient information to fully identify the resource you're working with. In this case, that would be the customer id number, which is your key into a database that has the real customer information.

Oh, and DON'T STORE UNENCRYPTED CC NUMBERS, AND NEVER STORE THE SECURITY CODE. That should be so obvious. If I were building a system like this, and I was required to store the CC number at all (which I'd prefer not to, but many retailers do it) I'd encrypt it using the security code, and I'd modify my HTTP logs to filter those codes out of the log. That way I couldn't decrypt the CC number without asking for the code, and I'd never have the code stored anyplace on my system.
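As an added example that is not part of the thread (and not Argos's code), here are the two defensive points DougWebb makes, written out in Python: a receipt link that carries nothing but an opaque order reference, so the server joins it to the customer record itself, and an access-log filter that strips card numbers and security codes out of a request line before it is written, using a Luhn check so that ordinary numbers are left alone. The host name, the query parameter names, the log line and the card number are all constructed for the example; the real parameter names in the Argos link are not given on this page.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Placeholder host for the example; not the retailer's real URL.
SECURITY_PAGE = "https://shop.example/security"

# Query keys whose value must never reach a log in the clear
# (constructed list; adapt to the parameter names your own forms use).
SENSITIVE_KEYS = {"cardno", "cardnumber", "pan", "ccv", "cvv", "cvc"}

# 13 to 19 digits, optionally separated by spaces or dashes, ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so only plausible card numbers get redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_receipt_link(order_id: str) -> str:
    """The email link carries only the order reference. The server resolves
    it against its database; name, address and card data never travel in
    the URL at all."""
    return f"{SECURITY_PAGE}?{urlencode({'order': order_id})}"


def scrub_value(key: str, value: str) -> str:
    """Redact a query value: the whole value if the key is a known card
    field, otherwise any Luhn-valid card number embedded in it."""
    if key.lower() in SENSITIVE_KEYS:
        return "[REDACTED]"

    def redact(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return "[REDACTED-PAN]" if luhn_ok(digits) else match.group(0)

    return PAN_RE.sub(redact, value)


def scrub_url(url: str) -> str:
    """Rebuild a URL or request target with sensitive query values removed."""
    parts = urlparse(url)
    cleaned = [(k, scrub_value(k, v))
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunparse(parts._replace(query=urlencode(cleaned, safe="[]")))


def scrub_request_line(line: str) -> str:
    """Log filter for an access-log request line ('GET /path?q HTTP/1.1'):
    apply it before the line is written, not to the log afterwards."""
    method, _, rest = line.partition(" ")
    target, _, proto = rest.rpartition(" ")
    return f"{method} {scrub_url(target)} {proto}"


if __name__ == "__main__":
    print(build_receipt_link("A1B2C3"))
    # Constructed request line using the well-known Luhn-valid test PAN.
    print(scrub_request_line(
        "GET /security?cardno=4111111111111111&ccv=123&name=Jane HTTP/1.1"))
```

The log filter is the second line of defence only: the point of `build_receipt_link` is that there is nothing to scrub in the first place. The Luhn check keeps order numbers and phone numbers in other fields from being blanked, but a three-digit security code has no checksum, so it can only be caught by parameter name, which is why `SENSITIVE_KEYS` must match the names the site actually uses.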
nfnaaron about 15 years ago
In the US, isn't this exactly the sort of data that, when a bank or other entity exposes it in a "breach" (lost employee laptop), is required to be reported to the government? My understanding of this law is common knowledge, not lawyerly and knowledgeable.

Maybe if you dribble it out, on purpose, it's not considered a breach.
mootothemax about 15 years ago
Wrr, websites that do this irritate the living hell out of me. It's only after you've ordered or signed up that you discover that they've decided to pollute your inbox and history like this, leaving you with the job of cleaning up properly.
wendroid about 15 years ago
> Argos said that it "takes the security of its customers’ data extremely seriously

The straightness of face or otherwise was not reported