I often order stuff online with small companies. Some of them don’t have an secure website to pay, so they will ask me for my credit card info in an e-mail. I have a Mastercard, just for ordering on-line. But I have been taught to pay online only on websites where the adress starts https, and not give out my CC number otherwise, for fear of identity theft.
Is that sensible, or can I safely e-mail my CC info to an empolyee of the company? How about my cvc number? Date of expiration?
The danger of your email being intercepted is far less than someone going through your garbage and getting an unshredded bill and other unshredded info.
If you’re concerned then simply send the credit card number via four emails. and send the CVC number via three emails.
Or you could just buy a Visa card and load money onto it. That way you can only lose what you put on it.
There really is no need for the ID number from the back. Why? Because the merchant has to be set up to do online purchases to use this. Merchants pay for different levels of protections and if I get your CVC number and don’t pay my merchant bank for the protecton, (Which costs a lot more) it’s of no use to me anyway.
There are lots of free checkout systems and secured server service is cheap. So my question is what kind of business have this set up?
It’s like in the old days our hotel would allow you to fax the front and back of your card and an authorizaton form. Of course that’s garbage. That went 100% against our merchant agreement. But unless the customer disputes the charge, there’s no issue with it. If they did then it’s a “card not present” (CNP) and the hotel would lose.
Each merchant banks sets out specific terms to take credit cards and the levels of protection are very different for what you need.
It’s as safe as giving your physical credit card to an employee in meatspace. Maybe they’ll run the transaction that you want, and maybe they’ll steal your number. Most of them won’t commit fraud.
There’s nothing magical about an SSL-enabled website (https), either. It just means the connection between your browser and the server is encrypted. For all you know, the imbeciles who wrote the e-commerce package that they’re using store credit card numbers in plaintext on an unsecured shared-hosting box in some dude’s basement.
So it comes down to how trustworthy you think the company is. Also, consider that if you save your outgoing emails, someone who guesses your password may find your credit card info. Same for the merchant if they keep the plaintext numbers in their email system or invoice records.
ETA: I should add that in the US, at least, one is not liable for fraudulent activity on their credit card. You report the card as compromised and the company sends you a new one and hands off the fraudulent charge to their investigation unit. The only thing you have to worry about is changing your account information with all the merchants who keep your card on file.
I’m pretty sure Dutch/European regulations are similar.
I would not send a credit card number through e-mail. E-mails pass through multiple servers on the way to their destination and any of them could be compromised. It’s even conceivable that the e-mail is in a queue during a system backup so that a long-term copy is kept somewhere. Then you have the possibility of malware on the end receiver’s computer.
That said, the odds are very low that the e-mail is intercepted. I guess it’s a matter of risk tolerance. It’s kind of like wearing a seat belt in a car or a helmet on a motorcycle.
Personally, I would simply not do business with a company that wanted you to e-mail credit card information. It’s just unprofessional, and I wouldn’t trust them to follow through in fulfilling the order. Call them, fax it over, or use something like PayPal that offers a buffer. Some of my credit card companies even give me the ability to generate a temporary card number that is good for one use only, and I might be willing to e-mail that to someone.
How would that work? I would divide my number in three pieces and send each piece of four numbers in a separate e-mail?
I could do that. So it would be safe to give the info to some guy on the phone?
That should be safe, and it’s what I’d do. Obviously, there’s no guarantee you can trust the guy on the other end, but at least you can be pretty sure no one is tapping the phone line. 
I look at it this way: I am not paranoid that someone is going to intercept the email and steal my credit card number, but just the fact that they asked me to send it that way makes me wonder how responsibly they handle that information once it gets to them. George in sales probably opens up your email and pastes the info into a big spreadsheet called CustomerCreditCards.xls which then sits unsecured on his computer until the next time he opens up ElfBowling.EXE that came in an email attachment from his sister-in-law and it turns out to be a trojan horse that lets a bad guy login to his computer and browse around.
So not only would I not email it to them, I wouldn’t call them with it either. If a company is doing business online, I think it’s their duty to either put the effort into good e-commerce practices or farm that aspect of their business out to a third party who knows how to do it right. Although in certain cases, like if they’re selling something you absolutely can’t get anywhere else or you really like them for some other reason, I might do it over the phone if they assure me they don’t store the information after the transaction is done.
Tangentially-related extreme case: One reason I moved my retirement accounts out of Fidelity was that once when I was having trouble with their web site, the tech support person told me that in order to access my account, he was going to have to temporarily change my password to “1234567fidelity”, but “only for a few days,” and wanted to know if that was ok. After picking my jaw up off the floor, I said no, that would not be ok. That’s like your bank asking you if it’s ok if they hide all your money in a brown paper bag in the alleyway for a few days while they investigate a problem with their vault. I didn’t actually think anything bad would happen if they did that, but just the fact that they wanted to means they shouldn’t be trusted with my sensitive info and/or life savings, in my opinion.
This. Ask your bank if they offer this service.
Sometimes, not only do you get a one-time-use virtual number, you can enforce the dollar amount, merchant, and expiration date as well. And in the worst-case scenario, even if the merchant charges you only what they said they would and never deliver the product, the virtual card is just as protected from fraud as your regular card. One call to your bank should sort it out.
They won’t. Almost nobody uses credit cards in the Netherlands anyway. (People have debit cards, and if they pay in a store, they do so through ATM with a PIN-number). Ordering online really is a pain.
The company is this one. A friend of mine, also in the Netherlands, wants to set up herself as a color stylist, and these people offer a career pack that she needs and can’t get anywhere else.
Its incredibly dangerous. A plain text email exists:
In transit it:
Its pretty easy to call them and give it over the phone.
I assume it’s a regular email and not a paypal email request?
yes, regular e-mail.