Onus on merchants to minimise credit card abuse: Banks

SINGAPORE — When Mr Darren Neo called Canadian Pizza in March, he was surprised when the call centre officer asked for his full credit card details, including the card’s CVV security number.

He was in for a bigger surprise when his order was handed to another branch of the company: His credit card details had been passed on as well, without his permission.

“I know I can track any misuse, but it’s still a frightening thought, knowing my details are out there,” said the 25-year-old civil servant.

While there are no regulations prohibiting a company’s employee from passing on credit card details internally, banks told TODAY they include security measures in their agreement with merchants to deter fraudulent transactions and also keep a lookout for such offences. The onus, however, is on merchants to ensure there are systems in place to minimise abuse.

Experts also agreed such practices are not a big cause for concern on the part of consumers as merchants will be held accountable for the misuse of credit cards in such cases.

Mr Owen Hawkes, KPMG partner in forensic services, said the practice poses a higher risk of misuse, as with passing payment card details in any unencrypted form. However, he noted that banks here had taken the initiative to adopt a variety of measures, such as using transaction-monitoring software and sending customer notifications by SMS, to address the risks of unauthorised transactions.

Mr Seah Seng Choon, executive director of consumer watchdog Consumers Association of Singapore, thinks merchants should not be allowed to pass a customer’s credit card information within the company if the customer’s permission has not been sought first.

Ms Wong Chung Yee, head of cards at OCBC Bank, said some business segments allow customers to place orders over the phone to provide more service channels. However, some firms implement measures such as placing CCTV cameras near the service counter, where staff take phone orders, or requiring employees to key in the card information directly onto their merchant terminals, she added.

When contacted, Canadian Pizza said it engaged an external call centre to handle its calls and telemoney three years ago. “There is a level of security we have practised along the way and we’ve instructed (it) to do this and that. But, then again, how its practices are depends on how it engages the telemoney system,” said Mr Ismail Marican, Canadian Pizza’s group operations manager.

He added that it would be engaging another call centre, which would start in September, as the previous one had “questionable” performance standards. When contacted, the call centre in question declined to comment.

A check with other home-delivery merchants showed some do not process credit card payments over the phone and that those that do so have security measures in place.

Mr Andrew Ing, chief operating officer of The Lo & Behold Group which owns Extra Virgin Pizza, said the company’s delivery crew are required to take along a wireless credit card terminal to assure a customer that details have never been shared.

Mr Chinmay Malaviya, managing director of foodpanda Singapore, said for orders placed over the phone, the customer care agent would key the customer’s card information into the system, but he would not have access to the details after payment had been processed. Its phone system can trace the agent who processes an order and all hotline calls are recorded.