Letter to Card Company

Let's see what this gets; it's a letter prompted by the card fun this evening.

My particular card is a Tesco one, but it's run by Royal Bank of Scotland. I wonder what they'll say? Probably something bland and noncommittal.

Dear Sir/Madam

I am writing to express a fundamental concern about your security systems.

This evening I arrived home to find a message asking me to ring the "credit card centre" as soon as possible. The number given was not one I recognised.

When I rang the number, I was immediately asked for my card details and I was a little surprised. To give out card details, including security details, to someone who phones up and asks for them is a fundamental security flaw.

Even if in this instance it was legitimate, this approach is open to abuse as you are effectively suggesting to your customers that these details should be given out to anyone who phones up and leaves a phone number.

The man I spoke to tried to find out from my name why the message was left, but could not get into the system without these details.

I tried to explain my concern to him, and asked whether I could simply ring the number on the back of my card. As I was trying to explain this he was saying that if I could not give him my security details then he'd have to terminate the call and I would not be able to use my card.

This is most definitely not appropriate. There was no way that I was going to give these details to someone when I could not verify who I was talking to – and I should not have been pressured to do so.

What should have occurred is that the original message on the answering machine should have asked me to telephone "the number on the back of my Tesco Personal Finance credit card, or on the top of the statement". In this way I could have been sure who I was talking to. In the end I rang this number and the issue was dealt with. I mentioned this to both people I talked to on the phone, but did not get the impression that they even understood the issue.

I appreciate that you need to validate spending from time to time, but in an era of "phishing" scandals I feel that to be left an unusual number on the answer-phone is a huge error, as it could be repeated by the dishonest without raising alarm bells in the customer's mind – especially when the solution mentioned above is so easy. The customer should be told never to give out these details except when they phone the number on their statement/card.