I buy a lot of books over the Internet, where many dealers have a
practice of asking Credit Card details to be emailed to them in two
tranches; and some specifically ask for the second to be emailed after
a delay of at least 20 minutes.

I have never had any problem.

But, how did this practice start?

---

Clarification of Question by probonopublico-ga on 09 Aug 2003 22:13 PDT

OK ... I'm giving up on this one.

But many thank for your comments.

Don't know the history, but it makes sense when you think about it.

If a merchant has to process a credit card transaction, they have to
get your number somehow.

The logical choice would be to just telephone the merchant and give it
to them the credit card number over the phone.  The problem with that
is many merchants do not make it easy for you to call them.  You have
to dig and dig on their website to get their phone number. In some
ways, it is understandable. It costs money to have a customer
telephone support center and I would imagine many of them do not have
the financial resources. If they can't afford to give you a basic
secure server, it stands to reason that they probably can't afford
live telephone customer service either.  Also, I think many consumers
dread calling a phone number that they have to navigate through
'telephone menu hell.'  Of course, this is a pre-judgement on their
part, but in many cases that's what you get when you call a phone
number (sadly).

So, the next logical choice to communicate this information would be
fax or email.  Of course, the ratio of people who have fax machines
versus email is probably fairly small, so email seems the likely
candidate.

For the most part, it is widely understood that email is an unsecure
form of communication, so it stands to make sense that merchants would
try to lower risk (and give the customer a perceived (or real) sense
of security) by splitting a credit card number into two parts to avoid
a whole number from being intercepted.

Just my 2 cents. =)

Hi, Respree

Many thanks for your 2 cents ...

Do you take PayPal?

Regards

Bryan

My pleasure.

While I do have an online store, and accept credit cards through a
secure server, I do not accept PayPal.

Not that my store is big, but I've noticed the merchants who do accept
PayPal are smaller merchants or individuals, who do not appear to be
set up to accept credit cards on their own secure server (probably for
cost and administration reasons).  For us, the PayPal service would be
redundant (and probably confusing), since we accept VISA/MC/AMEX
transactions on our site anyway.

I wasn't able to find out the history of this practice, but I did find
a couple of interesting twists:

Here's a method which asks you to split the credit card data into two
parts, each to be emailed to a separate address, on different servers:

"As an extra security measure we suggest that customers split their
credit card details (number and expiry date) into two separate emails
and send half in each email to us at the following email addresses
which are operated through different servers owned by different
internet companies and downloaded by us separately."

Shades Stamp Shop
http://www.newzeal.com/steve/ordernfo.html

This is a clever method that should thwart packet-sniffers:

"Using Two Emails and Code to Transmit your Card Number

There is a clever, veritably foolproof method of sending your credit
card information across the net.  It is utterly indecipherable to any
program or hacker unless they are permanently sitting undetected on
your ports for long periods.  As a general rule, use of Zonelabs
firewall makes this extremely difficult as your PC is then virtually
invisible on the network.
  
The technique is based on the observation that hackers and credit card
criminals use programs called packet sniffers which recognise strings
of digits, not words, to harvest credit card details from the
Internet.  Other programs (which will remain unnamed here!) are
alerted by distinctive words and phrases, which we judiciously refrain
from using in our email transmissions.

It works this way.  The credit card number is split into two equal
sections of eight digits each, and is written using words, not digits,
and placed at the end of text verse such as a nursery rhyme.  By
sending the information in two separate emails, two packets of digital
data are sent along completely different routes, arriving at the same
destination, but foiling any attempt in transit to capture the
complete number.
Let's encode the following card number (fictitious) 4325 0754 4365
0866 expires 04/02

EMAIL #1

Mary had a little lamb four three two five,
Its fleece was white as snow,
And everywhere that Mary went zero seven five four,
The lamb was sure to go.

EMAIL #2

Little Miss Muffet sat on her tuffet four three six five,
Eating her curds and whey,
Along came a spider zero eight six six,
And sat down beside her,
Zero four zero two.

As long as the numbers are placed at the end of the line and you use
two separate emails, it is clear that this method offers excellent
protection from hackers.  You should know that once your order is
processed and paid for, we keep a hardcopy of your order in archive
but all details of your valid credit card number on our computer are
deleted.  Note:  Always remember to include the expiry date of the
card, as this is vital information for validating the transaction.

We are indebted to Pat Currie of Madison, WI for suggesting this
excellent idea!"

Printed Electronics
http://www.printedelectronics.com/buying/buying_pay.html

If you do send your card number this way dont forget to ask the
recipient to erase the number from the e-mail before they send a
reply.
All to often people will leave your original message attached to their
reply.

The security of this method is far from foolproof really, and doesn't
seem that likely to be much of an increase in security as opposed to
sending all the information in one email.

The exception to that was the case where the emails are sent to
different addresses on different servers.

Generally speaking, if someone had gained enough privilege (either
liegitimate or otherwise) to access one email from the merchant's
account, it is almost no more trouble to capture many.

That said, more of a concern is who has your access to your credit
card details once it is received. And how it is stored. Most
high-profile credit card thefts have been from a stored credit card
database, rather than through intercepting their transmission.

Regards
Sycophant-ga