Comment Re:PCI-DSS (Score 1) 217
Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems.
So your argument is that they're reconstructing the PAN within the remarks section of the PNR by inserting decrypted credit card information back into the record?
I was most surprised to see my credit card details—full card number and expiration date—published unredacted and in the clear. Fortunately, that credit card number has long expired, but I was nonetheless appalled to see it out there. American Airlines, which had created that particular PNR in 2005, did not immediately respond to my request for comment on how or why such detailed personal information would show up here. (In other instances, the majority of the number was X’d out.)
And they're doing it voluntarily...
Line 4 revealed my long-expired and since changed credit card number, in full. As a security precaution, we've redacted it here.
[Cannot link directly to first PNR graphic in TFA, but look at lines 4 and 5] And they're doing it in a field/line that looks like it cannot be differentiated from the immediately following name information...
Pull the other leg.