Jump to content

I Caught CapitalOne.com Breaking the Law


Recommended Posts

Consumer complained on RipoffReport.com that he could not access his account information on Capital One's website because they require the "so called" Security Panel Code.

Security Panel Code is another word for "Capital One" makes their own rules and does not have to comply with the consumer protection specifications from VISA.

Ex-Employee needs to stop reading Capital One documentation and believing that it is gospel when in reality it is a fraud.

What does it do?

It's actually more about what it prevents. When shopping online or over the phone, the 3-digit code helps merchants ensure that the card is in the right hands. Merchants will request the CVV2 at checkout from the cardholder, and the information is sent electronically to the card-issuing bank to verify its validity. Within seconds the CVV2 results are returned with authorization. If it's returned invalid, merchants have the right to stop the transaction.

And for your added protection, merchants are prohibited from keeping or storing the CVV2 number after the transaction has been completed.

Your so called "Security Panel Code" is illegal. Logging into the Capital One website is not a Merchant Transaction and by storing the code in a database, Capital One has invalidated the whole purpose for the codes existance.

For this reason, it is obvious that Capital One asks for this so called "Security Panel Code" in order to further frustrate consumers who no longer have their card. Even worse, they try to get you to get a new card when because of their illegal behavior, they could just read to you the CVV2 code they illegally stored in their database.

Further Proof Capital One are a bunch of Crooks!!

After so called ex-employee challenged my response, I provided the proof.

"Sal, your post mentions that CCV2s are "sent electronically to the card-issuing bank to verify its validity." How is Capital One "illegally storing" these codes when THEY are the card-issuing bank that verifies the codes' validity?"

You are too much...I hope Capital One documented your transformation into a Certified Manipulator. How convenient of you to leave out the next sentence to try to change the meaning of the paragraph. Your little tricks don't work here sorry. ;-(

Merchants will request the CVV2 at checkout from the cardholder, and the information is sent "electronically" to the card-issuing bank to verify its validity. Within seconds the CVV2 results are returned with "authorization".

The Merchant Bank has a direct connection to the processing center Capital One uses like Vital Processing Systems would be an example. The Credit Card Terminal at your local general store does not connect to every credit card issuer bank that gets swiped. Common Sense is useful some times isn't it? Also, this connection is point to point and completely secure.

If your copy-and-paste job didn't really mean that card-issuing banks verify the CCV2 for merchants (and therefore must have a database to do so), but rather that Visa Intl/MC Intl/AmEx keep the database and do the verifying, how do you know that the card-issuers don't utilize the system for their anti-fraud measures (like during website registration) that merchants do?

The answer to this question is quite simple. The use of the CVV2 is only for verification purposes during a credit card transaction. It is not a "Signature Panel Code", which is quite laughable if this wasn't such a serious breach.

Capital One is in violation of their contract with VISA and has breached a primary security feature just to frustrate former customers who have cancelled their cards. By violating the Visa regulations, they have also violated the FTC Act as well. I have included a few of them for you to wrap your arms around. I have also provided the links to the relevant sections of the Visa Security Standards.

Federal Trade Commission

16 CFR Part 314

Standards for Safeguarding Customer

Information; Final Rule

§ 314.2 Definitions.

(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Commission’s rule governing the Privacy of Consumer Financial Information, 16 CFR part 313. (B) Customer information means any record containing nonpublic personal information as defined in 16 CFR313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

© Information security programmeans the administrative, technical, or physical safeguards you use to access,

collect, distribute, process, protect,store, use, transmit, dispose of, or otherwise handle customer information.

(d) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted

access to customer information through its provision of services directly to a financial institution that is subject to this part.

Section 314.3: Standards for Safeguarding Customer Information

Proposed paragraph (a) of this section set forth the general standard that a financial institution must meet to comply with the Rule, namely to ‘‘develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards’’ that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue. This standard is highly flexible, consistent with the comments, the Banking Agency Guidelines, and the Advisory Committee’s Report, which concluded that a business should develop ‘‘a program that has a continuous life cycle designed to meet the needs of a particular organization or industry.’

You can view all of the information provided below at:


Service provider levels defined

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers. Service provider levels are defined as:

1 All VisaNet processors (member and Nonmember) and all payment gateways.*

2 Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.

3 Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for all service providers.

LEVEL 1 Annual On-Site PCI Data Security Assessment

a. Quarterly Network Scan

b. Qualified Data Security Company

c. Qualified Independent Scan Vendor

LEVEL 2 Annual On-Site PCI Data Security Assessment

a. Quarterly Network Scan

b. Qualified Data Security Company

c. Qualified Independent Scan Vendor

LEVEL 3 Annual PCI Self-Assessment Questionnaire

a. Quarterly Network Scan

b. Service Provider

c. Quarterly Network Scan

Payment Card Industry Security Audit Procedures

Link to this document at:


This document is to be used by those merchants and service providers who require an onsite review to validate compliance with the Payment Card Industry (PCI) Data Security Standard and to create the Report on Compliance. Note that these PCI Data Security Requirements apply to all Members, merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all “system components” which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including both internal and external (web) applications.

Protect Cardholder Data


Do not store the cardvalidation code [three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 data or CVC2 data)].


Examine the following from the sample selected and obtain evidence that three-digit or four-digit card validation code printed on the signature panel (CVV2/CVC2 data) is not stored under any circumstance:

• Incoming transaction data

• Transaction logs

• History files

• Several database schemas

Feel free to bring more of your goons to try to attack me and my intelligence. You guys are a bunch of amateurs who think that others should just believe them because they have backup waiting in the wings to try to give them credibility.

Well I say, Bring it On!!


Link to comment
Share on other sites

This topic is now closed to further replies.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.. For more information, please see our Privacy Policy and Terms of Use.