Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Risk... in the most obscure places - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Risk... in the most obscure places

I read an article yesterday about various stores and markets requiring a state-issued driver's license or identification as proof of identification for returns.  When the return is made,  identification is presented to the vendor, and it is scanned into their system to be stored with the transaction.  On the surface, this seems reasonable, except for scanning and *storing* the identification; now it is probably not such a good idea.  The vendor is now collecting more information than we would probably like to give, such as name, address, drivers license#, and other details, depending on the issuing state.


The need for identification, whether physical or virtual, is real.  Stores and markets most likely (not getting into the legal here) have some right to ask for a form of identification when conducting certain transactions, and I agree with that requirement.  30 years ago, when using a bank check to make a purchase, vendors would require a valid credit card, which they would write on the check. (youch)  The capture and storage of information, of which the consumer may not even be fully appraised of, is the issue here.


So we are here today to discuss ways we can do this better.  My initial thought was that a scan of the identification into the system, to read what is magnetically written, and display it on a screen for the merchant.  Compare that to what is printed and the photograph, and document the verification of ID was valid.  We still trust employees that work for us, so let’s leverage that.  In this we have a solution in which no information is stored, only displayed for the merchant to verify against what is printed.

I open the floor to any comments, questions, queries, quibbles, complaints, or concerns.  Mostly I am hoping for solutions thought.

tony d0t carothers --gmail


150 Posts
ISC Handler
Sep 15th 2015
Not diminishing the issue, but it seems like more of a privacy than a security issue. As I understand it and very simply, Privacy is about making sure the good guys are doing the right things while security is the part of privacy that makes sure we protect what we build from the bad guys. My thinking is that tackling this as a security project oversimplifies it.

135 Posts
I agree, it is certainly a privacy issue, and we agree that the role of security/privacy is to educate the good guys on how to protect data. As a security professional in this instance, I would recommend a method for noting verification of identification without storing the privacy data, as an alternative. Certainly not worthy a security project, however once the business decides to store personal data, then it becomes a security item, as we need to be aware that there is additional sensitive data being added to the portfolio.

Great comments, and thanx for supporting the ISC.

150 Posts
ISC Handler
I can't speak for the entire country, but in Ontario, Canada, I have never been asked for this kind of authentication. My purchases are, with VERY rare exceptions, done on credit card, and as such a return is always done on the credit card. We never get asked to prove who we are for exchanges ... the receipt is all that is required.
1 Posts
The privacy issue aside, there may be more to this.
In the case of collecting the data when a return takes place may have fraud detection and response implications.
I am not an expert in how retail operations deal with product returns, but the act of collecting the drivers license information seems burdensome when an accurate receipt is provided as evidence at the moment the product is returned to the store. There might be a real reason for collecting that information.

IMHO, If there is a justifiable reason for collecting the drivers license information for the return of a product:
- There should be publicly available vendor attestation as to why the information is collected, how it will be used, and how long it will be retained.
- There should be publicly available vendor attestation as to the expectation of privacy one can have and vendor commitments to protecting the data while they hold and use it.

30 Posts
Having worked in Retail Loss Prevention (for one of the world's largest retailers) and in Privacy and Information Security, I would very heartily agree with you that there needs to be notification of what will happen to the customer's private information. According to the retailer I worked for, a Driver's License number is required only when making a return of an item without a receipt. In the case of theft, that information would be used by Loss Prevention and the Police department to apprehend the suspect. In the case of my former employer, anyone who had access to the POS Records could see the full DL# and any other information that was entered on the terminal. As far as I was aware, the information was saved indefinitely as well. I think part of the problem is that Retail records are not held to the same standards that, for example, medical or financial records are. Granted, medical and financial records are more sensitive, but with information like this, retailers need to beef up on their cyber security.

1 Posts
What if we used a valid digital certificate to sign the receipt? No need to store personally identifiable information. Just a signature which could be verified if needed with the public key of the signature holder...

9 Posts
I understand the need to prevent fraud and so on, but in Australia to return an item to a store you are typically only asked to produce the original store receipt. No receipt = no return. Its as simple as that. (However, I do know of one major store that will even accept a photocopy of the receipt for returns. That's because they use thermal paper for their receipts, and they are aware that quite often the original receipt can be illegible after a very short time.)

The exception is when a credit card was used for payment, then the same credit card must be provided for the refund. You can't make a purchase on one card, and get the money refunded to a different card.

Notwithstanding, it certainly isn't standard practice here to allow your photo ID to be copied and retained in order to return a faulty item to a shop.
Ian B

6 Posts
Quoting Anonymous:I can't speak for the entire country, but in Ontario, Canada, I have never been asked for this kind of authentication. My purchases are, with VERY rare exceptions, done on credit card, and as such a return is always done on the credit card. We never get asked to prove who we are for exchanges ... the receipt is all that is required.

I also live in Ontario, Canada and while this is true we are asked to provide name, address, and phone number when returning an item. How many people just give valid information that is then stored who knows where, and possibly attached to the credit card number that was used to make the purchase.

69 Posts

Sign Up for Free or Log In to start participating in the conversation!