Why Does BMO Use The Last Four Digits Of Your Credit Card For Marketing Purposes?

I became aware of something that I truly find bizarre. One of my PR contacts got some marketing material from the Bank Of Montreal, better known as BMO. In that marketing material were the last four digits of her credit card number. She found that to be very odd, which is why she pinged me on this.

But it doesn’t end there. When she reached out to BMO on Twitter to inquire as to why they were doing this, they said this:

“I can advise that with marketing offer, we ask that you provide certain information, so we can track who is taking advantage of the offers we send out. This information is only used by BMO and not provided to any third parties.”

Here’s my take.

BMO offers MasterCard branded cards and the format of the card number goes something like this:


So if I were some sort of miscreant, having the last 4 digits of a credit card makes life a whole lot easier to guess what a card number might be. Sure, it may take effort to get the full card number. And then you have to get the expiry date and perhaps even the CCV (the three-digit security code on the back of the card) to exploit the card for fraud. So it would take some work. But it is possible to do. Beyond that, simply having the credit card number can be enough to grab personal information to commit some sort of fraud that isn’t related to going on a spending spree with someone’s credit card.

Both of those outcomes would of course be bad for the customer.

The other thing that I will point out is that there are many ways to track if a customer takes advantage of an offer or not. There are many tools, like Pardot, which is made by Salesforce, for example, that can do this transparently. And I am pretty sure that using a credit card number, even a partial one, is not a good way of doing this. So I was very interested as to why BMO decided to go with using the last four digits to track if a customer takes advantage of an offer. So I decided to ask them.

If I get an answer, I will update this story. But on the surface, this sounds like a bit of a risk to customers. And perhaps BMO needs to take a second look at this, as we live in times where everyone should be risk averse.

UPDATE: I have a screenshot of the piece of marketing that this person received. I have removed all the personal information and noted where the last four digits of the credit card number are located with the words “Last 4 Digits Of Credit Card Number Above”, which of course I have removed.

2 Responses to “Why Does BMO Use The Last Four Digits Of Your Credit Card For Marketing Purposes?”


  2. According to the Payment Card Industry’s Data Security Standard, BMO has not done anything out of line (see below). In fact, they could have included far more digits than that. If another company allows a threat actor to misuse those 4 digits to carry out a social engineering attack, that’s on them, not BMO. Note that nearly every credit card receipt contains the last 4 digits as well, in compliance with PCI-DSS 3.2.1, and most of those end up in trash/recycling bins. Including merely the last 4 digits in a private communication between the bank and the owner of the credit card is not the breach of ethics that you make it out to be. In fact, having a partial credit card number would be one indication that the customer could use to determine whether this is legitimate communication or just some random phishing attempt.

    “3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.”
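The masking rule quoted in the comment above can be enforced mechanically on outbound text such as a marketing template. The sketch below is an added example, not part of the original post or its comments; the function names and the sample text are constructed for illustration, and the card number is a publicly documented test number.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample: a test card number and a 16-digit order reference.
SAMPLE = "Offer for card 5555 5555 5555 4444, ref 1234567890123456."


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN, never showing more than the first six / last four digits."""
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("policy exceeds the first six / last four maximum")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def scrub(text: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Replace every Luhn-valid PAN found in text with its masked form."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # long number that is not a card: leave it
        return mask_pan(digits, keep_first, keep_last)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print(scrub(SAMPLE))                 # last four only
    print(scrub(SAMPLE, keep_first=6))   # the maximum the quoted rule allows
```

The Luhn check keeps the scrubber from mangling order numbers and similar long identifiers, and the policy check rejects any configuration that would display more than the quoted maximum.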
