Please don't ask for front/back images of credit cards from customers - It's unethical



Today I was given my first introduction to DreamHost, and unfortunately, it is an ugly one. I’m not sure if this is a standard practice or I am just the lucky winner of making things difficult. I recently left a competitor ( and decided after reading some really good reviews on DreamHost that it should be a great company. So today I gave it a try and instantly received this as my first introduction to your company:

[quote]Thanks for signing up!

Your account has been flagged for manual approval. No worries, we’ll be happy
to take care of this for you, we’ll just need some additional information first!

Please provide a photo of the front of the credit card used to open the account,
so the cardholder’s name, expiration date, and the first and last 4 digits of
the card are clearly visible. Please block out the middle 8 digits for security.[/quote]

I had to reread the email 3 different times in shock and then go back through the entire registration process to see if this is an expectation of all customers, as I have never had a company request this before. Normally, if there is any question on a credit card transaction, a company will either A) wait until it completely posts or B) do a 3-way conference call with a customer and their bank to ensure the transaction is legitimate. The only exception I have ever seen is the airline industry, which requires a manual check upon check-in of the associated credit card of purchase, and the value of those transactions is in the hundreds or thousands of dollars (not a $15 to $60 transaction).

As an IT security expert this bothers me for multiple reasons. First and foremost, billing transactions are encrypted with hash codes to protect the transaction. However, who has ever seen a support ticket system where the images are encrypted? I haven’t. Yet, that is exactly what this email is encouraging me to do. Upload a front / back image of a credit card to that very system.

I really hope I’m just having an unlucky day with the company and this practice is not standard. Either way, you should review it as the current practice is not ethical, secure, or appropriate in my opinion.


Hi Brafis, sorry to hear that you had troubles getting your account authorized in full. We regret that some accounts don’t get approved immediately and we constantly improve our systems to reduce that percentage.

Unfortunately DreamHost, like other firms doing business online, has to implement checks to prevent fraudulent transactions. Online hosting is quite a different business than airline ticketing: once an account is approved on DreamHost, it has the power to use resources for thousands of dollars immediately, while the first payment is due after days. If that account used a fraudulent credit card number, DreamHost will not receive payment, ending up with losses.

DreamHost has a series of filters in place that authorize automatically around 95% of new account creations. This is common practice in the industry. Only around 5% of new signups are held by the fraud-prevention system and these are dealt with by the DreamHost Account Verification team.

People in this team and the whole Support team are specifically trained to deal with sensitive data all the time. We recognize that sending images of a credit card is still not as good as we would like the system to be and we’re working to improve it. Be assured though that your data is treated at the highest level of confidentiality, like any other data you entrust DreamHost with.


While not a security pro, I am a fairly experienced CTO who opens a lot of different accounts with EQUAL OR GREATER potential for misuse (AWS, Heroku, SendGrid) without any issue and yet ran into the same issue that you did at DreamHost, which is, candidly, bizarre / suspicious behavior on DreamHost’s part.

If the only way through their process is a picture of a credit card, their process is wrong, period.

The solution was simple - open an account at FastComet without the drama - but it’s still a shame; I was looking to do some business with DreamHost until this first whiff of their service.