So, this is the time of year we renew our "enhanced" medical insurance. We pay annually, rather than go through the hassle and cost of the various "payment plans" available.
For the past five years, at least, the process has been different *every* *single* *year*. So, I just go to the HQ office to get it done.
In past years, I could speed up the process (very slightly) by filling out a form on the back of the bill, noting that I'm paying by credit card, and giving the credit card details. (I use a card that I don't use for everyday transactions.) This year, when I filled out the form, there was no space for the credit card number (although there was space for the expiry date and my signature). I thought this was rather odd, but ...
So, I get to the office, wait to be called, and finally get called. This year I get a twofer: a trainee is shadowing the agent I'm dealing with. I say that I'm here to pay by credit card, and pass over the forms. The agent says that they don't take credit card data at customer service anymore, only over the phone. But, she says, she knows that sometimes she can get someone to do it over the phone with her, and she places a call.
While we are waiting to find someone (in accounting?) willing to do this, I'm chuckling over the silliness of some new policy about credit card retention. And, since chuckling is not the reaction they are used to getting when someone is faced with yet another bureaucratic delay, I have to explain that I am an infosec maven, and why this type of thing is amusing. Someone in IT or (more likely) senior management has been terrified by some new requirement and has instituted a new process that will probably be, at best, minimally effective. Is it PCI-DSS? Is it (more likely) GDPR? And, while I'm doing this, I'm getting out my credit card, in preparation, and placing it on the desk.
The agent, while she is trying to get the right person in accounting, is looking at a screen which obviously has my account info on it. She glances at my card and notes, "So you're using the same card number, but it's got a new expiry date."
At which point I just guffawed out loud. The new credit card retention policy obviously says that you can't write the credit card number on a form, and can't make space for it on a form, and can't send it through the mail on a form, but obviously my card number (she said it was only the last three digits) and card expiry date show up on her screen. (And, presumably, somewhere in the back end my complete card number is available.)
Oh, SET? Twenty years ago the major credit card companies created Secure Electronic Transactions, a system designed for use of credit cards over the Internet. It provided a code to retailers that verified the user had a card and the charge would be honoured, but never actually gave the vendor the card number. (In a way, it was kind of a quick one-time form of digital currency.) They got to within three months of rolling out the system when someone noticed that the only problem SET actually solved was vendor fraud. But vendor fraud was, basically, a non-issue. So SET never did get released.
Well, with all the concern these days about credit card retention and data breaches, maybe it's time to give SET a second look ...