DATE: December 3, 1999

TO: All Senior Financial Officers (SFO's)

SUBJECT: Credit Cards Security Issue

Please be advised that sensitive data related to Acquisition and Travel credit cards should not be kept on the office computers' hard drives or on diskettes unless the hard drive and / or diskettes can be stored in a secure, controlled-access cabinet when not being utilized.

The sensitive information pertains to details such as card numbers, expiry date, names of cardholders, amount of credit available with the cards, applicable restrictions to the card and, other information that could be utilized by unauthorized individuals to commit fraud or other unauthorized transactions.

The same information is also contained on some of the management reports received by departments on a monthly basis. These reports should also be kept in a secure controlled-access location when not being utilized.

The above details can easily be utilized by unauthorized individuals to purchase goods over the telephone and internet or, to replicate the cards and utilize them for fraudulent activities. As you can appreciate, the consequences of these illegal actions can be important.

In addition, when the above mentioned data is being transmitted to banks in order to report changes such as new dollar limits for cardholders, name changes or other modifications, please ensure that the full card numbers are not included in your message. You should always exclude the first four digits of the card number from your message.

The above information will be incorporated into the Acquisition Cards Program - Management Guide.

Should you require additional information on this subject please do not hesitate to contact Robert Berniquez, Financial Management and Accounting Policy (FMAP), at 613-957-9672 or by Email at


J. Colin Potts
Deputy Comptroller General

Date modified: