No, people almost always phone with this type of info. Even then the hesitation is there in disclosure.

I've gotten it before. Not the SSN but definitely the whole cc info.

I'm always paranoid that I am going to forget to redact that in my replies. I also try to nicely caution them against sending that info in an email.

If I had a penny for every time someone mailed me: "Hi my useername is abc and password is xyz" - I'd be rich...

There is definitely a subset of the human race who think it necessary to quote their password/pin at the slightest opportunity. That is balanced by the ones who imagine that the Russian mafia will empty their account if they ever use a card on-line.

Got Paypal user ID and the password a few years back and full credit card info a few times..

Although it's not a "funny" thing . . . still made me chuckle . . . saw an RFP for a project on eLance a few days ago that included FTP access and password. They edited it rather quickly when a kind provider warned them, but still . . .

Yet, at the same time, the FTC is imposing a new act Nov 1 putting the thumbscrews on banks, creditors, and any business that manages sensitive data (see my thread in Professional Webmaster Issues.) Though it's the users that are usually the problem, the responsibility falls on us. So overwhelming . . .

Wanna hear a worse story? We had a chargeback, we asked the bank for details of the chargeback. They emailed us the cc#, full billing address all in a PDF in email. YIKES

Less obvious...

When replying to a customer who emails potentially sensitive non-financial info such as telephone # (which may be unlisted) or a residence address, do you delete that info in your response to them?

We do, especially for female customers. I'll replace her phone number (123-456-7890) with 123-nnn-nnnn. We obliterate those numbers even though our shopping cart order confirmation email to her contained the phone and address she entered when placing her order.

What's the best practice for handling such info?

Most of my customers are ready to give their contact number. But there was one case where a customer gave his credit card details over email and i had to make sure that the email got purged and no one else got access to it.

Vijay
<snip>

[edited by: engine at 11:15 am (utc) on Oct. 21, 2009]
[edit reason] See WebmasterWorld TOS [/edit]

i used to work for a travel company and they logged the full credit card number, expiry dates and name on the card on every booking. we had call centres up and down the country.. our technical support desk was based in india too. that's hundreds of different employees from all over the place all looking at the bookings and seeing the info.
if anyone had any criminal tendancies they'd be living in their dream world. how would the cops ever trace that? the bookings could have dated back years.

Had a person I never met not a customer either but a writer on our article site send me there google log info to me. They had an adsense account I assume maybe more. I never signed into the account but sent him an email to NEVER EVER give that information out to ANYBODY and to change the password ASAP.

Now I know why I continue to get You just won 1 Pa Trillion dollar emails all day long. A Pa Trillion is more than a billion but less than a Ma Trillion

A few years ago at another job i did this sort of thing for a client who was used to getting CC#s via email and was reluctant to change the way he handled them. I insisted that the emails at the least, be encrypted.