Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud
Program: Starbucks
Team Summary
Official summary from Starbucks
@kylecolson demonstrated the ability to brute force Starbucks Card numbers at a specific endpoint, then worked with our team to answer questions and verify the fix. Rate-limiting issues have been identified as an item listed as an exclusion within our program and have therefore been considered out of scope. However, this particular finding helped to identify an inconsistency in controls already applied. As a result, we will be evaluating how we triage and determine rate-limiting issues for eligibility in the future. Thanks @kylecolson!
Reported by: kylecolson
Report Details
State: Closed
Substate: Resolved
Weakness: Violation of Secure Design Principles