Card Processing Software May Store CC Info
An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."
i was wondering why i had bought several laptops for someone in Nigeria.
Anons need not reply. Questions end with a question mark.
I raise chickens. Does Fry's accept barter? How many chickens for an iPod? Oh wait, I forgot about bird flu.
it's a blue bright blue Saturday hey hey
If there is no reason for storing pin data according to the credit card company specs, then why have these vendors built in a switch to do just that?
not in the next 50 years... Until there is a "PERFECT" system in place for financial transactions, plus, too many remote "poor" areas that can't afford the other gizmos required for electronic payment. Long live cold hard cash.
Sig Hansen?
Well, dear consumer, you need to sign up for our 'safe and secure implant payment system'. With just a single one-time injection you can pay for all your goods just by walking through our automated scanners.
"Oh, and since we are tied into the federal government's national database, you can be assured you will be kept more safe." "So sign up today!"
---- Booth was a patriot ----
I know a number of (UK) mailorder businesses that routinely store the card number, expiry date and CVV of all transactions. It's either done for convenience (if a refund is required later you don't have to phone the customer to get the card number) or because of operational issues (for example, there is a batch process that extracts the payment details from one system and passes it to another to actually debit the card and it has to be repeatable in case one part of the process fails: the lazy solution is to store everything indefinitely).
The need to retain customer confidence in the card-processing system means that the interesting question of who would be liable in the case of a mass theft is unlikely to be tested in court - even if it were useful to do so (a lot of mailorder businesses are not cash rich and neither are the software companies that supply them).
This risk will persist until there is some sort of two-factor authentication on all card transactions.
http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp
The law in Canada makes it illegal to store people's credit card numbers. The store doesn't need your number per se and they can't ask for it (or swipe your card twice to get it). Your card is swiped and the number goes directly to the card company. That's all that's necessary to complete the transaction and that's all the store is entitled to.
Amazon.com stores your credit card number if they only ask you to enter the last four digits of your card number, right ? So what's different here ? Maybe I've not understood something
I purchased some bathroom renovation supplies at HomeDepot in Toronto a few weeks ago. When I was complete, I brought back the parts that I had not used. When I returned them to the customer service desk, the lady scanned the barcode at the bottom of the receipt, and then tossed the valves into the "restock" bins. When I attempted to hand her my credit card to refund the transaction, she looked at me and said "We don't need that..."
I looked at her, and asked how she had my credit card information, and how it was going to be credited to my account. She stated that they store all transaction information specifically so they can speed up the refund process.
I asked to speak to the manager to complain about this, but after waiting for 10 minutes for him to show up, my wife got the better of me, and we had to go...
Gut feeling says this should be against industry best practice, and potentially against Canadian banking and privacy laws, but IANAL.
Seems like something went wrong; they still don't know what or how (other than the possible OfficeMax connection), but they are using this opportunity to claim that it has something to do with devices not sanctioned by CC companies.
Looks like this has a high probability of being spin.
A couple weeks ago, after finishing refueling my motorcycle, I put the pump back and started to get ready to leave. I noticed though that the pump display didn't say "Insert card and remove quickly" as it normally says when one leaves -- it said "Remove pump and begin fueling" -- as if it were giving a freebie to the next customer! I have no idea how common this problem is, but it may be prudent to watch out for it.
Slashdot's first reaction to VMware
1) Duh, all direct credit card transactions produce a printed piece of paper I have to sign, there is my signature and all 16 numbers on my CC, if any shopkeeper wants to keep/store/abuse it.
2) Those two or three main American companies that own (and log) everyone's ability to do electronic transactions ('credit card circuit' owners): they invented and could deploy the credit card system once, so what the hll are they waiting for to study & deploy a less stupid and more secure method of payment once and for the next 40 years?
That said, this is the first I've heard anything about BofA debit cards being pilfered and replaced. As someone who is paranoid by default, I am questioning the security status of my BofA debit card. I have, regretfully, shopped at Best Buy within the past month; when my LAN went down due to a burnt-up switch and I had to get a new one, BB was my easiest option.
Should I be worried? Considering that I've received no contact from BofA regarding this situation, I don't know whether to feel placated or even more paranoid.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Lessons learned. Use your debit card as a credit card - the laws concerning credit fraud are more clear cut. Ask your bank not to use your savings as overdraft protection. Only keep enough money in checking for what you know is coming in the short term; isolate the rest in the savings account. Check your account frequently (a friend has his balance emailed to him daily - not a bad idea). Check your credit history every four months (one free per year per credit agency - https://www.annualcreditreport.com/ ).
If fraud happens: call bank/Visa/MC/whoever and get a block on your card. Call one of the credit agencies and put a fraud alert on your credit record. Call the local police and file a report. If you are like I was and can't do anything until Monday, move what is left into the savings account that you are going to isolate after reading this.
A good resource is: http://www.consumer.gov/idtheft/
Fujitsu is also behind Tokyo Stock Exchange's recent woes, with TSE having to limit operating hours when transactions near the system's limit. Fujitsu also took TSE down for a day in November 2005 after applying a software patch.
There are a few articles that point out that the software that Fujitsu Transaction Solutions developed for these devices is not, in fact, responsible. I heard a quote in a radio soundbite yesterday afternoon from a Fujitsu spokesperson suggesting that there is no security vulnerability in their ware. In either event, it seems like there is more to the story than we know today. Is this simply a ploy by Visa (or others?) to spin public (read: media) opinion?
This is why I never use Debit at a store. Yeah it sucks when your credit card is stolen. Discover has been quick to issue a new card and restore my credit line. However, I always have a 2nd card for back-up. My debit card will never be used in a store because it is my money that is stolen. That is, they get access to my actual cash (well electronic funds) and not a line of credit. I'd much rather risk some credit dollars since I don't pay the disputed amount.
What is needed is a law that forces companies dealing with bank and financial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPAA mandates high security for medical records.
Essentially it would mandate things like "any device or software that holds on to any financial data after it is no longer required to process whatever transaction the data was given for is illegal" and "all devices storing or transporting or moving financial data must use encryption" (for example, any US website taking banking details, financial details or credit card details must use SSL or similar to encrypt the data as it goes over the internet) as well as requiring (for example) banks to do more to make it harder for phishing sites to fool users into plugging in their password (there are certainly solutions out there, so it's not like it's not possible for the banks to do it; they just don't because it would cost too much to fix it).
Also this law should have bigger penalties for companies who don't protect this data and it gets copied as a result (much like how there are penalties if medical data is copied).
Does anyone know who may be a more secure credit provider? Discover, Amex, MasterCard? I am a Visa customer, no balance! no PIN#! Does anyone have any inside advice about any of the competition?
No Fat Tony Jokes please, he don't like that kinda crap.
Sig Hansen?
I think the only other form of transaction will be cash.
I do security
Banks already have that - it's the Gramm-Leach-Bliley act and purportedly is meant to protect customer financial privacy.
I think that the gist of the article, though, is that the merchants are not under the same regulatory burden - and that is where the weak link in the chain is at the moment.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Visa and Mastercard are putting requirements into contracts that have the same effect. They mandate a security program called CISP or PCI or maybe something else this week which has requirements much more specific than HIPAA does. The contracts have penalty clauses.
It's going to be interesting to see how this free-market equivalent of legislation works out.
It is very illegal in the USA to use the SSN and yet, businesses all over do so. Total BS, but...
I prefer the "u" in honour as it seems to be missing these days.
I visited Toronto two years ago. I used my Mastercard there in some restaurants and cafes. Two weeks after I had left Canada, someone had used my credit card in Toronto to buy stuff worth 890 Canadian dollars (pretty near my limit of 1000). I still don't have a clue how this was done. Where I come from we don't use credit cards that much, mainly cash and debit.
CC processing software needs to retain the card info for a few weeks until the transactions settle. This allows the merchant to handle chargebacks, disputes, etc.
Nothing to be alarmed about as long as you trust the merchant.
Chip H.
This article on the globeandmail.com talks about the inventor of one such device and the associated software (RenCode) and how easy it is for thieves and others to get their hands on it.
The problem with anything other than a 4-digit PIN is that you have no idea if it will work when you try to use it. There are still some machines in the US, and many, many more in other countries, that only accept 4 numeric characters. In some cases it's your only option -- there are no other ATMs.
All major currencies are now "fiat" meaning they ARE just created on a whim, hence why most currencies suffer inflation.
Inflation is an increase in the money supply that is not justified by an increase of actual produced wealth.
In essence, the "money" out there comes as a form of counterfeit.
In the US, the problem is so acute now and the dollar in so much peril from rampant "borrowing" and introducing unjustified money into the system via selling bonds and treasury notes and pushing the massive real estate bubble (most new inflated phony fiat money enters through the banking congame system using the technique called "fractional reserve banking", look that up for an eye opener) that the "federal" reserve bank (which is a private bank contracted by "law" to "create" money which it then loans at "interest") has ceased publishing most of the M3 money supply statistics as of *this month*. It is so out of control now they have to do anything possible to divert attention and keep the shellgame running to try and avoid massive collapse.
I don't think it will work for much longer, in a historical term. My best guess is within a few years, and they WILL start more large scale wars as a last ditch diversionary tactic before total collapse.
It is by far and away the single biggest global congame scam that affects humans all over the planet, and it allows the planetary huge fatcats to control populations and business, which is their long term goal: establish control (done, that is accomplished) and maintain it (this they do by introducing inflated money to their pet projects and supporters and withholding it from "enemies"). This is the major reason for all the apparently ludicrous laws revolving around money and taxes, just a huge interconnected congame.
This is complex, *really* complex, but a simple way of looking at it is that the money most of us use now starts out completely counterfeit, just poof created out of thin air. It is either raw printed up in the form of banknotes (which are debt instruments) or it is data-entried into existence.
It has little to nothing to do with produced wealth; that's why all the economic problems all the time and all the boom and bust cycles. It's also a primary reason why wars are so easy to pull off: the people who profit from wars are basically the same who get to create the money, which they lend to themselves in the form of huge government contracts that they insist various citizens then need to pay back.
Then they have the nads to tell us we "owe" them all this principal back PLUS interest.
It is the mother of all economic crimes. Around the world central bankers need to be rounded up and incarcerated and put to forced hard labor. They are a larger threat than the next 10 million "terrorists" combined. They are beyond greedy into the truly evil category.
If you or I tried to loan that which did not exist, we would be arrested for fraud and buncoism. If I had say 50 televisions and told you I was going to sell you 200 televisions and all you got was 50 plus some IOU never to be honored except with further IOUs, you would think that was a fraud, and it would be. Yet bankers do this daily, and hand in hand with lying government weasels, they inflict this system on the rest of the planet. When governments and large central banks do this, it is called policy and business as usual. In the US they had to sneak the "federal reserve act" authorising fiat currency and turning over the creation of it to the "federal" reserve banks late at night when the bulk of congress was out at home for a holiday. This is easily researchable, the history of it is fascinating, how large scale crooks are able to act with impunity and take over governments, not only here in the US, but all over the planet.
Yes, let's put more lawyers to work. Visa has already led an initiative to make credit card usage more secure; it's called CISP, Cardholder Information Security Program. You can find information here: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
All retailers and software providers must comply with this initiative if they want to accept Visa cards as payment. Having worked in the retail POS software industry for the last 11 years I have seen all sorts of non-compliant behaviour. Just because someone passes a law or publishes a standard doesn't mean that everyone is following said law/standard. Everyone stores your card information at some level or another.
No Brains, No Headaches
Free hint to Visa regarding Captain Zapp's first axiom of software projects:
Cheap, within scope, within time: Pick one!
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Not regulatory as in government, but industry regulated yes. All card brands require that you comply with the Payment Card Industry, Data Security Standard. http://www.visa.com/cisp for more info...
Visa Warns of Cash-Register Flaw
Software Could Be Used To Steal Customers' Data From Credit, Debit Cards
By ROBIN SIDEL
The Wall Street Journal
March 17, 2006; Page A2
Visa USA Inc. is warning that two versions of popular software installed at cash registers could be used to steal information from credit and debit cards.
The software, which is used by retailers to help ring up transactions, can be used -- sometimes inadvertently -- in a way that allows the cash register to store customer data, such as personal-identification numbers used in debit-card transactions. Under card-industry guidelines, retailers aren't supposed to store that information because it can fall into criminal hands if a computer system is hacked or an unauthorized person gains access to it.
Retailers are supposed to comply with the industry rules, although some of the nation's biggest merchants didn't meet a December 2005 deadline to prove that they are following the regulations.
Visa, an association owned by thousands of financial institutions that issue credit cards and debit cards, sent out the alert in recent days to large "merchant acquirers," which are the companies that process card transactions for the nation's biggest retailers. A Visa spokeswoman confirmed the alert, a copy of which was reviewed by The Wall Street Journal.
"Visa has a responsibility to protect cardholder information," Visa said in a statement. "We confidentially alert financial institutions when there is a potential for any point-of-sale software or modification of it that puts cardholder information at risk."
It isn't clear if customer data have been stolen as a result of the glitch, but Visa said in the alert that it was issuing the warning after becoming aware of an incident that involved the software and data retention. Visa didn't specifically say that data theft occurred as a result of the incident.
The warning covers two versions of software that is made by Fujitsu Transaction Solutions Inc., a Frisco, Texas-based subsidiary of Japan's Fujitsu Ltd. The U.S. unit has a long list of big retail customers, including Best Buy Co., Dress Barn Inc., OfficeMax Inc., Staples Inc. and Payless ShoeSource Inc., according to the Fujitsu unit's Web site.
Representatives of Fujitsu denied that their software was being used to steal customer data and disagreed with Visa's decision to issue the warning. They said the versions of RAFT and GlobalStore software cited by Visa are about one-and-a-half years old and noted that their customers are continually upgrading their software products.
"There is no incident that I'm aware of. There is no breach of anything," said Keith McNamara, a senior vice president for software operations at Fujitsu. Mr. McNamara said he was aware of just one retailer that was using a version of the software identified by Visa, but declined to identify the merchant. A Best Buy spokeswoman said the company doesn't use the versions of the software cited by Visa. Representatives of Dress Barn, Staples and Payless couldn't be reached for comment. A spokesman for OfficeMax declined to discuss the type of software used by the company.
Mr. McNamara also said the software itself doesn't allow retailers to store customer information. Instead, other tools can be installed and essentially linked to the Fujitsu software that could permit the tracing or storage of sensitive, encrypted data, he said.
Since receiving the memo from Visa, large merchant acquirers, which include First Data Corp., Fifth Third Bancorp and Bank of America Corp., have been contacting their retail customers to address the matter. In the memo, Visa said that Fujitsu has a software upgrade available to address the issue.
"We got the notice and we will work with anyone who has been identified as having that software," said Stephanie Hagen, a spokeswoman for Fifth Third, which is based in Cincinnati.
The alert was issued in the same week that Citigroup Inc. said it was blocking transactions a
You're being overly paranoid. No payment gateway I've ever used has ever required the full card number to issue a refund (for a linked credit anyway, which is what you're describing).
The original transaction ID, and maybe some part of the card number (like a mask containing the last 4 digits), is sufficient.
And yes, any merchant is going to keep a transaction record for accounting, settlement and dispute purposes.
Hello stupid world,
I would like to let you know that I have first-hand knowledge that all CC processing machines actually store all the CC/expiry date and invoice transaction data internally in the machines for several years, depending on volume. An employee can easily print out this data and have all transaction batches printed out. If a company does not clear the memory of the units and sells their CC terminals, you are now liable for unknowingly distributing your clients' credit card information.
This function is not even protected by an admin password/admin swipe card. I think that credit card terminal vendors should be liable for not protecting this data under an admin password/swipe card. They are blatantly allowing anyone to steal this information and enabling others to create fake credit cards for transactions.
I think it is time to make the CC terminal manufacturers get charged for allowing their terminals to be used for fraud and to have them replace each and every one of them with a new unit that CAN NOT give out this information without some sort of password/swipe card protection. ON TOP OF ALL THAT, if the terminal detects ANY change in its settings, it should call up the CC processing facility and see if this terminal is active with the processor prior to displaying such important CC data; then the data could be saved from fraudulent use.
The simple method is to ensure that the terminals are protected from any possible fraudulent way of getting previous CC data. And that protection MUST come from the CC terminal manufacturers. This time they should be footing the bill to replace/upgrade their existing terminals with new code to offer such protection.
I avoid using debit cards at retail stores if at all possible. The only exceptions are when for some reason I can't use my CC AND the store is a very large reputable firm. Enter my PIN into some mom and pop shop, not likely.
On another note, yes, software does store CC numbers all the time. This is EXACTLY the same security that we've had for years with CC's. Before computers, we had hard copy "impressions" -- those had your full CC number too. CC's are inherently insecure, but that's ok. Let the CC company take on that risk, that's their business.
When forced to sign those electronic pads, I always use my left hand and just scribble something because I figure that once my sig is digitized, I can "sign" things from any hacker's system. Am I being overly paranoid?
And what about biometric data? What prevents its storage and later user as proof that we authorized transactions?
I realize that such data is never the exact same twice, but I don't like depending on systems that have to copy all instances of this data to make sure that they aren't seeing duplicates.
Besta é tu si você não viver nesse mundo!
I was recently involved in a software project which handled credit card transactions. As part of the project, I felt that it was important to get informed about the proper procedures with regards to sensitive information such as credit cards etc. I went to Visa & Mastercard to get specs on the above.
There is none. Bupkiss, nada, rien, nil, null and void.
Given the fact that there is a 'tax' of 3.5-4.5% on every credit card transaction, don't you think it would behoove the majors (Amex, Visa, MC) to provide crypto code so that it could be used as a template for storing CC info? They make billions and are always whining about fraud. So, why is it that the consumer is left totally hung out to dry?
Caveat emptor. You've been warned.
*** Don't be dull.***
Since credit card debt in the U.S. can no longer be bankrupted, the banks have gotten incredibly greedy. The latest scam is targeting people who pay off their credit card every month: the credit card company simply "forgets" to send you a bill one month. If you don't notice, your next bill has late fees and interest, and is twice the size of what you expect. This in the hopes that you won't be able to pay it off.
Please don't tell me that I could look up the account information on line; I have exactly zero interest in becoming a creditor's unpaid employee - doing all of their key punch work for them so that they can save money on printed bills and fire employees.
Chase pulled the "we forgot to send you a bill" scam on me last month. I called them up fought through the automated phone system and got to a real person. I got my account balance - gave them the check number for the payment in full and explained that along with the check they would also be receiving their credit card in several pieces. I told them to close the account as I would not do business with a company that behaved that way. If enough people do that the credit card companies will be forced to cease the practice.
I have talked to a number of people who pay off their cards every month, and they all have had similar experiences.
(I work for First National Merchant Solutions, a company which helps businesses accept payment by credit card.)
If they maintain a secure system, there is no problem at all with them storing their customers' details.
Many highly-moderated posts here are confusing the facts, or saying how they think the system should work.
The merchant SHOULD keep track of the credit card number. They can't print the card number on receipts they give to their customers, but the card number is sometimes the only customer identification they have. If a chargeback or retrieval request comes through, the merchant needs to be able to find information about a specific sale, and they usually find that using the card number.
Someone reported that a business issued a credit to their card without requiring their card number again. This, too, is normal. Even if the merchant didn't store the credit card number, they would only have to call their credit card processing company (like the company I work for), identify themselves properly, give them the day of the original sale and the amount, and WE would tell them your card number and expiration date so they could process the credit. (You would have been wasting that manager's time, if you did talk to them.)
Visa and Mastercard regulations prohibit merchants from storing the CVV2/CVC2 number (that's the 3-digit number printed on the papery stripe on the back of your card), or any of the 'secret' information encoded on the magnetic stripe of the card. Everything else they can store, AS LONG AS THEY COMPLY WITH SECURITY REQUIREMENTS. http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
If there's a security breach, the government's intervention is not required. Processing regulations already demand fines for noncompliance. If a merchant's security is penetrated and they lose a bunch of customer details, they'll have to pay a fine and have their security audited to Visa/Mastercard's satisfaction. These fines scale according to the size of the merchant and their annual transaction volume. The largest merchants (like those many of you are talking about) could face huge fines in the hundreds-of-thousands-of-dollars range, if they're noncompliant and they stay that way for any length of time.
If a merchant is using your card information in a way they shouldn't (for example, assuming you'll put your sale on a card you used last time) that's a customer service issue. If they actually charge your card unauthorized, make them give the money back. If they don't credit your account within 30 days, contact your issuing bank. Chargeback reason "Fraudulent Transaction - No Cardholder Authorization." They aren't actually breaking any rules by using a stored card number, but that's still a pretty dumb thing to do if you want happy customers.
OK, now back on topic. Pin-based debit information, like full magnetic stripe info and ESPECIALLY any information about the pin number challenge/response, should NEVER be stored by any merchant. (They can store the card number, debit network ID, various transaction reference numbers, etc.) If someone's software is doing that, merchants should stop using that software. Maybe Visa/Mastercard should release a bulletin to its member organizations, for its merchants, warning them that if they're using this software they need to stop. (Looks suspiciously like something which inspired the original article, doesn't it?) If merchants fail to switch to other, compliant software versions, they deserve the fines and sanctions they'll incur.
(How can Visa and Mastercard levy fines, if they're not the government? Contract law. Visa and Mastercard require contracts with processing companies, like the one I work for. When we sign on a new merchant, they must sign a merchant processing agreement, which binds them to Visa/Mastercard's regulations, and with that binds them to any fines they might incur.)
Now let's get the discussion back on track. No more of this "businesses are storing my credit card number and I don't like it!" stuff.
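The two posts above (the one saying a linked refund needs only the original transaction ID and the last four digits, and the processor employee's post saying merchants may keep the card number for chargebacks but must never keep CVV2, magnetic-stripe or PIN data) describe the same retention rule from two sides. The following Python is an added example written for this page, not code from any poster, Visa, or a real POS product. It goes one step further than the posts: instead of keeping the full card number on disk, it keeps a keyed HMAC fingerprint of it (the key `FINGERPRINT_KEY`, the field names, and the sample authorisation message are all constructed assumptions) so that a retrieval request quoting a card number and date can still be matched to a sale.

```python
import hashlib
import hmac

# Fields the processor employee's post says a merchant may legitimately retain
# for chargebacks, retrieval requests and linked refunds (names are assumed).
ALLOWED_FIELDS = {"txn_id", "amount_cents", "sale_date", "auth_code", "debit_network_id"}
# Fields the same post says must never be stored after authorisation.
PROHIBITED_FIELDS = {"cvv2", "track1", "track2", "pin_block"}

# Constructed, hypothetical merchant lookup key; a real deployment keeps it in
# an HSM or key vault, never in source code.
FINGERPRINT_KEY = b"example-merchant-lookup-key"


def only_digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Receipt-style masking: everything but the last four digits is hidden."""
    digits = only_digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_fingerprint(pan: str) -> str:
    """Keyed hash of the PAN so a sale can be found by card number later
    without the full number being kept on disk."""
    return hmac.new(FINGERPRINT_KEY, only_digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(auth_msg: dict) -> dict:
    """Reduce an authorisation message to the record that is persisted."""
    record = {k: v for k, v in auth_msg.items() if k in ALLOWED_FIELDS}
    record["pan_masked"] = mask_pan(auth_msg["pan"])
    record["pan_fp"] = pan_fingerprint(auth_msg["pan"])
    # Defensive check: the full PAN and every prohibited field were left behind.
    assert "pan" not in record and PROHIBITED_FIELDS.isdisjoint(record)
    return record


class TransactionStore:
    """In-memory stand-in for the merchant's transaction database."""

    def __init__(self) -> None:
        self._by_txn: dict[str, dict] = {}

    def record_sale(self, auth_msg: dict) -> dict:
        record = sanitize_for_storage(auth_msg)
        self._by_txn[record["txn_id"]] = record
        return record

    def linked_refund(self, txn_id: str, amount_cents: int) -> dict:
        """Credit against an earlier sale: needs the transaction id, not the card."""
        original = self._by_txn[txn_id]
        if amount_cents > original["amount_cents"]:
            raise ValueError("refund exceeds original sale")
        return {"credit_for": txn_id, "amount_cents": amount_cents,
                "pan_masked": original["pan_masked"]}

    def find_by_card(self, pan: str, sale_date: str) -> list[dict]:
        """Retrieval request: the processor quotes a card number and sale date."""
        fp = pan_fingerprint(pan)
        return [r for r in self._by_txn.values()
                if r["pan_fp"] == fp and r["sale_date"] == sale_date]


# Constructed authorisation message; the PAN is the widely published Visa test
# number, and the CVV2, track and PIN-block values are made up.
SAMPLE_AUTH = {
    "txn_id": "T-20060317-0001",
    "pan": "4111 1111 1111 1111",
    "cvv2": "123",
    "track2": "4111111111111111=08031011234567890",
    "pin_block": "A1B2C3D4E5F60718",
    "amount_cents": 4999,
    "sale_date": "2006-03-17",
    "auth_code": "012345",
}


def demo() -> dict:
    store = TransactionStore()
    stored = store.record_sale(SAMPLE_AUTH)
    refund = store.linked_refund("T-20060317-0001", 1999)
    matches = store.find_by_card("4111111111111111", "2006-03-17")
    return {"stored": stored, "refund": refund, "matches": len(matches)}


if __name__ == "__main__":
    print(demo())
```

The point of the allow-list in `sanitize_for_storage` is that anything not explicitly permitted is dropped, so a new field added to the authorisation message by a software upgrade (the scenario in the article) does not silently start being retained; the `assert` is a last line of defence, not the rule itself.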
When they can get all the data in the first swipe AND use it for the transaction to the bank?
Or just a really good prediction? We already have these in Europe, the US is just a little behind in the chip-card game.
The PCI standards dictate how cardholder data must be protected.
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
"In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard."
AND Visa is requiring that companies are audited for compliance.
And you can have your choice for your self-sustaining 20,000 sq me..
Gobi Desert or Antarctica?
every day http://en.wikipedia.org/wiki/Special:Random
never using the damn things again....mine are paid, and I only use them when I have no other option to pay, i.e. they won't accept cash, or check or chickens... I find being my own financial employee pays off. I had to use my credit card to book a flight, but then went online the next day and paid the fricken bill from the bank account the airline wouldn't accept. My time spent: 2 minutes; my peace of mind is worth that. Also, I don't want to see another slip of paper from any billing anything... what a waste, and it's passed on to us. Postage, paper costs, processing time etc. It could all be so much easier, but that is the cost of keeping people employed.
Sig Hansen?
I'm a customer service rep/tech support agent. The billing software I use at work stores credit card info whenever we put it in. It also shows the entire credit card number and expiration date (although I have used this same version with another employer where everything but the last four numbers of the CC acct# was hidden). Obviously, when we talk to customers we pretend we can only see the last four digits.
This software has an initial copyright of 1980 (it was text-based then); the version I use is copyrighted 2004 (real ugly GUI pasted over it). It keeps the credit card number whether you're doing a one-time payment or an automatic withdrawal. It has no delete feature for this data. Yes, some version of this software has been in existence for over 20 years, without a delete feature being added. If someone wants us to remove their credit card information we have no way to do it. We can change the exp date to something that won't pass with the CC company, but this is all up to them. I've seen credit card companies take charges when our exp date listed is three years expired.
I have heard that current versions of the software do have the ability to remove the CC info. But it seems this version is popular.
In this system your records stay on the database after you cancel your services with the company. So I have credit card data for people who are no longer our customer and haven't been for years.
I have used at least two other billing software packages that are pretty much the same. In other words, this lack of security is completely normal.
Where I work, at an online store for IT related consumables (also retail shopfront), it is standard procedure to store CC details.
The software we use (MYOB) is designed to store CC details in the customer card file.
It comes in handy to have these details in many situations, such as verifying a customer's ID, filling in missing details (!)- eg when a customer forgets to give us the security code, or writes their number wrong. We probably aren't meant to do this, but hell, we can do nationwide same-day delivery, and customers like that.
The CC details are stored unencrypted (unless MYOB encrypts) on a networked machine with net access. I worry about this sometimes. My boss doesn't seem to think it a problem.
Shiny side: In or out?
I have a minor problem with your sig - you pay taxes whether you get fined or not...
Funny, didn't these same companies lose millions of customer records recently? Oh, but that's just tin foil hat talk. If Visa says so, it must be the merchant. Given that Visa doesn't get a cut of the transaction unless you use your card as credit, there couldn't possibly be any reason for Visa to deter you from using your check card as a debit card...
I used to work for one of the big retailers and I can assure you that all this information is stored. Every transaction for about 15 years is stored on the company's back-end servers. If you used a card to buy something I could search that card number and find every single transaction that the card was involved with. It is a matter of convenience. If you return something they can simply return it without having to have your card. They could also make a new charge but that is against company policy.
It was charging that next customer's gas to your card. Seems like something that would have set off warning bells for me. Just sayin'.
I love deadlines. I like the whooshing sound they make as they fly by. - Douglas Adams
Troll? Wtf?
I use MBNA's random-generated "Shop Safe" credit card numbers. Citibank has the same thing that they call "Virtual Account Numbers." Essentially they let you set a limit and expiration date on a temporary CC number (it is of course temporarily tied back to your real account with them). It works great, and keeps sites that store your account info from screwing you up when they get hacked.
The concept is great for online, but I don't know why a "smart" CC couldn't do the same thing: allow you punch in a limit and download (bluetooth from your phone) a one-time credit card for un-trusted in-person merchants to bill against. You could have to put in your pin or whatever, but it wouldn't transmit across the store's machine, but via your cell phone back only to your bank.
Some sucker wants to double-swipe your card and store your info? It's worthless as the card number is going to expire in a month and is already maxed out (you'd set the limit to the amount of the purchase).
It's not ready for the masses who can't program their VCR's or the time on their microwave, but I've never had any CC fraud with online accounts since I started using MBNA's "Shop Safe" 4 years ago.
Stealing CC numbers is the only way Best Buy can get people to sign up for "free" subscriptions to Sports Illustrated and Entertainment Weekly.
I've always refused to use debit cards ever since a friend of mine lost her debit card and somebody withdrew her checking account. In the end she was liable for only $50, but she didn't have access to her money for a month until it was sorted out with her bank.
Several weeks ago I received a new Wells Fargo debit card sent to me overnight shipped through FedEx. I thought it was odd because typically it takes Wells Fargo several weeks to get you a new card, yet here was this new one overnighted. I heard on the news later that week that a Sacramento based OfficeMax had gotten their ATM records stolen. I had shopped at OfficeMax in that area a few weeks before.
Relax! To issue a refund to your credit card, the merchant only needs to store the last 4 digits of your credit card number.
They look at you funny for handing them three to five bills? Where are you shopping? I guess I'm thinking mostly of grocery stores, but I don't remember ever getting a look for handing over a hundred bucks in cash.
Our pretty, red fifty dollar bills were widely shunned by merchants a year or two ago, after a counterfeiting flap. I think the new fifties have assuaged their fears, because the little hand-lettered notices have disappeared from the checkout lanes. Twenties, though, were never in doubt in my experience.
Mind the Gap
Many major retailers store credit card info for data mining purposes. That way they can tell if you are using their store credit cards or your own and selectively advertise deals with their cards. They also use it in the troubleshooting of credit transaction problems. PIN information is NEVER stored in the clear. The encrypted PIN data doesn't get you much unless you were to have a spare Hardware Security Module (HSM) with the right keys loaded (your bank's keys) to decrypt it. The track data is however commonly stored which is something that should change very soon. Tracing capabilities need to be limited in their software to NULL out most of the data and leave say the last 4 digits, etc... Having written ISO 8583 processing systems, these reports don't surprise me and I would venture that they are much more widespread than reported here. The last retailer I worked for violated the current rules same as many others do. Millions of card numbers, their track data, and information is stored. There haven't been too many leaks yet, but the security of such data storage is a big problem just waiting to happen.
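The comment above describes the two things a merchant's software should be doing with card data: nulling out everything but the last four digits before a transaction record is persisted, and keeping track data out of storage entirely. The following is an added example, not code from the thread, from Fujitsu, MYOB, or any processor: it parses a Track 2 string (ISO/IEC 7813 layout), strips an authorization record down to what a refund or troubleshooting lookup actually needs, and scans a stored log for track data that should not be there. The log lines, PANs (well-known test numbers), PIN block and HMAC key are all constructed placeholders; `card_ref` (a keyed hash of the PAN so transactions can still be searched per card without storing the number) is this example's own design choice, not anything the thread's software does.

```python
"""Mask card data before storage and scan stored records for track data.

Added example with constructed sample data; not the software discussed above.
"""
import hashlib
import hmac
import re

# Track 2 (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
# Track 1: '%B' PAN '^' name '^' YYMM service-code discretionary-data '?'
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Fields that must never survive authorization (sensitive authentication data).
SENSITIVE_FIELDS = ("track1", "track2", "cvv", "pin_block")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; weeds out random digit runs in the scanner."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields; reject malformed or non-Luhn PANs."""
    m = TRACK2_RE.fullmatch(track)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid Track 2 string")
    return {"pan": m["pan"], "expiry": m["exp"],
            "service_code": m["svc"], "discretionary": m["disc"]}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as the comment above suggests."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sanitize_for_storage(auth: dict, hmac_key: bytes) -> dict:
    """Reduce an authorization record to what refunds and troubleshooting need.

    Track data, CVV and PIN block are dropped; the PAN is replaced by a masked
    form plus a keyed hash (hmac_key is a placeholder; a real key lives in an HSM
    or key store, never in the code).
    """
    track = parse_track2(auth["track2"])
    pan = track["pan"]
    stored = {k: v for k, v in auth.items() if k not in SENSITIVE_FIELDS}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_last4"] = pan[-4:]
    stored["expiry"] = track["expiry"]
    stored["card_ref"] = hmac.new(hmac_key, pan.encode(), hashlib.sha256).hexdigest()
    return stored


def find_track_data(blob: str) -> list:
    """Scan text (a log dump, a database export) for Track 1/2 data.

    Returns one finding per hit with the PAN already masked, so the report
    itself does not become another copy of the card numbers.
    """
    findings = []
    for line_no, line in enumerate(blob.splitlines(), start=1):
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m["pan"]):
                    findings.append({"line": line_no, "kind": kind,
                                     "pan_masked": mask_pan(m["pan"]),
                                     "expiry": m["exp"]})
    return findings


# Constructed sample data (4111... and 5500...0004 are standard test PANs).
SAMPLE_AUTH = {
    "terminal_id": "POS-07", "amount": "42.17", "auth_code": "A1B2C3",
    "track2": ";4111111111111111=29121011234567890?",
    "pin_block": "0123456789ABCDEF",   # constructed placeholder, not a real block
}
SAMPLE_LOG = """\
2006-03-10 12:01:22 POS-07 auth ok amount=42.17 track2=;4111111111111111=29121011234567890?
2006-03-10 12:02:05 POS-07 auth ok amount=9.99 pan=************0004
2006-03-10 12:03:41 POS-03 auth declined track2=;5500000000000004=28061015550000000?
2006-03-10 12:03:59 POS-03 raw swipe %B4111111111111111^DOE/JANE^29121011234567890?
2006-03-10 12:04:00 POS-03 batch settle count=3
"""

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH, b"placeholder-key"))
    for f in find_track_data(SAMPLE_LOG):
        print(f)
```

Running the block prints the reduced record (no `track2`, no `pin_block`) and three findings from the constructed log: the Track 2 strings on lines 1 and 3 and the Track 1 string on line 4; the already-masked PAN on line 2 is correctly ignored. The scanner is the kind of check worth running over settlement logs and database dumps on a schedule, since the comment's point is that the storage is routine rather than exceptional.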