Card Processing Software May Store CC Info
An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."
I was wondering why I had bought several laptops for someone in Nigeria.
Anons need not reply. Questions end with a question mark.
I raise chickens. Does Fry's accept barter? How many chickens for an iPod? Oh wait, I forgot about bird flu.
it's a blue bright blue Saturday hey hey
If there is no reason for storing PIN data according to the credit card company specs, then why have these vendors built in a switch to do just that?
not in the next 50 years... Until there is a "PERFECT" system in place for financial transactions, plus, too many remote "poor" areas that can't afford the other gizmos required for electronic payment. Long live cold hard cash.
Sig Hansen?
I know a number of (UK) mailorder businesses that routinely store the card number, expiry date and CVV of all transactions. It's either done for convenience (if a refund is required later you don't have to phone the customer to get the card number) or because of operational issues (for example, there is a batch process that extracts the payment details from one system and passes it to another to actually debit the card and it has to be repeatable in case one part of the process fails: the lazy solution is to store everything indefinitely).
The need to retain customer confidence in the card-processing system means that the interesting question of who would be liable in the case of a mass theft is unlikely to be tested in court - even if it were useful to do so (a lot of mailorder businesses are not cash rich and neither are the software companies that supply them).
This risk will persist until there is some sort of two-factor authentication on all card transactions.
I purchased some bathroom renovation supplies at Home Depot in Toronto a few weeks ago. When I was done, I brought back the parts that I had not used. When I returned them to the customer service desk, the lady scanned the barcode at the bottom of the receipt, and then tossed the valves into the "restock" bins. When I attempted to hand her my credit card to refund the transaction, she looked at me and said "We don't need that..."
I looked at her, and asked how she had my credit card information, and how it was going to be credited to my account. She stated that they store all transaction information specifically so they can speed up the refund process.
I asked to speak to the manager to complain about this, but after waiting for 10 minutes for him to show up, my wife got the better of me, and we had to go...
Gut feeling says this should be against industry best practice, and potentially against Canadian banking and privacy laws, but IANAL.
Seems like something went wrong, they still don't know what or how (other than the possible OfficeMax connection), but they are using this opportunity to claim that it has something to do with devices not sanctioned by CC companies.
Looks like this has a high probability of being spin.
A couple weeks ago, after finishing refueling my motorcycle, I put the pump back and started to get ready to leave. I noticed though that the pump display didn't say "Insert card and remove quickly" as it normally says when one leaves -- it said "Remove pump and begin fueling" -- as if it were giving a freebie to the next customer! I have no idea how common this problem is, but it may be prudent to watch out for it.
Slashdot's first reaction to VMware
Lessons learned. Use your debit card as a credit card - the laws concerning credit fraud are more clear cut. Ask your bank not to use your savings as overdraft protection. Only keep enough money in checking for what you know is coming in the short term, isolate the rest in the savings account. Check your account frequently (a friend has his balance emailed to him daily - not a bad idea). Check your credit history every four months (one free per year per credit agency - https://www.annualcreditreport.com/ ).
If fraud happens: Call bank/Visa/MC/whoever and get a block on your card. Call one of the credit agencies and put a fraud alert on your credit record. Call the local police and file a report. If you are like I was and can't do anything until Monday, move what is left into the savings account that you are going to isolate after reading this.
A good resource is: http://www.consumer.gov/idtheft/
We apologize for the preceding message. All those responsible have been sacked.
This is why I never use Debit at a store. Yeah it sucks when your credit card is stolen. Discover has been quick to issue a new card and restore my credit line. However, I always have a 2nd card for back-up. My debit card will never be used in a store because it is my money that is stolen. That is, they get access to my actual cash (well electronic funds) and not a line of credit. I'd much rather risk some credit dollars since I don't pay the disputed amount.
What is needed is a law that forces companies dealing with bank and financial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPAA mandates high security for medical records.
Essentially it would mandate things like "any device or software that holds on to any financial data after it is no longer required to process whatever transaction the data was given for is illegal" and "All devices storing or transporting or moving financial data must use encryption" (for example, any US website taking banking details, financial details or credit card details must use SSL or similar to encrypt the data as it goes over the internet) as well as requiring (for example) banks to do more to make it harder for phishing sites to fool users into plugging in their password (there are certainly solutions out there so it's not like it's not possible for the banks to do it, they just don't because it would cost too much to fix it).
Also this law should have bigger penalties for companies who don't protect this data and it gets copied as a result (much like how there are penalties if medical data is copied).
Not true, most credit card transaction receipts include only the first and last 4 digits of the credit card number. The rest usually consists of *'s or X's.
This is to avoid fraud, the printout only serves the purpose of identifying the proper card with the proper sequence number, amount, date and signature.
Some cheaper, less used systems WILL however print out the complete number. I would personally find another method of payment if you know place X does that, but if you have to use a credit card, don't throw your receipt away in the trash.
Banks already have that - it's the Gramm-Leach-Bliley act and purportedly is meant to protect customer financial privacy.
I think that the gist of the article, though, is that the merchants are not under the same regulatory burden - and that is where the weak link in the chain is at the moment.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
This article on globeandmail.com talks about the inventor of one such device and the associated software (RenCode) and how easy it is for thieves and others to get their hands on it.
(I work for First National Merchant Solutions, a company which helps businesses accept payment by credit card.)
If they maintain a secure system, there is no problem at all with them storing their customers' details.
Many highly-moderated posts here are confusing the facts, or saying how they think the system should work.
The merchant SHOULD keep track of the credit card number. They can't print the card number on receipts they give to their customers, but the card number is sometimes the only customer identification they have. If a chargeback or retrieval request comes through, the merchant needs to be able to find information about a specific sale, and they usually find that using the card number.
Someone reported that a business issued a credit to their card without requiring their card number again. This, too, is normal. Even if the merchant didn't store the credit card number, they would only have to call their credit card processing company (like the company I work for), identify themselves properly, give them the day of the original sale and the amount, and WE would tell them your card number and expiration date so they could process the credit. (You would have been wasting that manager's time, if you did talk to them.)
Visa and Mastercard regulations prohibit merchants from storing the CVV2/CVC2 number (that's the 3-digit number printed on the papery stripe on the back of your card), or any of the 'secret' information encoded on the magnetic stripe of the card. Everything else they can store, AS LONG AS THEY COMPLY WITH SECURITY REQUIREMENTS. http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
If there's a security breach, the government's intervention is not required. Processing regulations already demand fines for noncompliance. If a merchant's security is penetrated and they lose a bunch of customer details, they'll have to pay a fine and have their security audited to Visa/Mastercard's satisfaction. These fines scale according to the size of the merchant and their annual transaction volume. The largest merchants (like those many of you are talking about) could face huge fines in the hundreds-of-thousands-of-dollars range, if they're noncompliant and they stay that way for any length of time.
If a merchant is using your card information in a way they shouldn't (for example, assuming you'll put your sale on a card you used last time) that's a customer service issue. If they actually charge your card unauthorized, make them give the money back. If they don't credit your account within 30 days, contact your issuing bank. Chargeback reason "Fraudulent Transaction - No Cardholder Authorization." They aren't actually breaking any rules by using a stored card number, but that's still a pretty dumb thing to do if you want happy customers.
OK, now back on topic. PIN-based debit information, like full magnetic stripe info and ESPECIALLY any information about the PIN challenge/response, should NEVER be stored by any merchant. (They can store the card number, debit network ID, various transaction reference numbers, etc.) If someone's software is doing that, merchants should stop using that software. Maybe Visa/Mastercard should release a bulletin to its member organizations, for its merchants, warning them that if they're using this software they need to stop. (Looks suspiciously like something which inspired the original article, doesn't it?) If merchants fail to switch to other, compliant software versions, they deserve the fines and sanctions they'll incur.
(How can Visa and Mastercard levy fines, if they're not the government? Contract law. Visa and Mastercard require contracts with processing companies, like the one I work for. When we sign on a new merchant, they must sign a merchant processing agreement, which binds them to Visa/Mastercard's regulations, and with that binds them to any fines they might incur.)
Now let's get the discussion back on track. No more of this "businesses are storing my credit card number and I don't like it!" stuff.
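The post above draws the line the card brands draw: a merchant may keep the card number (suitably protected) and transaction references, but never the CVV2/CVC2, full magnetic-stripe track data or anything from the PIN exchange; the earlier receipt thread notes that printed receipts show only a few digits of the number. The following is an added example, written for this page and not code from the original thread, from Visa, or from any processor named here. It scans constructed transaction records (not real card data) for the prohibited items, using the Track 1/Track 2 layouts and a Luhn check to tell raw swipe data from other digit strings, and shows a receipt-style PAN mask. Field names such as `raw_swipe` and the record layout are assumptions for illustration.

```python
"""Audit stored transaction records for data a merchant must never retain
(CVV2/CVC2, track data, PIN data) and mask a PAN for a receipt.
All sample records below are constructed; none are real cards."""

import re

# Field names that hold sensitive authentication data; they must not survive
# authorization at all, whatever protection the rest of the record gets.
PROHIBITED_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Raw magnetic-stripe layouts.  Track 2: optional ';', PAN, '=', YYMM expiry,
# service code and discretionary data, optional '?'.  Track 1: '%B', PAN,
# '^NAME^', YYMM and the rest.  The captured group is the PAN in both.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})\d*\??")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn check so the scanner does not flag an unrelated run of digits."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4, fill: str = "*") -> str:
    """Mask a PAN for printing, keeping only the agreed leading/trailing digits."""
    if keep_first + keep_last >= len(pan):
        raise ValueError("mask would reveal the full PAN")
    body = fill * (len(pan) - keep_first - keep_last)
    return pan[:keep_first] + body + pan[len(pan) - keep_last:]


def find_prohibited(record: dict) -> list:
    """Return (field, reason) pairs for anything in a record that must not be stored."""
    findings = []
    for field, value in record.items():
        if field.lower() in PROHIBITED_FIELDS:
            findings.append((field, "sensitive authentication data field"))
            continue
        if not isinstance(value, str):
            continue
        # A full swipe can hide in a generic field such as a notes or raw buffer column.
        m = TRACK1_RE.search(value) or TRACK2_RE.search(value)
        if m and luhn_ok(m.group(1)):
            findings.append((field, "magnetic-stripe track data"))
    return findings


def audit(records: list) -> dict:
    """Map each record's reference to the prohibited items found in it."""
    return {r["ref"]: find_prohibited(r) for r in records}


# Constructed sample of what a merchant's transaction log might contain.
SAMPLE_RECORDS = [
    {   # Permitted content: PAN, expiry, amount, authorization code, reference.
        "ref": "TXN-0001", "pan": "4111111111111111", "exp": "0812",
        "amount": "149.99", "auth_code": "A1B2C3",
    },
    {   # Noncompliant: CVV2 kept, and a full Track 2 image sitting in a free-text field.
        "ref": "TXN-0002", "pan": "5555555555554444", "exp": "1009",
        "amount": "39.00", "cvv2": "123",
        "raw_swipe": ";5555555555554444=10091011000012345678?",
    },
]

if __name__ == "__main__":
    for ref, findings in audit(SAMPLE_RECORDS).items():
        print(ref, "OK" if not findings else findings)
    print("receipt shows:", mask_pan(SAMPLE_RECORDS[0]["pan"]))
```

Run against the constructed log, the first record passes and the second is flagged twice, once for the `cvv2` field by name and once for the Track 2 string found by pattern in `raw_swipe`; the masked PAN is what a receipt printer should emit instead of the stored number.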