Card Processing Software May Store CC Info
An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."
I was wondering why I had bought several laptops for someone in Nigeria.
Anons need not reply. Questions end with a question mark.
I raise chickens. Does Fry's accept barter? How many chickens for an iPod? Oh wait, I forgot about bird flu.
it's a blue bright blue Saturday hey hey
If there is no reason for storing PIN data according to the credit card company specs, then why have these vendors built in a switch to do just that?
Not in the next 50 years... Until there is a "PERFECT" system in place for financial transactions, plus, too many remote "poor" areas that can't afford the other gizmos required for electronic payment. Long live cold hard cash.
Sig Hansen?
I know a number of (UK) mail-order businesses that routinely store the card number, expiry date and CVV of all transactions. It's either done for convenience (if a refund is required later you don't have to phone the customer to get the card number) or because of operational issues (for example, there is a batch process that extracts the payment details from one system and passes them to another to actually debit the card and it has to be repeatable in case one part of the process fails: the lazy solution is to store everything indefinitely).
The need to retain customer confidence in the card-processing system means that the interesting question of who would be liable in the case of a mass theft is unlikely to be tested in court - even if it were useful to do so (a lot of mail-order businesses are not cash rich and neither are the software companies that supply them).
This risk will persist until there is some sort of two-factor authentication on all card transactions.
I purchased some bathroom renovation supplies at Home Depot in Toronto a few weeks ago. When I was complete, I brought back the parts that I had not used. When I returned them to the customer service desk, the lady scanned the barcode at the bottom of the receipt, and then tossed the valves into the "restock" bins. When I attempted to hand her my credit card to refund the transaction, she looked at me and said "We don't need that..."
I looked at her, and asked how she had my credit card information, and how it was going to be credited to my account. She stated that they store all transaction information specifically so they can speed up the refund process.
I asked to speak to the manager to complain about this, but after waiting for 10 minutes for him to show up, my wife got the better of me, and we had to go...
Gut feeling says this should be against industry best practice, and potentially against Canadian banking and privacy laws, but IANAL.
Lessons learned. Use your debit card as a credit card - the laws concerning credit fraud are more clear cut. Ask your bank not to use your savings as overdraft protection. Only keep enough money in checking for what you know is coming in the short term, isolate the rest in the savings account. Check your account frequently (a friend has his balance emailed to him daily - not a bad idea). Check your credit history every four months (one free per year per credit agency - https://www.annualcreditreport.com/ ).
If fraud happens. Call bank/Visa/MC/whoever and get a block on your card. Call one of the credit agencies and put a fraud alert on your credit record. Call the local police and file a report. If you are like I was and can't do anything until Monday, move what is left into your savings account that you are going to isolate after reading this.
A good resource is: http://www.consumer.gov/idtheft/
Banks already have that - it's the Gramm-Leach-Bliley Act and purportedly is meant to protect customer financial privacy.
I think that the gist of the article, though, is that the merchants are not under the same regulatory burden - and that is where the weak link in the chain is at the moment.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.