Forgot your password?
typodupeerror

Card Processing Software May Store CC Info 177

Posted by Zonk
from the i'll-just-hang-onto-this dept.
An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."
This discussion has been archived. No new comments can be posted.

Card Processing Software May Store CC Info

Comments Filter:
  • by Gravis Zero (934156) on Sunday March 19, 2006 @09:31AM (#14951685)
    i was wondering why i had bought several laptops for someone in Nigeria.
    • I'm trying to figure out why this is news.

      I've worked with various POS software/hardware as well as plenty of online ecommerce sites and I'm really stretching trying to think of at least one that didn't store CC information somewhere for much longer than the transaction lasted.

      Sure, if someone was using a third-party card processor, that third-party usually stored the info instead (although most people would be shocked by the merchants who store this info when there really is no reason for them to do so, si
      • by bastion_xx (233612) on Sunday March 19, 2006 @06:43PM (#14953731)
        They use the information for chargebacks, refunds, reconciliation, auto-renewal, etc..., etc...

        Last time I read the VISA and MC guidelines, the only real requirement was that you are never supposed to store the VVC code for longer than you need to get the authorization. Everything else is fair game to store, subject to various security guidelines.


        If you are still involved with card processing, you should read up on the latest guidelines. Basically, don't store the PAN or exipiration date unencrypted. And NEVER store the card verification code (CVV2, CVC2, or Amex's CID), track data, or PIN for debit transactions. It should be transmitted to the processor or authorizer and then deleted from memory.

        This has been in effect for a couple years now, but only recently (post Card Systems) have the associations started to really crack down. Processors and authorization entities were the first to comply with the more stringent guidelines. Now that they are, for the most part CISP complaint, the next in the chain are merchants.

        POS software should include authentication and logging, at minimum, pertaining to lookups of cardholder info. Even tighter controls on cardholder data access should be required.

        Post-transaction events such as chargebacks and returns do require access to cardholder details, at least the PAN.
  • by quokkapox (847798) <quokkapox@gmail.com> on Sunday March 19, 2006 @09:37AM (#14951693)
    You can't use credit cards because the number will get skimmed at the restaurant or the electronics store. You can't use cash because you might get pulled over or mugged and have your cash seized.

    I raise chickens. Does Fry's accept barter? How many chickens for an iPod? Oh wait, I forgot about bird flu.

  • by xoip (920266) on Sunday March 19, 2006 @09:40AM (#14951698) Homepage
    If there is no reason for storing pin data according to the credit card company specs, then why have these vendors built in a switch to do just that?
    • by jmp_nyc (895404) * on Sunday March 19, 2006 @10:24AM (#14951790)
      There's a restaurant from which my wife and I order food for delivery every so often. I almost always use cash.

      One time, I hadn't made it to the ATM recently enough and gave them my Visa number. The following time I ordered from them, I told them I wanted to pay cash. The delivery guy showed up with a credit card slip with my number on it. I called the restaurant and asked why they had stored my number without my permission. They shrugged it off and said they would remove it from their system.

      The next time I ordered from them, the same thing happened. I told them I was complaining to Visa, since I had specifically requested that they not retain my card number. They tried to make some excuse, but it hasn't happened since.

      This is exactly why I NEVER use a debit card, but will regularly use credit cards. If these guys are storing credit card numbers as a matter of practice, I don't want them to have my debit card number. Credit card agreements have built-in liability protection if the number is stolen. Debit cards leave the account holder dealing with missing money at least until things are sorted out, if not permanently.
      -JMP
      • Credit card agreements have built-in liability protection if the number is stolen. Debit cards leave the account holder dealing with missing money at least until things are sorted out, if not permanently.

        Debit cards have the same protection as credit cards when used as credit cards. The only time you're using it as a debit card is when you have to enter your PIN.

        • by hazem (472289)
          Debit cards have the same protection as credit cards when used as credit cards.

          That's what the banks say, but it's not often born out by experience.

          Remember, that visa debit card is attached to your checking account. If someone takes money they're not supposed to, you can end up bouncing checks and getting into all kinds of other trouble. You have to fight to get your money back, and bank does not have to respond immediately - and can even deny your claim.

          If you just use a credit card and someone gets you
          • Remember, that visa debit card is attached to your checking account. If someone takes money they're not supposed to, you can end up bouncing checks and getting into all kinds of other trouble.

            Exactly. Some credit card agreements and other loan contracts allow the issuer to raise your interest rate if your payment check to them bounces. Good luck getting that changed.

      • Actually, if your debit card is used through the credit-card system - I.E. the Visa or Mastercard system, then you have the same protections as a credit card for unauthorized charges. So, if you sign instead of using a pin, it is exactly like a credit card to the company issuing it, and is exactly like a credit card for you and your rights.

        • Same protections? Yes. But the money is actually *gone* while you dispute it. On a credit card dispute, they don't give you back money, they remove a debt. The difference may be subtle, but important.
    • Troubleshooting. Same reason you can store CVV2 codes, even though CISP says *never* store CCV2 codes. You'd be surprised how often this shit comees in handy when you are trying to figure out why a series of transactions failed. It's way easier to figure out what is fucked-up with a transaction if you can see all the data. Businesses ( and customers too, actually ) don't like to hear "Well it failed, but we don't keep data for that stuff, so that's all I can tell you." They are very into the why, and someti
    • The PCI-Security spec presented by the major credit card vendors is very specific about what sorts of data can be retained and how it must be protected. Storing credit card numbers is fine. Storing the CCV2 code or the complete contents of the mag strips is not. I would think that PIN storage would also be forbidden, though I have not read the spec in a while.

      This is an unusual move by Visa, and it suggests that the manufacturers of the software had likely been audited and refused to make the necessary c
      • I think it might be allowed to store the PIN if its encrypted somehow. My card was replaced recently due to a breach at a VISA vendor and in the letter my bank specified that the leaked information contained the PIN in encrypted form only.
        • If you store the credit card number itself, that is required to be encrypted.

          However, looking back at the spec, PIN's are not explicitly mentioned, so they might be covered in the same way that credit card numbers are. However, it seems to me that as the intent of a PIN is the same as the intent of a CCV2 number, the fact that CCV2 numbers *cannot* be retained makes me think that this is an oversight on the part of those who wrote the spec.

          Note, that if any credit card information is compromised, Visa/Mast
  • by chivo243 (808298) on Sunday March 19, 2006 @09:44AM (#14951706)
    not in the next 50 years... Until there is a "PERFECT" system in place for financial transactions, plus, too many remote "poor" areas that can't afford the other gizmos required for electronic payment. Long live cold hard cash.
    • If governments decide to stop using cash (which I believe they will, in our lifetimes), they will. They'll stop using it, banks won't have anything to do with it, and you'll be out there on your own, trying to enforce disputes and payments over goods and services with progressively more tatty bits of paper. Everyone else will be using some form of credit.

      Cash will be attacked for being connected with untraceable transactions relating to drugs, terrorism and tax evasion. The same people who now say `what's
      • There's one potential flaw in that - card clearing companies generally charge a per transaction fee (they have to make money somehow, after all). I can't imagine too many shops being happy to use cards for all transactions, when a good number of those transactions may be at or below the charge rate (eg newspapers, sweets, etc)

        I can well imagine a "only terrorists and criminals need to use cash" campaign, though.
        • >I can't imagine too many shops being happy to use cards for all transactions,
          their are many many costs associated with cash also, the merchants exposure to fraud (counterfeit/theft) has a price. Granted most of the costs with cash are taken care of by our government, so we probably don't know what those costs of cash are. I think I read the average life of cash (paper money) is 3 months, but I believe enough cash is lost/destroyed/collected to pay for the governments expense.
  • by ian_mackereth (889101) on Sunday March 19, 2006 @09:48AM (#14951715) Journal

    ...is to use someone else's card number, purchased as a job lot from the spotty-faced clerk at your local Best Buy, OfficeMax, Staples, etc!

    • No kidding.
      I've been buying and using visa gift cards and using them for anonymous purchases, because of this very problem in the article.
      For internet orders though, my citibank card offers virtual credit card numbers, which are disposable, and does the trick.
  • It's widespread... (Score:5, Interesting)

    by cardpuncher (713057) on Sunday March 19, 2006 @09:50AM (#14951718)
    I know a number of (UK) mailorder businesses that routinely store the card number, expiry date and CVV of all transactions. It's either done for convenience (if a refund is required later you don't have to phone the customer to get the card number) or because of operational issues (for example, there is a batch process that extracts the payment details from one system and passes it to another to actually debit the card and it has to be repeatable in case one part of the process fails: the lazy solution is to store everything indefinitely).

    The need to retain customer confidence in the card-processing system means that the interesting question of who would be liable in the case of a mass theft is unlikely to be tested in court - even if it were useful to do so (a lot of mailorder businesses are not cash rich and neither are the software companies that supply them).

    This risk will persist until there is some sort of two-factor authentication on all card transactions.
  • Amazon.com stores your credit card number if they only ask you to enter the last four digits of your card number, right ? So what's different here ? Maybe I've not understood something
    • The last four digits are what's the most important. You and many others will have the same first 4, 8, or 12 digits.
    • Amazon.com stores your credit card number if they only ask you to enter the last four digits of your card number, right ? So what's different here ? Maybe I've not understood something

      I think I can clarify... The problem isn't that they store the information, it's that unlike Amazon, they do it without your knowledge or consent. Also, because these vendors were unaware that this information was being stored by their systems, no security procedures are in place to prevent unscrupulous employees (or others)

    • Amazon is obvious to the customer about it. OTOH, these stores are doing it without the cust knowing.
    • Another difference is that these devices apparently stored your debit card card + pin. The statutory protections for unauthorized credit card transactions are much stronger than for debit cards (though most debit card issuers voluntarily extend those protections to debit cards).
    • Correct me if I'm wrong, but this can be done relatively securely, can't it? You store all the credit card info except the last four digits, and encrypt the stored data using those four digits (and of course some other data tied to that user). Then when you enter the last four, attempt to decrypt the stored data, append the four digits to end of the credit card number, calculate a hash of the decrypted info and compare it to the previously computed hash from the last transcation.

      Obviously you could brute-fo
      • A brute-force crack with only 10,000 possibilities to choose from? Not gonna take very long (assuming you know the hashing algorithm). At ten per second, that's under 17 minutes. If you're running something faster than a 486, you can probably check a hash faster than ten per second.
        • That was the point I made about brute-forcing it: after three tries you are dissallowed from ever trying again without entering the complete credit card information, as the encrypted info would be purged.

          Although the point made by the AC that the last 4 digits of people's credit cards are readily available in trash cans everywhere renders this method moot.

          Thanks for the responses both of you!

          • Also consider that the attacker could be an employee who has made a copy of all entries in the system before running the decryption logic on their own machine...in which case the "three strikes and you're out" mechanism won't apply.
            And there's the denial-of-service attack where the purpose of the attack is to cause a bunch of records to be purged ... in any security scenario, you have to consider all angles. Leave one hole open, and you still lose.
            • Right, that's what I was talking about - if your only way of trying to authenticate is via their web site, then it doesn't matter if they encrypt the data on the server or not. Since we're talking about cracking encryption, I was assuming you had access to the encrypted data.
  • HomeDepot in Canada (Score:4, Interesting)

    by Neter (56934) on Sunday March 19, 2006 @10:07AM (#14951751)

    I purchased some bathroom renovation supplies at HomeDepot in Toronto a few weeks ago. When I was complete, I brought back the parts that I had not used. When I returned them to the customer service desk, the lady scanned the barcode at the bottom of the receipt, and then tossed the valves into the "restock" bins. When I attempted to hand her my credit card to refund the transaction, she looked at me and said "We don't need that..."

    I looked at her, and asked how she had my credit card information, and how it was going to be credited to my account. She stated that they store all transaction information specifically so they can speed up the refund process.

    I asked to speak to the manager to complain about this, but after waiting for 10 minutes for him to show up, my wife got the better of me, and we had to go...

    Gut feeling says this should be against industry best practice, and potentially against Canadian banking and privacy laws, but IANAL.
    • The same thing happened to me at a Target in the u.s..
    • I hate to tell you this, but the store has saved your credit card information almost EVERY TIME you have ever used a credit card in a retail store in recent years. The reason? They HAVE to, otherwise they would never get paid.

      What happens is this: at the end of the day, the store (often from the store, but sometimes it's done from the corporate office) and the credit provider perform a process called Settlement, where they compare a log of the credit card transactions for the day. The retailer does not g
      • by ZoneGray (168419)
        Thanks for pointing out what should have been obvious... reminds me that I ran a retail shop in the 80's, and submitted my charges on paper.

        And anybody who RTFA noted that the issue concerned DEBIT cards. You don't worry much about getting your credit card stolen, because the liability is limited. Debit cards are a whole 'nother story, and the problem here is that some debit-card software had been storing the PIN number as well as the card number... so anybody who got the numbers could go to an ATM and em
      • What happens is this: at the end of the day, the store (often from the store, but sometimes it's done from the corporate office) and the credit provider perform a process called Settlement, where they compare a log of the credit card transactions for the day. The retailer does not get paid for the credit card sales until the transactions are reconciled.

        Keeping card data for Settlement makes sense. But once the company gets 'Settle 000' back why do they need the data then? The refund process should still req
    • by fermion (181285) on Sunday March 19, 2006 @10:54AM (#14951854) Homepage Journal
      My question is what information does the store have to save in order to do a refund. If the system was well done, it would just be a CC number with the original tranaction number to confirm. Such a system makes a lot of sense as it insures that the credit is applied to the same card and limits the number of person handling the card. Furthermore, it makes some sense for a operation to store the CC number along with the transaction in case the customer later protests the charge. Given the current practice of asking other questions to confirm the purchase, it is not such a big deal. For most retail outlets, a person must have a valid card with valid magnetic strip to make a purchase. These cards are not impossible to fabricate, but it an additional hurdle.

      The problem, as I see it, is vendors that store all customer information, in a single logical location, long term. For instance, after a purchase is valiated, which online takes 30 seconds, my adress and CVVC should be delinked from my cc number. Keep the CC number in a transaction log, but get rid of the CVC and only keep the address in a ship log. I know this is not going to happen, as it is complicated, but it should help protect us. I am with you though. We need laws that makes bad practice a liability on the vendors, banks, and device providers that utilize it.

    • Relax! To issue a refund to your credit card, the merchant only needs to store the last 4 digits [authorizenet.com] of your credit card number.

  • by vrimj (750402) on Sunday March 19, 2006 @10:10AM (#14951760)
    Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.

    Seems like something went wrong, they still don't know what or how (other then the possible OfficeMax connection), but they are using this opportunity to claim that it has something to do with devices not sanctioned by CC compaines.
    Look like this has a high probablity of being spin.

    • Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies.....

      Seems like something went wrong

      I'll tell you what went wrong - the credit card companies were accepting transactions put through by non-approved software. I'll get modded to hell and back for this, but this strikes me as exactly the kind of place where Trusted Computing could be useful - as a means to guarantee that the software being used to conduct financial transactions is app
    • If I were VeriSign, I'd get someone from legal to talk to their 'expert' before he gets them sued by either OfficeMax or Fujitsu or both. His opinion could be seen as coming close to extortion to buy their services.
  • by Jon Abbott (723) on Sunday March 19, 2006 @10:11AM (#14951762) Homepage
    A couple weeks ago, after finishing refueling my motorcycle, I put the pump back and started to get ready to leave. I noticed though that the pump display didn't say "Insert card and remove quickly" as it normally says when one leaves -- it said "Remove pump and begin fueling" -- as if it were giving a freebie to the next customer! I have no idea how common this problem is, but it may be prudent to watch out for it.
  • Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ...

    I have a BofA account, and the associated debit card. When I first received it, I was a bit miffed that it came with a 6-digit PIN, but now I've gotten used to it and I wish my other card issuers offered the option to select a PIN longer than 4 digits.

    That said, this is the first I've heard anything about BofA debit cards being pilfered and replaced.

  • by dubbayu_d_40 (622643) on Sunday March 19, 2006 @10:22AM (#14951786)
    Last weekend someone overseas (Bangkok) started draining my checking account. I have a Visa debit card and was directed to Visa put a block on the card. That didn't work, I guess ATM txns go a different route. I tried moving all of my checking and overdraft line of credit into my savings account, but it turns out that it too was used for overdraft protection. My bank is a small credit union and there was nothing I could do until Monday morning - but to their credit they refunded everything within two hours of me walking in the door.

    Lessons learned. Use your debit card as a credit card - the laws concerning credit fraud are more clear cut. Ask your bank to not to use your savings as overdraft protection. Only keep enough money in checking for what you know is coming in the short term, isolate the rest in the saving account. Check your account frequently (a friend has his balance emailed to him daily - not a bad idea). Check your credit history every four months (one free per year per credit agency - https://www.annualcreditreport.com/ [annualcreditreport.com] ).

    If fraud happens. Call bank/Visa/MC/whoever and get a block on your card. Call one of the credit agencies and put a fraud alert on your credit record. Call the local police and file a report. If you are like I was and can't do anything until Monday, move what is left into your savings account that are going to isolate after reading this.

    A good resource is: http://www.consumer.gov/idtheft/ [consumer.gov]

    • I've thought as well of e-mailing the balance of my account on a daily basis - as long as it does not have my account number. But since e-mail is unencrypted I'm a bit leery. The banks often as what your balance is as a secruity question.

      I don't understand why some banks are really using lame security to appeal to 99% of the population. Are the any banks accepting customers givem them say a public PGP key to send them their data electronically? Why can't more of the banks use finger-print I.D. or even put a
      • My bank sends me an email whenever an amount over a certain threshold is deducted from my account. If someone nicks some money from me, Ill get an email about it within 5-10 minutes (assuming Im sitting at my computer which, alas, I generally am). I can then log on and check the details of the transaction through their online banking facility, and contact them straight away.

        My bank's St. George. It's an Australian bank, I doubt they offer consumer accounts in the US.
  • Fujitsu is also behind Tokyo Stock Exchange's recent woes, with TSE having to limit operating hours when transactions near the system's limit. Fujitsu also took TSE down for a day in November 2005 after applying a software patch.
  • This is why I never use Debit at a store. Yeah it sucks when your credit card is stolen. Discover has been quick to issue a new card and restore my credit line. However, I always have a 2nd card for back-up. My debit card will never be used in a store because it is my money that is stolen. That is, they get access to my actual cash (well electronic funds) and not a line of credit. I'd much rather risk some credit dollars since I don't pay the disputed amount.
  • by jonwil (467024) on Sunday March 19, 2006 @10:34AM (#14951812)
    What is needed is a law that forces companies dealing with bank and finantial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPPA mandates high security for medical records.

    Essentialy it would mandate things like "any device or software that holds on to any finantial data after it is no longer required to process whatever transaction the data was given for is illegal" and "All devices storing or transporting or moving finantial data must use encryption" (for example, any US website taking banking details, finantial details or credit card details must use SSL or similar to encrypt the data as it goes over the internet) as well as requiring (for example) banks to do more to make it harder for phishing sites to fool users into plugging in their password (there are certainly solutions out there so its not like its not possible for the banks to do it, they just dont because it would cost too much to fix it).

    Also this law should have bigger penalties for companies who dont protect this data and it gets copied as a result (much like how there are penatlies if medical data is copied)
    • What is needed is a law that forces companies dealing with bank and finantial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPPA mandates high security for medical records.

      Banks already have that - it's the Gramm-Leach-Bliley act and purportedly is meant to protect customer financial privacy.

      I think that the gist of the article, though, is that the merchants are not under the same regulatory burden - and that is where the weak link in the chain is at the moment.

    • Visa and Mastercard are putting requirements into contracts that have the same effect. They mandate a security program called CISP or PCI or maybe something else this week which has requirements much more specific than HIPAA does. The contracts have penalty clauses.

      It's going to be interesting to see how this free-market equivalent of legislation works out.
  • In the future I think credit will be controlled by cryptographic smart cards which have a built in key pad. You will put in your card, punch in your pin, and then the card will unencrypt a 1-time authorization for a set amount of money that the vendor then sends to the credit card company to conduct the transaction. No processing off card. Requires something you have and something you know. Storing the data doesn't do any good.

    I think the only other form of transaction will be cash.

    • Or just a really good prediction? We already have these in Europe, the US is just a little behind in the chip-card game.
      • We have smart cards. And once when I first thought of the idea I looked and found a company that manufactured cards w/ the # pad on the card. But I don't know that the cards kept all confidential information on themselves. I certainly didn't know that europe used a # pad on card method though I had heard that smart cards were becoming more prevelant over there.
  • CC processing software needs to retain the card info for a few weeks until the transactions settle. This allows the merchant to handle chargebacks, disputes, etc.

    Nothing to be alarmed about as long as you trust the merchant.

    Chip H.
  • by cyclocommuter (762131) on Sunday March 19, 2006 @11:43AM (#14952021)
    This article on the globeandmail.com [theglobeandmail.com] talks about the inventor of one such device and the associated software (RenCode) and how easy it easy for thieves and others to get their hands on it.
  • Should this be my fucking problem in the first place?

    Free hint to Visa regarding Captain Zapps first axiom of software projects:

    Cheap, within scope, within time: Pick one!

  • I avoid using debit cards at retail stores if at all possible. The only exceptions are when for some reason I can't use my CC AND the store is a very large reputable firm. Enter my PIN into some mom and pop shop, not likely.

    On another note, yes, software does store CC numbers all the time. This is EXACTLY the same security that we've had for years with CC's. Before computers, we had hard copy "impressions" -- those had your full CC number too. CC's are inherently insecure, but that's ok. Let the CC
    • At the local Walmart, if you use a debit card at the register you have to enter your PIN with these large keys. It wouldn't be that hard to watch somebody enter their PIN in line at the register, then grab their wallet or purse on the way out. You could have a partner perform the actual theft, so you're not too easily associated with the crime. Heck, you might be able to get PINs from the security camera.
  • Sine credit card debt in the U.S. can no longer be bankrupted the banks have gotten incredibly greedy. The latest scam is targeting people who pay off their credit card every month: the credit card company simply "forgets" to send you a bill one month. If you don't notice, your next bill has late fees - interest, and is twice the size of what you expect. This in the hopes that you won't be able to pay it off.

    Please don't tell me that I could look up the account information on line; I have exactly zero inter
  • (I work for First National Merchant Solutions, a company which helps businesses accept payment by credit card.)

    Many highly-moderated posts here are confusing the facts, or saying how they think the system should work.

    The merchant SHOULD keep track of the credit card number. They can't print the card number on receipts they give to their customers, but the card number is sometimes the only customer identification they have. If a chargeback or retrieval request comes through, the mechant needs to be able to find information about a specific sale, and they usually find that using the card number.

    Someone reported that a business issued a credit to their card without requiring their card number again. This, too, is normal. Even if the merchant didn't store the credit card number, they would only have to call their credit card processing company (like the company I work for), identify themselves properly, give them the day of the original sale and the amount, and WE would tell them your card number and expiration date so they could process the credit. (You would have been wasting that manager's time, if you did talk to them.)

    Visa and Mastercard regulations prohibit merchants from storing the CVV2/CVC2 number (that's the 3 digit number printed on the papery stripe on the back of your card), or any of the 'secret' information encoded on the magnetic stripe of the card. Everything else they can store, AS LONG AS THEY COMPLY WITH SECURITY REQUIREMENTS. http://usa.visa.com/business/accepting_visa/ops_ri sk_management/cisp.html [visa.com] If they maintain a secure system, there is no problem at all with them storing their customers' details.

    If there's a security breach, the government's intervention is not required. Processing regulations already demand fines for noncompliance. If a merchant's security is penetrated and they lose a bunch of customer details, they'll have to pay a fine and have their security audited to Visa/Mastercard's satisfaction. These fines scale according to the size of the merchant and their annual transaction volume. The largest merchants (like those many of you are talking about) could face huge fines in the hundreds-of-thousands-of-dollars range, if they're noncompliant and they stay that way for any length of time.

    If a merchant is using your card information in a way they shouldn't (for example, assuming you'll put your sale on a card you used last time) that's a customer service issue. If they actually charge your card unauthorized, make them give the money back. If they don't credit your account within 30 days, contact your issuing bank. Chargeback reason "Fraudulent Transaction - No Cardholder Authorization." They aren't actually breaking any rules by using a stored card number, but that's still a pretty dumb thing to do if you want happy customers.

    OK, now back on topic. Pin-based debit information, like full magnetic stripe info and ESPECIALLY any information about the pin number challenge/response, should NEVER be stored by any merchant. (They can store the card number, debit network ID, various transaction reference numbers, etc.) If someone's software is doing that, merchants should stop using that software. Maybe Visa/Mastercard should release a bulletin to its member organizations, for its merchants, warning them that if they're using this software they need to stop. (Looks suspiciously like something which inspired the original article, doesn't it?) If merchants fail to switch to other, compliant software versions, they deserve the fines and sanctions they'll incur.

    (How can Visa and Mastercard levy fines, if they're not the government? Contract law. Visa and Mastercard require contracts with processing companies, like the one I work for. When we sign on a new merchant, they must sign a merchant processing agreement, which binds them to Visa/Mastercard's regulations, and with that binds them to any fines they might incur.)

    Now let's get the discussion back on track. No more of this "businesses are storing my credit card number and I don't like it!" stuff.
    • The merchant SHOULD keep track of the credit card number. They can't print the card number on receipts they give to their customers, but the card number is sometimes the only customer identification they have.

      If it is only for identification purposes, they could as well store a cryptographic hash of the credit card number plus other non-changing data on the card. So if the customer wants e.g. a chargeback, you apply the hash to his cc data again and compare. This way the cc number isn't stored and cannot be

  • I use MBNA [mbnanetaccess.com]'s random-generated "Shop Safe" credit card numbers. Citibank [citibank.com] has the same thing that they call "Virtual Account Numbers." Essentially they let you set a limit and experation date on a temporary CC number (it is of coursed temporarilly tied back to your real account with them). It works great, and keeps sites that store your account info from screwing you up when they get hacked.

    The concept is great for online, but I don't know why a "smart" CC couldn't do the same thing: allow you punch in a
    • Wouldn't a better method be to use your card not as a password, but as a one-time pad generator? I'm not an expert on crypto, but the process would go something as follows.
      1. You apply for a credit card. Card issuer generates a number, and uses it to seed a pseudo random number generator in your credit card
      2. Every time your card is used in a transaction, it issues a transaction ID and a "random" number.
      3. Because the credit card issuer knows both your seed and the RNG algorithm, it can use the transaction ID to

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...