
Card Processing Software May Store CC Info

Posted by Zonk
from the i'll-just-hang-onto-this dept.
An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."
This discussion has been archived. No new comments can be posted.

  • by Nimloth (704789) on Sunday March 19, 2006 @10:45AM (#14951837)
    Not true, most credit card transaction receipts include only the first and last 4 digits of the credit card number. The rest usually consists of *'s or X's.
    This is to avoid fraud, the printout only serves the purpose of identifying the proper card with the proper sequence number, amount, date and signature.
    Some cheaper, less used systems WILL however print out the complete number. I would personally find another method of payment if you know place X does that, but if you have to use a credit card, don't throw your receipt away in the trash.
  • by cyclocommuter (762131) on Sunday March 19, 2006 @11:43AM (#14952021)
    This article on the globeandmail.com [theglobeandmail.com] talks about the inventor of one such device and the associated software (RenCode) and how easy it is for thieves and others to get their hands on it.
  • inflation (Score:1, Informative)

    by Anonymous Coward on Sunday March 19, 2006 @12:12PM (#14952136)
    All major currencies are now "fiat" meaning they ARE just created on a whim, hence why most currencies suffer inflation.

      Inflation is an increase in the money supply that is not justified by an increase of actual produced wealth.

      In essence, the "money" out there comes as a form of counterfeit.

      In the US, the problem is so acute now and the dollar in so much peril from rampant "borrowing" and introducing unjustified money into the system via selling bonds and treasury notes and pushing the massive real estate bubble (most new inflated phony fiat money enters through the banking congame system using the technique called "fractional reserve banking", look that up for an eye opener) that the "federal" reserve bank (which is a private bank contracted by "law" to "create" money which it then loans at "interest") has ceased publishing most of the M3 money supply statistics as of *this month*. It is so out of control now they have to do anything possible to divert attention and keep the shellgame running to try and avoid massive collapse.

    I don't think it will work for much longer, in a historical term. My best guess is within a few years, and they WILL start more large scale wars as a last ditch diversionary tactic before total collapse.

      It is by far and away the single biggest global congame scam that affects humans all over the planet, and it allows the planetary huge fatcats to control populations and business, which is their long term goal, establish control-done, that is accomplished, and maintain it-this they do by introducing inflated money to their pet projects and supporters and withholding it from "enemies". This is the major reason for all the apparently ludicrous laws revolving around money and taxes, just a huge interconnected congame.

    This is complex,*really* complex, but a simple way of looking at it is that the money most of us use now starts out completely counterfeit, just poof created out of thin air. It is either raw printed up in the form of banknotes (which are debt instruments) or it is data entried into existence.

        It has little to nothing to do with produced wealth, that's why all the economic problems all the time and all the boom and bust cycles. It's also a primary reason why wars are so easy to pull off, the people who profit from wars are basically the same who get to create the money, which they lend to themselves in the form of huge government contracts that they insist various citizens then need to pay back.

    Then they have the nads to tell us we "owe" them all this principal back PLUS interest.

    It is the mother of all economic crimes. Around the world central bankers need to be rounded up and incarcerated and put to forced hard labor. They are a larger threat than the next 10 million "terrorists" combined. They are beyond greedy into the truly evil category.

        If you or I tried to loan that which did not exist, we would be arrested for fraud and buncoism. If I had say 50 televisions and told you I was going to sell you 200 televisions and all you got was 50 plus some IOU never to be honored except with further IOUs, you would think that was a fraud, and it would be. Yet bankers do this daily, and hand in hand with lying government weasels, they inflict this system on the rest of the planet. When governments and large central banks do this, it is called policy and business as usual. In the US they had to sneak the "federal reserve act" authorising fiat currency and turning over the creation of it to the "federal" reserve banks late at night when the bulk of congress was out at home for a holiday. This is easily researchable, the history of it is fascinating, how large scale crooks are able to act with impunity and take over governments, not only here in the US, but all over the planet.
  • by hazem (472289) on Sunday March 19, 2006 @01:57PM (#14952567) Journal
    Debit cards have the same protection as credit cards when used as credit cards.

    That's what the banks say, but it's not often borne out by experience.

    Remember, that visa debit card is attached to your checking account. If someone takes money they're not supposed to, you can end up bouncing checks and getting into all kinds of other trouble. You have to fight to get your money back, and the bank does not have to respond immediately - and can even deny your claim.

    If you just use a credit card and someone gets your number, it's actually the credit card company's money that's lost - not yours.

    Why risk it.

    Here's some info from Clark Howard's website about what he calls "Fake Visa's":

    http://clarkhoward.com/shownotes/category/7/40/225/ [clarkhoward.com]


    Feb 14, 2005 -- Update on Visa check card rights
    Visa's check card is supposed to help eliminate debt by drafting money directly and immediately from your account that has money. But there are some problems with the cards. First, criminals can empty your checking account if they get their hands on your card. Who pays the bounced checks charges if your check card has been stolen? YOU DO! Also, on a real credit card, if you order something you have the right to dispute the charge if something happens to your order. Until now, you could not dispute an order problem on your check card. Visa is now offering modified dispute rights for check card customers. If you have a check card, look on the back and see if it says 'enterlink'. If your card does say this, then you might be covered under Visa's new policy. Make sure you check with your bank to see if you are covered before you begin ordering on your check card.

    Nov 10, 2004 -- Fake Visa warning and Wells Fargo update
    Clark has a special warning for people who carry fake Visa cards. There has been a breach of security at one of the big national merchants. No one is saying which merchant it is, but an employee has evidently obtained the records of an untold number of customers. That person is using people's debit card numbers across the country without their knowledge. So, when people try to use their cards, they are being turned away. We need full disclosure by the banking industry about this and anytime it happens. We need to know how many people are affected and what institution is involved. So, for the next seven days, if you carry a fake Visa card, check your account for unauthorized debits. Criminals are striking fast before people realize what's going on. Why is this so important? If someone gets a hold of your fake Visa numbers and charges up your account, that money is gone. You have to fight to get that money back, and banks decide on an individual basis. Also, Visa offers no protection for you if it causes checks to bounce. It's a disgrace, but right now, banks are free to decide whether they want to help you out or not.

  • Re:SSN in USA (Score:1, Informative)

    by Anonymous Coward on Sunday March 19, 2006 @02:36PM (#14952712)
    Ferris State University used mine for my Universal Refrigeration License when I was tested several years ago.

    Now everyplace I do business has my SS # because the EPA requires me to provide my license number to purchase things like Freon.

    Try winning a jackpot at a Detroit casino and not provide a SS #. Clerks there sell others identity information on the Internet. Saw it on the local news. Nobody cares, not the police, not the casinos, not the state. It's required by the IRS and they have very loose standards for handling personal information.
  • (I work for First National Merchant Solutions, a company which helps businesses accept payment by credit card.)

    Many highly-moderated posts here are confusing the facts, or saying how they think the system should work.

    The merchant SHOULD keep track of the credit card number. They can't print the card number on receipts they give to their customers, but the card number is sometimes the only customer identification they have. If a chargeback or retrieval request comes through, the merchant needs to be able to find information about a specific sale, and they usually find that using the card number.

    Someone reported that a business issued a credit to their card without requiring their card number again. This, too, is normal. Even if the merchant didn't store the credit card number, they would only have to call their credit card processing company (like the company I work for), identify themselves properly, give them the day of the original sale and the amount, and WE would tell them your card number and expiration date so they could process the credit. (You would have been wasting that manager's time, if you did talk to them.)

    Visa and Mastercard regulations prohibit merchants from storing the CVV2/CVC2 number (that's the 3 digit number printed on the papery stripe on the back of your card), or any of the 'secret' information encoded on the magnetic stripe of the card. Everything else they can store, AS LONG AS THEY COMPLY WITH SECURITY REQUIREMENTS. http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html [visa.com] If they maintain a secure system, there is no problem at all with them storing their customers' details.

    If there's a security breach, the government's intervention is not required. Processing regulations already demand fines for noncompliance. If a merchant's security is penetrated and they lose a bunch of customer details, they'll have to pay a fine and have their security audited to Visa/Mastercard's satisfaction. These fines scale according to the size of the merchant and their annual transaction volume. The largest merchants (like those many of you are talking about) could face huge fines in the hundreds-of-thousands-of-dollars range, if they're noncompliant and they stay that way for any length of time.

    If a merchant is using your card information in a way they shouldn't (for example, assuming you'll put your sale on a card you used last time) that's a customer service issue. If they actually charge your card unauthorized, make them give the money back. If they don't credit your account within 30 days, contact your issuing bank. Chargeback reason "Fraudulent Transaction - No Cardholder Authorization." They aren't actually breaking any rules by using a stored card number, but that's still a pretty dumb thing to do if you want happy customers.

    OK, now back on topic. Pin-based debit information, like full magnetic stripe info and ESPECIALLY any information about the pin number challenge/response, should NEVER be stored by any merchant. (They can store the card number, debit network ID, various transaction reference numbers, etc.) If someone's software is doing that, merchants should stop using that software. Maybe Visa/Mastercard should release a bulletin to its member organizations, for its merchants, warning them that if they're using this software they need to stop. (Looks suspiciously like something which inspired the original article, doesn't it?) If merchants fail to switch to other, compliant software versions, they deserve the fines and sanctions they'll incur.

    (How can Visa and Mastercard levy fines, if they're not the government? Contract law. Visa and Mastercard require contracts with processing companies, like the one I work for. When we sign on a new merchant, they must sign a merchant processing agreement, which binds them to Visa/Mastercard's regulations, and with that binds them to any fines they might incur.)

    Now let's get the discussion back on track. No more of this "businesses are storing my credit card number and I don't like it!" stuff.
  • by Anonymous Coward on Sunday March 19, 2006 @04:19PM (#14953114)
    The PCI standards dictate how cardholder data must be protected.

    http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html [visa.com]

    "In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard."

    AND Visa is requiring that companies are audited for compliance.
  • by bastion_xx (233612) on Sunday March 19, 2006 @06:43PM (#14953731)
    They use the information for chargebacks, refunds, reconciliation, auto-renewal, etc..., etc...

    Last time I read the VISA and MC guidelines, the only real requirement was that you are never supposed to store the VVC code for longer than you need to get the authorization. Everything else is fair game to store, subject to various security guidelines.


    If you are still involved with card processing, you should read up on the latest guidelines. Basically, don't store the PAN or expiration date unencrypted. And NEVER store the card verification code (CVV2, CVC2, or Amex's CID), track data, or PIN for debit transactions. It should be transmitted to the processor or authorizer and then deleted from memory.

    This has been in effect for a couple years now, but only recently (post Card Systems) have the associations started to really crack down. Processors and authorization entities were the first to comply with the more stringent guidelines. Now that they are, for the most part CISP compliant, the next in the chain are merchants.

    POS software should include authentication and logging, at minimum, pertaining to lookups of cardholder info. Even tighter controls on cardholder data access should be required.

    Post-transaction events such as chargebacks and returns do require access to cardholder details, at least the PAN.
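
As an added example (not part of the original comments, and not code from any vendor named on this page): a log scanner for the failure the thread is about, software that keeps magnetic-stripe track data or full card numbers after authorization. The log format, the sample lines and the first-six/last-four masking are assumptions made for the illustration.

```python
import re

# Track 1 (format B) and Track 2 layouts as read from the magnetic stripe.
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}\d{3}\d*\?")
# A bare digit run long enough to be a card number (PAN).
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to discard order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    # Masking convention assumed for this example: keep first 6 and last 4.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    """Return (findings, sanitized line) for one log line."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2), ("pan", PAN)):
        def repl(m, kind=kind):
            if not luhn_ok(m.group(1)):
                return m.group(0)      # not a card number, leave untouched
            findings.append(kind)
            return mask(m.group(1))    # drops expiry, service code, discretionary data
        line = rx.sub(repl, line)
    return findings, line

# Constructed sample log lines (4111111111111111 is a well-known test number).
SAMPLE = [
    "10:45:01 AUTH ok amt=42.10 pan=4111111111111111 ref=000123",
    "10:45:02 DEBUG swipe=;4111111111111111=30121010000000000?",
    "10:45:03 DEBUG swipe=%B4111111111111111^DOE/JOHN^30121010000000000?",
    "10:45:04 SALE ok amt=9.99 order=1234567890123456",
]

def scan(lines):
    """Return [(line number, findings)] for every line holding card data."""
    found = ((n, scan_line(l)[0]) for n, l in enumerate(lines, 1))
    return [(n, f) for n, f in found if f]

if __name__ == "__main__":
    for n, kinds in scan(SAMPLE):
        print(n, kinds, scan_line(SAMPLE[n - 1])[1])
```

A track hit means the whole stripe was written to disk, which is a different finding from a stored PAN: the first should never survive authorization, the second only needs protecting.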
