Card Processing Software May Store CC Info

Posted by Zonk
from the i'll-just-hang-onto-this dept.
An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."
  • by chivo243 (808298) on Sunday March 19, 2006 @09:44AM (#14951706)
    not in the next 50 years... Until there is a "PERFECT" system in place for financial transactions, plus, too many remote "poor" areas that can't afford the other gizmos required for electronic payment. Long live cold hard cash.
  • by Threni (635302) on Sunday March 19, 2006 @10:13AM (#14951764)
    If governments decide to stop using cash (which I believe they will, in our lifetimes), they will. They'll stop using it, banks won't have anything to do with it, and you'll be out there on your own, trying to enforce disputes and payments over goods and services with progressively more tatty bits of paper. Everyone else will be using some form of credit.

    Cash will be attacked for being connected with untraceable transactions relating to drugs, terrorism and tax evasion. The same people who now say `what's wrong with cctv in your town, street, bedroom if you're not breaking the law` will say `why do you want to use cash if you're not buying drugs`.
  • by JAFSlashdotter (791771) on Sunday March 19, 2006 @10:25AM (#14951792)
    Amazon.com stores your credit card number if they only ask you to enter the last four digits of your card number, right? So what's different here? Maybe I've not understood something.
    I think I can clarify... The problem isn't that they store the information, it's that unlike Amazon, they do it without your knowledge or consent. Also, because these vendors were unaware that this information was being stored by their systems, no security procedures are in place to prevent unscrupulous employees (or others) from extracting the card information from the system. On the other hand, a retailer like Amazon is aware that it is storing this information for you, you are (hopefully) aware Amazon is storing it for you, and both you and Amazon (presumably) take precautions to safeguard the info.
  • by EnglishSteve (834757) on Sunday March 19, 2006 @10:32AM (#14951809)
    I hate to tell you this, but the store has saved your credit card information almost EVERY TIME you have ever used a credit card in a retail store in recent years. The reason? They HAVE to, otherwise they would never get paid.

    What happens is this: at the end of the day, the store (often from the store, but sometimes it's done from the corporate office) and the credit provider perform a process called Settlement, where they compare a log of the credit card transactions for the day. The retailer does not get paid for the credit card sales until the transactions are reconciled.

    If the retailer and the credit provider are smart, the data is held and transmitted using encryption, but I know for a fact that this is not always so - I write Point Of Sale/credit authorization systems for a living.

  • by jonwil (467024) on Sunday March 19, 2006 @10:34AM (#14951812)
    What is needed is a law that forces companies dealing with bank and financial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPAA mandates high security for medical records.

    Essentially it would mandate things like "any device or software that holds on to any financial data after it is no longer required to process whatever transaction the data was given for is illegal" and "All devices storing or transporting or moving financial data must use encryption" (for example, any US website taking banking details, financial details or credit card details must use SSL or similar to encrypt the data as it goes over the internet) as well as requiring (for example) banks to do more to make it harder for phishing sites to fool users into plugging in their password (there are certainly solutions out there so it's not like it's not possible for the banks to do it, they just don't because it would cost too much to fix it).

    Also this law should have bigger penalties for companies who don't protect this data and it gets copied as a result (much like how there are penalties if medical data is copied).
  • by Alex P Keaton in da (882660) on Sunday March 19, 2006 @10:36AM (#14951817) Homepage
    Well, I don't know about other stores, but I know the Gap must keep your info. When you return something there with your receipt, they don't need your credit card. They just scan the UPC on the receipt, and voila, the charge on your credit card is reversed. I don't like that, because it means that somewhere there is a database with your credit card info. I am sure there is fine print somewhere that makes you authorize this...
  • What is needed is a law that forces companies dealing with bank and financial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPAA mandates high security for medical records.

    Banks already have that - it's the Gramm-Leach-Bliley act and purportedly is meant to protect customer financial privacy.

    I think that the gist of the article, though, is that the merchants are not under the same regulatory burden - and that is where the weak link in the chain is at the moment.

  • by fermion (181285) on Sunday March 19, 2006 @10:54AM (#14951854) Homepage Journal
    My question is what information does the store have to save in order to do a refund. If the system was well done, it would just be a CC number with the original transaction number to confirm. Such a system makes a lot of sense as it ensures that the credit is applied to the same card and limits the number of persons handling the card. Furthermore, it makes some sense for an operation to store the CC number along with the transaction in case the customer later protests the charge. Given the current practice of asking other questions to confirm the purchase, it is not such a big deal. For most retail outlets, a person must have a valid card with valid magnetic strip to make a purchase. These cards are not impossible to fabricate, but it is an additional hurdle.

    The problem, as I see it, is vendors that store all customer information, in a single logical location, long term. For instance, after a purchase is validated, which online takes 30 seconds, my address and CVC should be delinked from my cc number. Keep the CC number in a transaction log, but get rid of the CVC and only keep the address in a ship log. I know this is not going to happen, as it is complicated, but it should help protect us. I am with you though. We need laws that make bad practice a liability on the vendors, banks, and device providers that utilize it.

  • by ZoneGray (168419) on Sunday March 19, 2006 @12:21PM (#14952168) Homepage
    Thanks for pointing out what should have been obvious... reminds me that I ran a retail shop in the 80's, and submitted my charges on paper.

    And anybody who RTFA noted that the issue concerned DEBIT cards. You don't worry much about getting your credit card stolen, because the liability is limited. Debit cards are a whole 'nother story, and the problem here is that some debit-card software had been storing the PIN number as well as the card number... so anybody who got the numbers could go to an ATM and empty your bank account in seconds. Additionally, a stolen debit card is a much greater risk for identity theft than a stolen credit card.
  • by runcible (306937) <runcible@nOsPaM.headnet.com> on Sunday March 19, 2006 @01:35PM (#14952487)
    Troubleshooting. Same reason you can store CVV2 codes, even though CISP says *never* store CVV2 codes. You'd be surprised how often this shit comes in handy when you are trying to figure out why a series of transactions failed. It's way easier to figure out what is fucked-up with a transaction if you can see all the data. Businesses ( and customers too, actually ) don't like to hear "Well it failed, but we don't keep data for that stuff, so that's all I can tell you." They are very into the why, and sometimes without that data there just is no why.

    Not to say that you should do it, you'll *take it in the shorts* for doing this in a prod environment, it is stupidly dangerous...but everybody thinks their systems are secure, right?
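The split fermion describes (keep the card number with the transaction, drop the CVC once the purchase is validated, move the address to a separate ship log) and the troubleshooting need runcible raises (being able to explain why a transaction failed without keeping the CVV2) can both be met by scrubbing the working record right after authorization and keeping only response codes for diagnosis. The following is an added example, not code from this discussion or from any vendor or processor named in it; the record fields, the two in-memory logs, the simulated acquirer response and the sample transactions are all constructed here. It also includes the check a retailer in the article's position would want: a scan over records read back from disk for CVC, PIN or full card numbers that should not have survived.

```python
"""Post-authorization scrubbing of a card transaction, plus a retention check.

Added example: constructed record layout, constructed logs, simulated
authorization. Nothing here is a real processor API.
"""
import re
from typing import Dict, List, Tuple

# Fields that must not survive past authorization (constructed policy list).
FORBIDDEN_AFTER_AUTH = ("cvc", "pin", "track_data")

# Runs of 13-19 digits are candidate card numbers; Luhn filters out noise.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a plausible PAN from an arbitrary number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the last four digits only: enough to match a refund to the card on a receipt."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def authorize(record: Dict[str, str]) -> Dict[str, str]:
    """Simulated acquirer response (constructed); a real call goes to the processor."""
    if len(record.get("cvc", "")) not in (3, 4):
        return {"response": "05", "txn_id": "", "auth_code": ""}  # declined
    return {"response": "00", "txn_id": "T-000123", "auth_code": "A1B2C3"}


def scrub_after_auth(record: Dict[str, str], auth: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the working record into what each downstream log may keep.

    Transaction log: masked PAN, transaction id, response/auth codes, amount
    (what settlement and failure diagnosis need). Ship log: address keyed by
    transaction id only. CVC, PIN and track data are deleted in place.
    """
    txn_entry = {
        "txn_id": auth["txn_id"],
        "pan_masked": mask_pan(record["pan"]),
        "amount": record["amount"],
        "response": auth["response"],
        "auth_code": auth["auth_code"],
    }
    ship_entry = {"txn_id": auth["txn_id"], "address": record["address"]}
    for key in FORBIDDEN_AFTER_AUTH:
        record.pop(key, None)
    record["pan"] = txn_entry["pan_masked"]
    record.pop("address", None)
    return txn_entry, ship_entry


def find_retained_secrets(stored: List[Dict[str, str]]) -> List[str]:
    """Scan records read back from storage (settlement file, debug log, DB dump)
    for data that should not have been retained. One finding per problem."""
    findings = []
    for i, rec in enumerate(stored):
        for key in FORBIDDEN_AFTER_AUTH:
            if rec.get(key):
                findings.append(f"record {i}: field '{key}' retained")
        for key, value in rec.items():
            flat = re.sub(r"[\s-]", "", str(value))  # "4111 1111 ..." -> "41111111..."
            for m in PAN_RE.finditer(flat):
                if luhn_ok(m.group()):
                    findings.append(f"record {i}: full PAN in field '{key}'")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """One constructed transaction through the flow, and one legacy record that kept everything."""
    working = {
        "pan": "4111 1111 1111 1111",  # well-known Visa test number, not a live card
        "cvc": "123",
        "pin": "",
        "amount": "19.99",
        "address": "1 Example St, Springfield",  # constructed
    }
    auth = authorize(working)
    txn_entry, ship_entry = scrub_after_auth(working, auth)
    clean = find_retained_secrets([working, txn_entry, ship_entry])
    legacy = [{"pan": "4111111111111111", "cvc": "123", "pin": "4321", "amount": "19.99"}]
    return clean, find_retained_secrets(legacy)


if __name__ == "__main__":
    clean, bad = demo()
    print("after scrub:", clean or "nothing retained")
    for finding in bad:
        print("legacy record:", finding)
```

The scan is key-based for CVC and PIN (a three- or four-digit value cannot be recognised on its own) and value-based for card numbers, so it catches a full PAN that leaked into a free-text debug field. Run it over settlement files and troubleshooting logs, not only the database, since those are exactly the places where "just keep everything so we can see why it failed" tends to accumulate.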
