Card Processing Software May Store CC Info
An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."
Asleep at the switch? (Score:5, Interesting)
It's widespread... (Score:5, Interesting)
The need to retain customer confidence in the card-processing system means that the interesting question of who would be liable in the case of a mass theft is unlikely to be tested in court - even if it were useful to do so (a lot of mailorder businesses are not cash rich and neither are the software companies that supply them).
This risk will persist until there is some sort of two-factor authentication on all card transactions.
HomeDepot in Canada (Score:4, Interesting)
I purchased some bathroom renovation supplies at HomeDepot in Toronto a few weeks ago. When I was complete, I brought back the parts that I had not used. When I returned them to the customer service desk, the lady scanned the barcode at the bottom of the receipt, and then tossed the valves into the "restock" bins. When I attempted to hand her my credit card to refund the transaction, she looked at me and said "We don't need that..."
I looked at her, and asked how she had my credit card information, and how it was going to be credited to my account. She stated that they store all transaction information specifically so they can speed up the refund process.
I asked to speak to the manager to complain about this, but after waiting for 10 minutes for him to show up, my wife got the better of me, and we had to go...
Gut feeling says this should be against industry best practice, and potentially against Canadian banking and privacy laws, but IANAL.
Could this just be a PR/Power Grab ploy? (Score:3, Interesting)
Seems like something went wrong, they still don't know what or how (other than the possible OfficeMax connection), but they are using this opportunity to claim that it has something to do with devices not sanctioned by CC companies.
Looks like this has a high probability of being spin.
Another similar issue (Score:4, Interesting)
Victim here - lessons learned (Score:5, Interesting)
Lessons learned. Use your debit card as a credit card - the laws concerning credit fraud are more clear cut. Ask your bank not to use your savings as overdraft protection. Only keep enough money in checking for what you know is coming in the short term, isolate the rest in the saving account. Check your account frequently (a friend has his balance emailed to him daily - not a bad idea). Check your credit history every four months (one free per year per credit agency - https://www.annualcreditreport.com/ ).
If fraud happens. Call bank/Visa/MC/whoever and get a block on your card. Call one of the credit agencies and put a fraud alert on your credit record. Call the local police and file a report. If you are like I was and can't do anything until Monday, move what is left into your savings account that you are going to isolate after reading this.
A good resource is: http://www.consumer.gov/idtheft/
Re:Asleep at the switch? (Score:4, Interesting)
One time, I hadn't made it to the ATM recently enough and gave them my Visa number. The following time I ordered from them, I told them I wanted to pay cash. The delivery guy showed up with a credit card slip with my number on it. I called the restaurant and asked why they had stored my number without my permission. They shrugged it off and said they would remove it from their system.
The next time I ordered from them, the same thing happened. I told them I was complaining to Visa, since I had specifically requested that they not retain my card number. They tried to make some excuse, but it hasn't happened since.
This is exactly why I NEVER use a debit card, but will regularly use credit cards. If these guys are storing credit card numbers as a matter of practice, I don't want them to have my debit card number. Credit card agreements have built-in liability protection if the number is stolen. Debit cards leave the account holder dealing with missing money at least until things are sorted out, if not permanently.
-JMP
Never use Debit at a store... (Score:2, Interesting)
Re:What are we supposed to use? (Score:2, Interesting)
Imagine I put my credit card number on a piece of paper, put it in a sealed envelope, and hand it to the merchant. The merchant hands the envelope to the credit card company along with the purchase amount, and the credit card company hands them back a piece of paper with a transaction number on it, indicating approval. When you come back into the store later, the merchant says "Hey, remember this transaction? Credit the card holder back $xxx." So, it's possible to get you your money back without the merchant knowing your card info directly. On the other hand, I don't do these kinds of systems for a living, so I have no idea if that's how it really works.
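The "sealed envelope" flow described in the comment above, sketched as an added example that is not part of the original thread or any real processor's API. The `Processor` and `Merchant` classes, the receipt barcode and the amounts are hypothetical; the point is that the merchant's stored record holds only a transaction reference, yet a refund without the card present still works.

```python
import secrets

class Processor:
    """Stand-in for the card company: the only party that ever keeps the card number."""
    def __init__(self):
        self._vault = {}  # transaction reference -> card number and amounts

    def authorize(self, pan, amount_cents):
        ref = secrets.token_hex(8)  # random, so it cannot be reversed into the card number
        self._vault[ref] = {"pan": pan, "captured": amount_cents, "refunded": 0}
        return ref

    def refund(self, ref, amount_cents):
        txn = self._vault.get(ref)
        if txn is None:
            raise KeyError("unknown transaction reference")
        if amount_cents <= 0 or txn["refunded"] + amount_cents > txn["captured"]:
            raise ValueError("refund must be positive and within the captured amount")
        txn["refunded"] += amount_cents
        return txn["pan"][-4:]  # last four digits only, for the refund slip


class Merchant:
    """Keeps receipts keyed by barcode; the card number is never written to a record."""
    def __init__(self, processor):
        self.processor = processor
        self.receipts = {}

    def sale(self, barcode, pan, amount_cents):
        ref = self.processor.authorize(pan, amount_cents)
        self.receipts[barcode] = {"ref": ref, "amount_cents": amount_cents}

    def refund(self, barcode, amount_cents):
        return self.processor.refund(self.receipts[barcode]["ref"], amount_cents)


def demo():
    test_pan = "4111111111111111"  # constructed sample: a widely used test number
    shop = Merchant(Processor())
    shop.sale("RCPT-0001", test_pan, 5410)
    last_four = shop.refund("RCPT-0001", 1200)  # partial return, no card presented
    leaked = test_pan in repr(shop.receipts)    # is the card number in merchant storage?
    return last_four, leaked


if __name__ == "__main__":
    print(demo())
```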
Re:well that explains it (Score:3, Interesting)
I've worked with various POS software/hardware as well as plenty of online ecommerce sites and I'm really stretching trying to think of at least one that didn't store CC information somewhere for much longer than the transaction lasted.
Sure, if someone was using a third-party card processor, that third-party usually stored the info instead (although most people would be shocked by the merchants who store this info when there really is no reason for them to do so, since their card processor stores it for them), but the info usually gets stored somewhere.
Typically, you were typically lucky if they encrypted the information and doubly lucky if the encryption key wasn't stored on the same server that the data was stored on (which is typical of these systems).
They use the information for chargebacks, refunds, reconciliation, auto-renewal, etc..., etc...
Last time I read the VISA and MC guidelines, the only real requirement was that you are never supposed to store the VVC code for longer than you need to get the authorization. Everything else is fair game to store, subject to various security guidelines.