Card Processing Software May Store CC Info

An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."

Asleep at the switch?

[xoip]

If there is no reason for storing pin data according to the credit card company specs, then why have these vendors built in a switch to do just that?

It's widespread...

[cardpuncher]

I know a number of (UK) mailorder businesses that routinely store the card number, expiry date and CVV of all transactions. It's either done for convenience (if a refund is required later you don't have to phone the customer to get the card number) or because of operational issues (for example, there is a batch process that extracts the payment details from one system and passes it to another to actually debit the card and it has to be repeatable in case one part of the process fails: the lazy solution is to store everything indefinitely).

The need to retain customer confidence in the card-processing system means that the interesting question of who would be liable in the case of a mass theft is unlikely to be tested in court - even if it were useful to do so (a lot of mailorder businesses are not cash rich and neither are the software companies that supply them).

This risk will persist until there is some sort of two-factor authentication on all card transactions.

HomeDepot in Canada

[Neter]

I purchased some bathroom renovation supplies at HomeDepot in Toronto a few weeks ago. When I was complete, I brought back the parts that I had not used. When I returned them to the customer service desk, the lady scanned the barcode at the bottom of the receipt, and then tossed the valves into the "restock" bins. When I attempted to hand her my credit card to refund the transaction, she looked at me and said "We don't need that..."

I looked at her, and asked how she had my credit card information, and how it was going to be credited to my account. She stated that they store all transaction information specifically so they can speed up the refund process.

I asked to speak to the manager to complain about this, but after waiting for 10 minutes for him to show up, my wife got the better of me, and we had to go...

Gut feeling says this should be against industry best practice, and potentially against Canadian banking and privacy laws, but IANAL.

Could this just be a PR/Power Grab ploy?

[vrimj]

Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.

Seems like something went wrong, they still don't know what or how (other then the possible OfficeMax connection), but they are using this opportunity to claim that it has something to do with devices not sanctioned by CC compaines.
Look like this has a high probablity of being spin.

Another similar issue

[Equuleus42]

A couple weeks ago, after finishing refueling my motorcycle, I put the pump back and started to get ready to leave. I noticed though that the pump display didn't say "Insert card and remove quickly" as it normally says when one leaves -- it said "Remove pump and begin fueling" -- as if it were giving a freebie to the next customer! I have no idea how common this problem is, but it may be prudent to watch out for it.

Victim here - lessons learned

[dubbayu_d_40]

Last weekend someone overseas (Bangkok) started draining my checking account. I have a Visa debit card and was directed to Visa put a block on the card. That didn't work, I guess ATM txns go a different route. I tried moving all of my checking and overdraft line of credit into my savings account, but it turns out that it too was used for overdraft protection. My bank is a small credit union and there was nothing I could do until Monday morning - but to their credit they refunded everything within two hours of me walking in the door.

Lessons learned. Use your debit card as a credit card - the laws concerning credit fraud are more clear cut. Ask your bank to not to use your savings as overdraft protection. Only keep enough money in checking for what you know is coming in the short term, isolate the rest in the saving account. Check your account frequently (a friend has his balance emailed to him daily - not a bad idea). Check your credit history every four months (one free per year per credit agency - https://www.annualcreditreport.com/ [annualcreditreport.com] ).

If fraud happens. Call bank/Visa/MC/whoever and get a block on your card. Call one of the credit agencies and put a fraud alert on your credit record. Call the local police and file a report. If you are like I was and can't do anything until Monday, move what is left into your savings account that are going to isolate after reading this.

A good resource is: http://www.consumer.gov/idtheft/ [consumer.gov]

Re:Asleep at the switch?

[jmp_nyc]

There's a restaurant from which my wife and I order food for delivery every so often. I almost always use cash.

One time, I hadn't made it to the ATM recently enough and gave them my Visa number. The following time I ordered from them, I told them I wanted to pay cash. The delivery guy showed up with a credit card slip with my number on it. I called the restaurant and asked why they had stored my number without my permission. They shrugged it off and said they would remove it from their system.

The next time I ordered from them, the same thing happened. I told them I was complaining to Visa, since I had specifically requested that they not retain my card number. They tried to make some excuse, but it hasn't happened since.

This is exactly why I NEVER use a debit card, but will regularly use credit cards. If these guys are storing credit card numbers as a matter of practice, I don't want them to have my debit card number. Credit card agreements have built-in liability protection if the number is stolen. Debit cards leave the account holder dealing with missing money at least until things are sorted out, if not permanently.
-JMP

Never use Debit at a store...

[IcePop456]

This is why I never use Debit at a store. Yeah it sucks when your credit card is stolen. Discover has been quick to issue a new card and restore my credit line. However, I always have a 2nd card for back-up. My debit card will never be used in a store because it is my money that is stolen. That is, they get access to my actual cash (well electronic funds) and not a line of credit. I'd much rather risk some credit dollars since I don't pay the disputed amount.

Re:What are we supposed to use?

[JAFSlashdotter]

I don't know for sure, but it could be that they aren't storing your credit card info, but instead storing some sort of encrypted transaction code for just that one transaction associated with your receipt, that they share with the credit card company itself. In other words, it would be useless except for referring back to that single purchase transaction. Presumably the credit card company already knows your credit card info. :)

Imagine I put my credit card number on a piece of paper, put it in a sealed envelope, and hand it to the merchant. The merchant hands the envelope to the credit card company along with the purchase amount, and the credit card company hands them back a piece of paper with a transaction number on it, indicating approval. When you come back into the store later, the merchant says "Hey, remember this transaction? Credit the card holder back $xxx." So, it's possible to get you your money back without the merchant knowing your card info directly. On the other hand, I don't do these kinds of systems for a living, so I have no idea if that's how it really works.

Re:well that explains it

[_Sharp'r_]

I'm trying to figure out why this is news.

I've worked with various POS software/hardware as well as plenty of online ecommerce sites and I'm really stretching trying to think of at least one that didn't store CC information somewhere for much longer than the transaction lasted.

Sure, if someone was using a third-party card processor, that third-party usually stored the info instead (although most people would be shocked by the merchants who store this info when there really is no reason for them to do so, since their card processor stores it for them), but the info usually get's stored somewhere.

Typically, you were typically lucky if they encrypted the information and doubly lucky if the encryption key wasn't stored on the same server that the data was stored on (which is typical of these systems).

They use the information for chargebacks, refunds, reconciliation, auto-renewal, etc..., etc...

Last time I read the VISA and MC guidelines, the only real requirement was that you are never supposed to store the VVC code for longer than you need to get the authorization. Everything else is fair game to store, subject to various security guidelines.