Card Processing Software May Store CC Info

Zonk posted more than 8 years ago | from the i'll-just-hang-onto-this dept.

An anonymous reader writes "Visa has sent out a warning to customers stating that some card processing software may keep customer data even after a transaction is complete. The setup, two versions of a software made by Fujitsu Transaction Solutions, is used by such companies as Best Buy, OfficeMax, and Staples. It's unknown if any of these large retailers use the poorly-made versions of the software." From the article: "Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."

177 comments

well that explains it (5, Funny)

Gravis Zero (934156) | more than 8 years ago | (#14951685)

I was wondering why I had bought several laptops for someone in Nigeria.

Re:well that explains it (2, Interesting)

_Sharp'r_ (649297) | more than 8 years ago | (#14952305)

I'm trying to figure out why this is news.

I've worked with various POS software/hardware as well as plenty of online ecommerce sites and I'm really stretching trying to think of at least one that didn't store CC information somewhere for much longer than the transaction lasted.

Sure, if someone was using a third-party card processor, that third-party usually stored the info instead (although most people would be shocked by the merchants who store this info when there really is no reason for them to do so, since their card processor stores it for them), but the info usually gets stored somewhere.

Typically, you were typically lucky if they encrypted the information and doubly lucky if the encryption key wasn't stored on the same server that the data was stored on (which is typical of these systems).

They use the information for chargebacks, refunds, reconciliation, auto-renewal, etc..., etc...

Last time I read the VISA and MC guidelines, the only real requirement was that you are never supposed to store the VVC code for longer than you need to get the authorization. Everything else is fair game to store, subject to various security guidelines.

What are we supposed to use? (4, Funny)

quokkapox (847798) | more than 8 years ago | (#14951693)

You can't use credit cards because the number will get skimmed at the restaurant or the electronics store. You can't use cash because you might get pulled over or mugged and have your cash seized.

I raise chickens. Does Fry's accept barter? How many chickens for an iPod? Oh wait, I forgot about bird flu.

Re:What are we supposed to use? (2, Funny)

ForestGrump (644805) | more than 8 years ago | (#14951699)

How bout barter with beef then?

Right now, corned beef is going for 70-90 cents/pound. Stock up now and go shopping when it's back up to 1.50 to 2 dollars/pound.

Remember kiddies. Buy low, barter high.

Grump

Re:What are we supposed to use? (1)

Andrzej Sawicki (921100) | more than 8 years ago | (#14951754)

> How bout barter with beef then?

Forgetting BSE, are we? ;)

Re:What are we supposed to use? (1)

wetfeetl33t (935949) | more than 8 years ago | (#14951704)

I recommend that we all move out into cabins in the wilderness, grow all our own food, live without modern amenities, and cut off contact with the rest of the world, etc.
That would solve the problem.

Re:What are we supposed to use? (1)

way2trivial (601132) | more than 8 years ago | (#14951732)

Can we? Your suggestion has struck me sir, as worthy of my attention.
if we look at the planet http://hypertextbook.com/facts/2001/DanielChen.shtml [hypertextbook.com]

and the People http://www.ibiblio.org/lunarbin/worldpop [ibiblio.org] we find that it's .02 km sq per person.

and that's weird...

Implants (1)

nurb432 (527695) | more than 8 years ago | (#14951712)

Well dear consumer, you need to sign up for our 'save and secure implant payment system'. With just a single one-time injection you can pay for all your goods just by walking thru our automated scanners.

"Oh, and since we are tied into the federal government's national database, you can be assured you will be kept more safe." "So sign up today"

Re:Implants (1)

kooshvt (86122) | more than 8 years ago | (#14952571)

> With just a single one-time injection you can pay for all your goods just by walking thru our automated scanners.

How would this injection system work? Would it be in the blood stream, watch out for blood transfusions. Would it be an implant in the arm, watch out for a rise in blackmarket arms of the recently deceased being sold.

Re:What are we supposed to use? (2, Insightful)

Alex P Keaton in da (882660) | more than 8 years ago | (#14951817)

Well, I don't know about other stores, but I know the Gap must keep your info. When you return something there with your receipt, they don't need your credit card. They just scan the UPC on the receipt, and viola, the charge on your credit card is reversed. I don't like that, because it means that somewhere there is a database with your credit card info. I am sure there is fine print somewhere that makes you authorize this...

Re:What are we supposed to use? (5, Funny)

gEvil (beta) (945888) | more than 8 years ago | (#14951832)

> They just scan the UPC on the receipt, and viola...

I'm sorry, but I see no reason for them to need to look at my viola to decide whether or not I'm eligible to return some clothing.

Re:What are we supposed to use? (0)

Anonymous Coward | more than 8 years ago | (#14952549)

UMmmmm.. Im pretty sure he meant 'voilà", Italian for "Eureka," not "viola" the instrument, MORAN.

Re:What are we supposed to use? (2, Interesting)

JAFSlashdotter (791771) | more than 8 years ago | (#14951868)

I don't know for sure, but it could be that they aren't storing your credit card info, but instead storing some sort of encrypted transaction code for just that one transaction associated with your receipt, that they share with the credit card company itself. In other words, it would be useless except for referring back to that single purchase transaction. Presumably the credit card company already knows your credit card info. :)

Imagine I put my credit card number on a piece of paper, put it in a sealed envelope, and hand it to the merchant. The merchant hands the envelope to the credit card company along with the purchase amount, and the credit card company hands them back a piece of paper with a transaction number on it, indicating approval. When you come back into the store later, the merchant says "Hey, remember this transaction? Credit the card holder back $xxx." So, it's possible to get you your money back without the merchant knowing your card info directly. On the other hand, I don't do these kinds of systems for a living, so I have no idea if that's how it really works.

Re:What are we supposed to use? (0)

Anonymous Coward | more than 8 years ago | (#14951877)

This is very common in retail, and from my POV there's nothing wrong with it as long as the data is stored responsibly. The trick is taking reasonable precautions on the card number itself, which means strong encryption at the field level for that number. That's all you need to do this, and from a business standpoint, the improvement in the customer experience is well worth that investment if you process a lot of returns. Remember, you're still much safer swiping your card at a retail payment terminal device than you would be handing it to a waiter at a restaurant.

Software storing PINs for debit cards is another story altogether. There's no legitimate business purpose (i.e. that benefits a customer) in storing this data, so if it's happening, Visa and the other card companies are right in yelling loudly about it.

Re:What are we supposed to use? (0)

smbarbour (893880) | more than 8 years ago | (#14952665)

That's interesting, considering no amount of cardholder authorization allows them to store credit card numbers. If they are doing this, they need to be reported to Visa and MasterCard for a blatant violation of the merchant bylaws.

Other interesting bylaws that can result in a merchant being blacklisted:
- Requiring a minimum purchase amount over $1
- Allowing the card number and expiration date to appear on the cardholder's copy of receipts
- Charging a surcharge for paying via credit card (although you can offer a discount for paying cash instead)

Re:What are we supposed to use? (2)

Fareq (688769) | more than 8 years ago | (#14952678)

You can issue a void or refund transaction without the credit card number -- you just need the Transaction ID / Authorization Code that the credit card processor returned.

I think this is only true during the first 30 days, though... but I'm not sure...
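The refund-by-reference flow described in this comment, and in JAFSlashdotter's sealed-envelope analogy further up, sketched as an added example (not part of any commenter's post and not any real processor's API). The `Processor` and `MerchantStore` classes, the `TXN-` reference format and the test card number are constructed for illustration.

```python
"""Refund by reference: the merchant keeps a transaction ID, never the card number."""
import secrets


class Processor:
    """Stand-in for the card processor, the only party that retains the full number."""

    def __init__(self):
        self._vault = {}  # txn_id -> card number and running totals (amounts in cents)

    def authorize(self, card_number, amount_cents):
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        # Random reference: knowing it reveals nothing about the card.
        txn_id = "TXN-" + secrets.token_hex(8)
        self._vault[txn_id] = {"card": card_number, "captured": amount_cents, "refunded": 0}
        return txn_id

    def refund(self, txn_id, amount_cents):
        txn = self._vault.get(txn_id)
        if txn is None:
            raise KeyError("unknown transaction reference")
        # A leaked reference can only push money back to the original card,
        # and never more than was captured in the first place.
        if amount_cents <= 0 or txn["refunded"] + amount_cents > txn["captured"]:
            raise ValueError("refund would exceed the captured amount")
        txn["refunded"] += amount_cents
        return txn["card"][-4:]  # last four digits of the card that was credited


class MerchantStore:
    """Point-of-sale side: what it persists is all an intruder could steal."""

    def __init__(self, processor):
        self.processor = processor
        self.receipts = {}  # receipt number -> reference, amount, last four digits

    def sell(self, receipt_no, card_number, amount_cents):
        txn_id = self.processor.authorize(card_number, amount_cents)
        # The full number is used for the call above and then dropped.
        self.receipts[receipt_no] = {
            "txn_id": txn_id,
            "amount": amount_cents,
            "last4": card_number[-4:],
        }
        return txn_id

    def return_item(self, receipt_no, amount_cents):
        record = self.receipts[receipt_no]
        return self.processor.refund(record["txn_id"], amount_cents)


def merchant_holds(store, needle):
    """True if `needle` appears anywhere in the merchant's persisted records."""
    return any(
        needle in str(value)
        for record in store.receipts.values()
        for value in record.values()
    )


def demo():
    card = "4111111111111111"  # constructed sample: a well-known test number
    store = MerchantStore(Processor())
    store.sell("R-1001", card, 4999)
    result = {
        "merchant_has_card_number": merchant_holds(store, card),
        "partial_refund_to": store.return_item("R-1001", 2000),
        "rest_refunded_to": store.return_item("R-1001", 2999),
    }
    try:
        store.return_item("R-1001", 1)
        result["over_refund"] = "allowed"
    except ValueError:
        result["over_refund"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```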

Re:What are we supposed to use? (1)

TheOtherChimeraTwin (697085) | more than 8 years ago | (#14952116)

> Does Fry's accept barter? How many chickens for an iPod?

It just takes one.

> Oh wait, I forgot about bird flu.

That works in your favor.

Nice store ya got here. Be a shame for it to be quarantined, wouldn't it?

SECOND POST (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14951694)

SECOND POST!!!

Asleep at the switch? (4, Interesting)

xoip (920266) | more than 8 years ago | (#14951698)

If there is no reason for storing pin data according to the credit card company specs, then why have these vendors built in a switch to do just that?

Re:Asleep at the switch? (3, Interesting)

jmp_nyc (895404) | more than 8 years ago | (#14951790)

There's a restaurant from which my wife and I order food for delivery every so often. I almost always use cash.

One time, I hadn't made it to the ATM recently enough and gave them my Visa number. The following time I ordered from them, I told them I wanted to pay cash. The delivery guy showed up with a credit card slip with my number on it. I called the restaurant and asked why they had stored my number without my permission. They shrugged it off and said they would remove it from their system.

The next time I ordered from them, the same thing happened. I told them I was complaining to Visa, since I had specifically requested that they not retain my card number. They tried to make some excuse, but it hasn't happened since.

This is exactly why I NEVER use a debit card, but will regularly use credit cards. If these guys are storing credit card numbers as a matter of practice, I don't want them to have my debit card number. Credit card agreements have built-in liability protection if the number is stolen. Debit cards leave the account holder dealing with missing money at least until things are sorted out, if not permanently.
-JMP

Re:Asleep at the switch? (2)

thrillseeker (518224) | more than 8 years ago | (#14951862)

> Credit card agreements have built-in liability protection if the number is stolen. Debit cards leave the account holder dealing with missing money at least until things are sorted out, if not permanently.

Debit cards have the same protection as credit cards when used as credit cards. The only time you're using it as a debit card is when you have to enter your PIN.

Re:Asleep at the switch? (0)

Anonymous Coward | more than 8 years ago | (#14952156)

That is actually false. Federal laws only cover lines of credit. Usually, banks and the card issuer (Visa, etc.) will have a written policy covering these transactions but they are NOT covered by law.

Check cards are not safe at all! The only way to stay safe is to use regular credit cards.

Re:Asleep at the switch? (2, Informative)

hazem (472289) | more than 8 years ago | (#14952567)

> Debit cards have the same protection as credit cards when used as credit cards.

That's what the banks say, but it's not often borne out by experience.

Remember, that visa debit card is attached to your checking account. If someone takes money they're not supposed to, you can end up bouncing checks and getting into all kinds of other trouble. You have to fight to get your money back, and the bank does not have to respond immediately - and can even deny your claim.

If you just use a credit card and someone gets your number, it's actually the credit card company's money that's lost - not yours.

Why risk it.

Here's some info from Clark Howard's website about what he calls "Fake Visas":

http://clarkhoward.com/shownotes/category/7/40/225/ [clarkhoward.com]

Feb 14, 2005 -- Update on Visa check card rights
Visa's check card is supposed to help eliminate debt by drafting money directly and immediately from your account that has money. But there are some problems with the cards. First, criminals can empty your checking account if they get their hands on your card. Who pays the bounced checks charges if your check card has been stolen? YOU DO! Also, on a real credit card, if you order something you have the right to dispute the charge if something happens to your order. Until now, you could not dispute an order problem on your check card. Visa is now offering modified dispute rights for check card customers. If you have a check card, look on the back and see if it says 'enterlink'. If your card does say this, then you might be covered under Visa's new policy. Make sure you check with your bank to see if you are covered before you begin ordering on your check card.

Nov 10, 2004 -- Fake Visa warning and Wells Fargo update
Clark has a special warning for people who carry fake Visa cards. There has been a breach of security at one of the big national merchants. No one is saying which merchant it is, but an employee has evidently obtained the records of an untold number of customers. That person is using people's debit card numbers across the country without their knowledge. So, when people try to use their cards, they are being turned away. We need full disclosure by the banking industry about this and anytime it happens. We need to know how many people are affected and what institution is involved. So, for the next seven days, if you carry a fake Visa card, check your account for unauthorized debits. Criminals are striking fast before people realize what's going on. Why is this so important? If someone gets a hold of your fake Visa numbers and charges up your account, that money is gone. You have to fight to get that money back, and banks decide on an individual basis. Also, Visa offers no protection for you if it causes checks to bounce. It's a disgrace, but right now, banks are free to decide whether they want to help you out or not.

Re:Asleep at the switch? (2)

miracle69 (34841) | more than 8 years ago | (#14951865)

Actually, if your debit card is used through the credit-card system - I.E. the Visa or Mastercard system, then you have the same protections as a credit card for unauthorized charges. So, if you sign instead of using a pin, it is exactly like a credit card to the company issuing it, and is exactly like a credit card for you and your rights.

Re:Asleep at the switch? (1)

Oopsz (127422) | more than 8 years ago | (#14952179)

Same protections? Yes. But the money is actually *gone* while you dispute it. On a credit card dispute, they don't give you back money, they remove a debt. The difference may be subtle, but important.

Re:Asleep at the switch? (2, Insightful)

runcible (306937) | more than 8 years ago | (#14952487)

Troubleshooting. Same reason you can store CVV2 codes, even though CISP says *never* store CCV2 codes. You'd be surprised how often this shit comes in handy when you are trying to figure out why a series of transactions failed. It's way easier to figure out what is fucked-up with a transaction if you can see all the data. Businesses (and customers too, actually) don't like to hear "Well it failed, but we don't keep data for that stuff, so that's all I can tell you." They are very into the why, and sometimes without that data there just is no why.

Not to say that you should do it, you'll *take it in the shorts* for doing this in a prod environment, it is stupidly dangerous...but everybody thinks their systems are secure, right?

This is why cash won't die... (4, Insightful)

chivo243 (808298) | more than 8 years ago | (#14951706)

not in the next 50 years... Until there is a "PERFECT" system in place for financial transactions, plus, too many remote "poor" areas that can't afford the other gizmos required for electronic payment. Long live cold hard cash.

Re:This is why cash won't die... (2, Insightful)

Threni (635302) | more than 8 years ago | (#14951764)

If governments decide to stop using cash (which I believe they will, in our lifetimes), they will. They'll stop using it, banks won't have anything to do with it, and you'll be out there on your own, trying to enforce disputes and payments over goods and services with progressively more tatty bits of paper. Everyone else will be using some form of credit.

Cash will be attacked for being connected with untraceable transactions relating to drugs, terrorism and tax evasion. The same people who now say `what's wrong with cctv in your town, street, bedroom if you're not breaking the law` will say `why do you want to use cash if you're not buying drugs`.

Re:This is why cash won't die... (1)

chivo243 (808298) | more than 8 years ago | (#14951824)

Those are valid points, but each day the technology gap increases, the have nots are being left farther behind. It is well and good for you to say you will find other means of paying disputes, what about the millions in poverty that can't afford it, is the gov't gonna pony up for all these upgrades, hell no, it is gonna be the people they can reach who have taken this other means of paying disputes.... have a nice Pay! ;-}

Re:This is why cash won't die... (1)

Threni (635302) | more than 8 years ago | (#14951929)

> what about the millions in poverty that can't afford it, is the gov't gonna pony
> up for all these upgrades,

Yep!

http://www.bankingcode.org.uk/wpdocs/Basic%20bank%20accounts%20300703.htm [bankingcode.org.uk]

This is for people who are on benefit. If they can afford a bank account, it will be argued, everyone can.

Re:This is why cash won't die... (1)

Tim C (15259) | more than 8 years ago | (#14951859)

There's one potential flaw in that - card clearing companies generally charge a per transaction fee (they have to make money somehow, after all). I can't imagine too many shops being happy to use cards for all transactions, when a good number of those transactions may be at or below the charge rate (eg newspapers, sweets, etc)

I can well imagine a "only terrorists and criminals need to use cash" campaign, though.

Re:This is why cash won't die... (1)

david.heyman (36692) | more than 8 years ago | (#14951953)

> I can well imagine a "only terrorists and criminals need to use cash" campaign, though.

Why would they need to use cash when they can just buy your credit card details from some poorly paid call center employee in the 3rd world?

Re:This is why cash won't die... (1)

webworm99 (830804) | more than 8 years ago | (#14952344)

You keep forgetting about stores that don't take cards. This would ruin businesses like Western Union, MoneyGram and other similar types of service. It would also ruin pay day advance places as well. If the U.S. did require to be microchipped in the finger or the forehead, I would refuse even if it meant my death. This does not mean I do or do not believe in god. It's just against what I believe in. It would be challenged by organizations like the EFF as well.

Re:This is why cash won't die... (1)

Threni (635302) | more than 8 years ago | (#14952419)

> It would be challenged by organizations like the EFF as well.

I can just imagine the concern that would cause in the US/UK governments...

Re:This is why cash won't die... (1)

LionOfMacedon (947932) | more than 8 years ago | (#14951818)

Completely offtopic, but I'm asking out of curiosity. Assuming all our money is made digital, then wouldn't it lose its value? As in, anyone can "create" money by hacking into back sites or something. Since there is no physical money to back up this virtual money (a situation we already face), then won't it lose its value, and this system would give us the opportunity for massive fraud, as we all know digital manipulations cannot be tracked, unlike manipulations to physical paper.

Re:This is why cash won't die... (1)

TykeClone (668449) | more than 8 years ago | (#14951857)

The problem already exists and is called "Counterfeiting" - easily doable given the proper equipment. Much of the money in circulation at any given moment in time is already "digital" - in the form of checking accounts or credit cards.

Having said that, I wouldn't bet that cold, hard cash will disappear any time too soon. It's quick and easy to use for informal transactions, doesn't require any equipment to transfer, and doesn't have any float to worry about.

Re:This is why cash won't die... (1)

LionOfMacedon (947932) | more than 8 years ago | (#14952358)

I agree with you. The point I was trying to make was that, in physical counterfeits, at some point the currency note will fail the test, might miss a hologram, or might not have a watermark properly, etc., but in digital counterfeits, you can never make out the difference, assuming the hacker has concealed his entry.

Re:This is why cash won't die... (1)

hazem (472289) | more than 8 years ago | (#14952588)

> Having said that, I wouldn't bet that cold, hard cash will disappear any time too soon. It's quick and easy to use for informal transactions, doesn't require any equipment to transfer, and doesn't have any float to worry about.

And it's not very traceable - which is perfect for giving politicians bribes. I can't imagine they'll be in a hurry to get rid of that very convenient feature of cash.

inflation (1, Informative)

Anonymous Coward | more than 8 years ago | (#14952136)

All major currencies are now "fiat" meaning they ARE just created on a whim, hence why most currencies suffer inflation.

  Inflation is an increase in the money supply that is not justified by an increase of actual produced wealth.

  In essence, the "money" out there comes as a form of counterfeit.

  In the US, the problem is so acute now and the dollar in so much peril from rampant "borrowing" and introducing unjustified money into the system via selling bonds and treasury notes and pushing the massive real estate bubble (most new inflated phony fiat money enters through the banking congame system using the technique called "fractional reserve banking", look that up for an eye opener) that the "federal" reserve bank (which is a private bank contracted by "law" to "create" money which it then loans at "interest") has ceased publishing most of the M3 money supply statistics as of *this month*. It is so out of control now they have to do anything possible to divert attention and keep the shellgame running to try and avoid massive collapse.

I don't think it will work for much longer, in a historical term. My best guess is within a few years, and they WILL start more large scale wars as a last ditch diversionary tactic before total collapse.

It is by far and away the single biggest global congame scam that affects humans all over the planet, and it allows the planetary huge fatcats to control populations and business, which is their long term goal, establish control-done, that is accomplished, and maintain it-this they do by introducing inflated money to their pet projects and supporters and withholding it from "enemies". This is the major reason for all the apparently ludicrous laws revolving around money and taxes, just a huge interconnected congame.

This is complex,*really* complex, but a simple way of looking at it is that the money most of us use now starts out completely counterfeit, just poof created out of thin air. It is either raw printed up in the form of banknotes (which are debt instruments) or it is data entried into existence.

It has little to nothing to do with produced wealth, that's why all the economic problems all the time and all the boom and bust cycles. It's also a primary reason why wars are so easy to pull off, the people who profit from wars are basically the same who get to create the money, which they lend to themselves in the form of huge government contracts that they insist various citizens then need to payback.

Then they have the nads to tell us we "owe" them all this principal back PLUS interest.

It is the mother of all economic crimes. Around the world central bankers need to be rounded up and incarcerated and put to forced hard labor. They are a larger threat than the next 10 million "terrorists" combined. They are beyond greedy into the truly evil category.

If you or I tried to loan that which did not exist, we would be arrested for fraud and buncoism. If I had say 50 televisions and told you I was going to sell you 200 televisions and all you got was 50 plus some IOU never to be honored except with further IOUs, you would think that was a fraud, and it would be. Yet bankers do this daily, and hand in hand with lying government weasels, they inflict this system on the rest of the planet. When governments and large central banks do this, it is called policy and business as usual. In the US they had to sneak the "federal reserve act" authorising fiat currency and turning over the creation of it to the "federal" reserve banks late at night when the bulk of congress was out at home for a holiday. This is easily researchable, the history of it is fascinating, how large scale crooks are able to act with impunity and take over governments, not only here in the US, but all over the planet.

Re:This is why cash won't die... (1)

mslinux (570958) | more than 8 years ago | (#14952450)

This happened in 1971. The US did away with the Gold Reserve. Cash was backed by gold up until that time. After that, cash became a 'currency'. Which basically means it's not backed by anything and that the Federal Reserve can print as much as it wants to. Currencies have no inherent value and decrease in value over time. For example, if you bury 40 bucks in your backyard and dig it up 50 years from now, you'll find that it'll buy much less than it did when you buried it. On the other hand, if you bury 40 bucks worth of gold, silver or copper, etc. you'll find that it has gone up (a lot) in value. Cash is basically worthless. It's just paper. Get rid of it. Buy stuff that goes up in value... something cash cannot do :)

The only way to keep your card secure... (2, Funny)

ian_mackereth (889101) | more than 8 years ago | (#14951715)

...is to use someone else's card number, purchased as a job lot from the spotty-faced clerk at your local Best Buy, OfficeMax, Staples, etc!

Re:The only way to keep your card secure... (1)

Bill Wong (583178) | more than 8 years ago | (#14951739)

No kidding.
I've been buying and using visa gift cards and using them for anonymous purchases, because of this very problem in the article.
For internet orders though, my citibank card offers virtual credit card numbers, which are disposable, and does the trick.

It's widespread... (5, Interesting)

cardpuncher (713057) | more than 8 years ago | (#14951718)

I know a number of (UK) mailorder businesses that routinely store the card number, expiry date and CVV of all transactions. It's either done for convenience (if a refund is required later you don't have to phone the customer to get the card number) or because of operational issues (for example, there is a batch process that extracts the payment details from one system and passes it to another to actually debit the card and it has to be repeatable in case one part of the process fails: the lazy solution is to store everything indefinitely).

The need to retain customer confidence in the card-processing system means that the interesting question of who would be liable in the case of a mass theft is unlikely to be tested in court - even if it were useful to do so (a lot of mailorder businesses are not cash rich and neither are the software companies that supply them).

This risk will persist until there is some sort of two-factor authentication on all card transactions.

Re:It's widespread... (0)

Anonymous Coward | more than 8 years ago | (#14952213)

> This risk will persist until there is some sort of two-factor authentication on all card transactions.

Except that the second factor will just be stored alongside the first in the company databases. The CVV was originally for helping prevent fraud by providing a number that could not be obtained in any way except from the back of the card (it wasn't even on the stripe). Naturally, everyone pretty much abandoned this right away, since it made transactions too hard, leading to fewer per-transaction charges for visa/mc/etc and the clearinghouses, the companies had to store it to run their transactions anyway, and most consumers had no clue what the CVV was. Now it's just there to provide a facade of security over the same insecure operations that had been going on before.

Re:It's widespread... (1)

jmichaelg (148257) | more than 8 years ago | (#14952345)

> Except that the second factor will just be stored alongside the first in the company databases.

It wouldn't matter if the second factor is a computed function of the transaction number and transaction value using a large encryption key that's assigned to the credit card by the bank. The credit card would be a little usb stick that stored a processor and a key. When you bought something, you'd stick the key into a usb port, the stick would show you the transaction amount, you'd push a button allowing the processor to compute a hash value which would be transmitted to the bank for verification.

The credit card would do very little so the software is easily checked to ensure that it's correct. The credit card would be cheap and would more than pay for itself in reduced fraud.

The hell with relying on vendors to be trustworthy.
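The scheme in the comment above, sketched as an added example (not the commenter's code and not any card network's protocol). The comment names no algorithm, so HMAC-SHA256 stands in for the "computed function"; the `CardToken` and `Bank` classes, the message layout and the bank-side replay check are assumptions made here.

```python
"""A per-transaction code computed on the card: useless to a merchant who stores it."""
import hashlib
import hmac
import secrets


def transaction_message(txn_id: str, amount_cents: int) -> bytes:
    """Unambiguous encoding of what the cardholder approved."""
    if amount_cents < 0:
        raise ValueError("amount must not be negative")
    tid = txn_id.encode()
    # Length-prefix the ID so ("12", 345) and ("123", 45) can never encode the same.
    return len(tid).to_bytes(2, "big") + tid + amount_cents.to_bytes(8, "big")


def compute_code(key: bytes, txn_id: str, amount_cents: int) -> str:
    return hmac.new(key, transaction_message(txn_id, amount_cents), hashlib.sha256).hexdigest()


class CardToken:
    """The 'little usb stick': holds the key and signs only the displayed transaction."""

    def __init__(self, key: bytes):
        self._key = key  # never leaves the device

    def approve(self, txn_id: str, amount_cents: int) -> str:
        return compute_code(self._key, txn_id, amount_cents)


class Bank:
    def __init__(self):
        self._keys = {}     # card_id -> key assigned at issuance
        self._seen = set()  # (card_id, txn_id) pairs already honoured

    def issue(self, card_id: str) -> CardToken:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return CardToken(key)

    def verify(self, card_id: str, txn_id: str, amount_cents: int, code: str) -> str:
        key = self._keys.get(card_id)
        if key is None:
            return "unknown card"
        expected = compute_code(key, txn_id, amount_cents)
        # Constant-time comparison: do not leak how many characters matched.
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return "bad code"
        # The code is valid for one transaction ID only, and only once.
        if (card_id, txn_id) in self._seen:
            return "replay"
        self._seen.add((card_id, txn_id))
        return "approved"


def demo():
    bank = Bank()
    card = bank.issue("card-0001")  # constructed card identifier
    # The merchant's database after a sale: everything here is assumed stolen later.
    stored = {"card_id": "card-0001", "txn_id": "T-1001", "amount": 1999}
    stored["code"] = card.approve(stored["txn_id"], stored["amount"])
    cid, code = stored["card_id"], stored["code"]
    return {
        "original sale": bank.verify(cid, "T-1001", 1999, code),
        "same sale resubmitted": bank.verify(cid, "T-1001", 1999, code),
        "stored code, new transaction": bank.verify(cid, "T-2002", 1999, code),
        "stored code, larger amount": bank.verify(cid, "T-1001", 199900, code),
    }


if __name__ == "__main__":
    for attempt, outcome in demo().items():
        print(f"{attempt}: {outcome}")
```

Unlike a static CVV, the stored code authorizes nothing beyond the sale it was computed for, which is the property the comment relies on.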

Re:It's widespread... (0)

Anonymous Coward | more than 8 years ago | (#14952535)

You don't need the card number to issue a refund. If this is the excuse you're given for a merchant storing a card number, it's not a valid one. And any developer who writes card processing software knows it.

The only valid reason to store a card number is if you will be regularly billing a customer for something, and there are additional security standards if you plan to do this (although, they're not particularly onerous and are mostly common sense). You don't need the CVV for this purpose, either. Gateways that allow recurring transactions will reject transactions that contain a CVV precisely because it must not be stored. In fact, there are significant penalties if a merchant is caught storing the CVV.

That's illegal in Canada (0)

Anonymous Coward | more than 8 years ago | (#14951738)

http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp [privcom.gc.ca]

The law in Canada makes it illegal to store people's credit card numbers. The store doesn't need your number per se and they can't ask for it (or swipe your card twice to get it). Your card is swiped and the number goes directly to the card company. That's all that's necessary to complete the transaction and that's all the store is entitled to.

SSN in USA (0, Offtopic)

WindBourne (631190) | more than 8 years ago | (#14951901)

It is very illegal in the USA to use the SSN and yet, businesses all over do so. Total BS, but...

Re:SSN in USA (1)

mzwaterski (802371) | more than 8 years ago | (#14952411)

"It is very illegal in the USA to use the SSN and yet, businesses all over do so. Total BS, but..."

To use your SSN for what?

Re:SSN in USA (1, Informative)

Anonymous Coward | more than 8 years ago | (#14952712)

Ferris State University used mine for my Universal Refrigeration License when I was tested several years ago.

Now everyplace I do business has my SS # because the EPA requires me to provide my license number to purchase things like Freon.

Try winning a jackpot at a Detroit casino and not provide a SS #. Clerks there sell others' identity information on the Internet. Saw it on the local news. Nobody cares, not the police, not the casinos, not the state. It's required by the IRS and they have very loose standards for handling personal information.

Someone sure did store mine :P (1)

markholmberg (631311) | more than 8 years ago | (#14951963)

I visited Toronto two years ago. I used my Mastercard there in some restaurants and cafes. Two weeks after I had left Canada, someone had used my credit card in Toronto to buy stuff worth 890 Canadian dollars (pretty near my limit of 1000). I still don't have a clue how this was done. Where I come from we don't use credit cards that much, mainly cash and debit.

Re:Someone sure did store mine :P (1)

Guido von Guido (548827) | more than 8 years ago | (#14952672)

Presumably your credit card was out of your sight for a few minutes. It doesn't take very long to write down your name, the number, and the expiration date. I imagine they could have used a custom card swiper or something more efficient.

I had something similar happen to me after a trip to the Philly area a couple of years ago. Shortly after I returned, I discovered that someone had used one of my cards to spend a couple of grand on something like "broadband services" from AOL. I had used it at a couple of restaurants and a gas station; I hadn't used it online recently, although I suppose someone could have gotten the number from a stored transaction a few months before that.

Isn't what amazon.com does ? (1)

lord_rob the only on (859100) | more than 8 years ago | (#14951750)

Amazon.com stores your credit card number if they only ask you to enter the last four digits of your card number, right? So what's different here? Maybe I've not understood something.

Re:Isn't what amazon.com does ? (1)

magicchex (898936) | more than 8 years ago | (#14951775)

The last four digits are what's the most important. You and many others will have the same first 4, 8, or 12 digits.

Re:Isn't what amazon.com does ? (2, Insightful)

JAFSlashdotter (791771) | more than 8 years ago | (#14951792)

"Amazon.com stores your credit card number if they only ask you to enter the last four digits of your card number, right? So what's different here? Maybe I've not understood something"

I think I can clarify... The problem isn't that they store the information, it's that unlike Amazon, they do it without your knowledge or consent. Also, because these vendors were unaware that this information was being stored by their systems, no security procedures are in place to prevent unscrupulous employees (or others) from extracting the card information from the system. On the other hand, a retailer like Amazon is aware that it is storing this information for you, you are (hopefully) aware Amazon is storing it for you, and both you and Amazon (presumably) take precautions to safeguard the info.

Re:Isn't what amazon.com does ? (1)

ForestGrump (644805) | more than 8 years ago | (#14951794)

Amazon is obvious to the customer about it. OTOH, these stores are doing it without the cust knowing.

Re:Isn't what amazon.com does ? (1)

1ucius (697592) | more than 8 years ago | (#14951878)

Another difference is that these devices apparently stored your debit card card + pin. The statutory protections for unauthorized credit card transactions are much stronger than for debit cards (though most debit card issuers voluntarily extend those protections to debit cards).

Re:Isn't what amazon.com does ? (1)

entrylevel (559061) | more than 8 years ago | (#14951973)

Correct me if I'm wrong, but this can be done relatively securely, can't it? You store all the credit card info except the last four digits, and encrypt the stored data using those four digits (and of course some other data tied to that user). Then when you enter the last four, attempt to decrypt the stored data, append the four digits to the end of the credit card number, calculate a hash of the decrypted info and compare it to the previously computed hash from the last transaction.

Obviously you could brute-force this system easier than a system that stores no info at all, but if I were to implement this, three wrong tries would wipe the info from the system and force you to re-enter all of it.

I'm not a security expert, and am actually a strong proponent within my company to outsource all credit card processing (to the extent that none of our systems ever see any credit card info at all), but is there any gaping hole I'm missing in the above method?

HomeDepot in Canada (4, Interesting)

Neter (56934) | more than 8 years ago | (#14951751)


I purchased some bathroom renovation supplies at HomeDepot in Toronto a few weeks ago. When I was complete, I brought back the parts that I had not used. When I returned them to the customer service desk, the lady scanned the barcode at the bottom of the receipt, and then tossed the valves into the "restock" bins. When I attempted to hand her my credit card to refund the transaction, she looked at me and said "We don't need that..."

I looked at her, and asked how she had my credit card information, and how it was going to be credited to my account. She stated that they store all transaction information specifically so they can speed up the refund process.

I asked to speak to the manager to complain about this, but after waiting for 10 minutes for him to show up, my wife got the better of me, and we had to go...

Gut feeling says this should be against industry best practice, and potentially against Canadian banking and privacy laws, but IANAL.

Re:HomeDepot in Canada (1)

QCompson (675963) | more than 8 years ago | (#14951777)

The same thing happened to me at a Target in the U.S.

Re:HomeDepot in Canada (3, Insightful)

EnglishSteve (834757) | more than 8 years ago | (#14951809)

I hate to tell you this, but the store has saved your credit card information almost EVERY TIME you have ever used a credit card in a retail store in recent years. The reason? They HAVE to, otherwise they would never get paid.

What happens is this: at the end of the day, the store (often from the store, but sometimes it's done from the corporate office) and the credit provider perform a process called Settlement, where they compare a log of the credit card transactions for the day. The retailer does not get paid for the credit card sales until the transactions are reconciled.

If the retailer and the credit provider are smart, the data is held and transmitted using encryption, but I know for a fact that this is not always so - I write Point Of Sale/credit authorization systems for a living.

Re:HomeDepot in Canada (2, Insightful)

ZoneGray (168419) | more than 8 years ago | (#14952168)

Thanks for pointing out what should have been obvious... reminds me that I ran a retail shop in the 80's, and submitted my charges on paper.

And anybody who RTFA noted that the issue concerned DEBIT cards. You don't worry much about getting your credit card stolen, because the liability is limited. Debit cards are a whole 'nother story, and the problem here is that some debit-card software had been storing the PIN number as well as the card number... so anybody who got the numbers could go to an ATM and empty your bank account in seconds. Additionally, a stolen debit card is a much greater risk for identity theft than a stolen credit card.

Re:HomeDepot in Canada (1)

EnglishSteve (834757) | more than 8 years ago | (#14952587)

Yeah, debit cards are a different animal. I've never come across a retailer that actually stored the PIN in transaction data, although it certainly sounds like there are some out there. Most of the retailers I work with use pinpad terminals that have firmware encryption built in - the PIN is only ever sent to the debit provider in encrypted form and never leaves the hardware device as unencrypted data. The PIN never makes it into the POS system transaction data at all - just the card info (number/expiration date) and the approval code. I guess I wrongly assumed that ALL providers would be somewhat sensible and do this. I guess not.

Re:HomeDepot in Canada (3, Insightful)

fermion (181285) | more than 8 years ago | (#14951854)

My question is what information does the store have to save in order to do a refund. If the system was well done, it would just be a CC number with the original transaction number to confirm. Such a system makes a lot of sense as it ensures that the credit is applied to the same card and limits the number of persons handling the card. Furthermore, it makes some sense for an operation to store the CC number along with the transaction in case the customer later protests the charge. Given the current practice of asking other questions to confirm the purchase, it is not such a big deal. For most retail outlets, a person must have a valid card with valid magnetic strip to make a purchase. These cards are not impossible to fabricate, but it is an additional hurdle.

The problem, as I see it, is vendors that store all customer information, in a single logical location, long term. For instance, after a purchase is validated, which online takes 30 seconds, my address and CVVC should be delinked from my cc number. Keep the CC number in a transaction log, but get rid of the CVC and only keep the address in a ship log. I know this is not going to happen, as it is complicated, but it should help protect us. I am with you though. We need laws that make bad practice a liability on the vendors, banks, and device providers that utilize it.

Re:HomeDepot in Canada (1)

agurk (193950) | more than 8 years ago | (#14952241)

Or it might be only the transaction number. I have worked with a lot of online payment systems which got this kind of functionality. If a refund is necessary you just use the original transaction code and tell the payment broker to reimburse the credit card. This way you may also know that you never reimburse more than the customer actually paid.

Re:HomeDepot in Canada (1)

captbrando (303182) | more than 8 years ago | (#14952449)

Honestly, you don't need to store anything to issue a credit. A credit is just like a debit, except you put money back instead of take it out.

The problem here is the storage of discretionary data (CVV/CVC) found in the track (magstripe), and "card-not-present" (read: online purchases) authentication data (CVV2/CVC2/CID). A PIN number or PIN block (encrypted pin that matches with issuing bank) is just as bad, except in most cases you are directly hitting someone's checking or savings account.

Companies get a better (cheaper) interchange rate on transactions where they provide this authentication data, so some may think it is to their advantage to store it.

Re:HomeDepot in Canada (1)

chicagozer (585086) | more than 8 years ago | (#14951987)

Do you really think building a system with no record of credit card transactions is better?

I'm not talking about storing CVV values, but I would be inclined to keep the core details (credit card number, signature imprint etc) around until I got paid by VISA/MC and/or the refund period expired. Granted, appropriate authorization and encryption security needs to be in place as I'm not in favor of keeping all this stuff in clear text.

If you are a merchant and you store none of these details, you open yourself up to all kinds of fraud.

Re:HomeDepot in Canada (0)

Anonymous Coward | more than 8 years ago | (#14952132)

It's unlikely they were storing your credit card number. Almost all retail or mail order systems use transaction reference numbers with their merchant processor.

When a refund is requested, they send the transaction reference number and amount to be refunded, to the merchant processor/gateway.

They don't need a card number to issue a credit (0)

Anonymous Coward | more than 8 years ago | (#14952484)

You're being overly paranoid. No payment gateway I've ever used has ever required the full card number to issue a refund (for a linked credit anyway, which is what you're describing).

The original transaction ID, and maybe some part of the card number (like a mask containing the last 4 digits), is sufficient.

And yes, any merchant is going to keep a transaction record for accounting, settlement and dispute purposes.
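Several comments above describe refunds issued against the original transaction reference rather than a stored card number. The sketch below is an added example, not code from any poster or vendor: `FakeGateway` stands in for a hypothetical processor API, all names are made up, and the card number is the common test value, not a real account.

```python
from dataclasses import dataclass
from decimal import Decimal


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as on a truncated receipt."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class SaleRecord:
    """Everything the merchant keeps for accounting, settlement and disputes."""
    txn_ref: str
    masked_pan: str
    amount: Decimal


class FakeGateway:
    """Hypothetical processor: it alone maps a reference back to a card."""

    def __init__(self):
        self._cards = {}
        self.credits = []
        self._next = 1

    def authorize(self, pan: str, expiry: str, cvv: str, amount: Decimal) -> str:
        ref = f"T{self._next:06d}"
        self._next += 1
        self._cards[ref] = pan  # the CVV is checked at this point, never kept
        return ref

    def refund(self, txn_ref: str, amount: Decimal) -> None:
        self.credits.append((self._cards[txn_ref], amount))


class MerchantLedger:
    def __init__(self, gateway: FakeGateway):
        self.gateway = gateway
        self.sales = {}
        self.refunded = {}

    def sale(self, pan: str, expiry: str, cvv: str, amount: Decimal) -> SaleRecord:
        ref = self.gateway.authorize(pan, expiry, cvv, amount)
        # pan, expiry and cvv go out of scope here; only the record persists.
        record = SaleRecord(ref, mask_pan(pan), amount)
        self.sales[ref] = record
        return record

    def refund(self, txn_ref: str, amount: Decimal) -> Decimal:
        """Linked credit: returns the amount still refundable afterwards."""
        record = self.sales.get(txn_ref)
        if record is None:
            raise ValueError("unknown transaction reference")
        already = self.refunded.get(txn_ref, Decimal("0"))
        # Never reimburse more than the customer actually paid.
        if amount <= 0 or already + amount > record.amount:
            raise ValueError("refund exceeds original sale")
        self.gateway.refund(txn_ref, amount)
        self.refunded[txn_ref] = already + amount
        return record.amount - already - amount

    def holds_sensitive(self, pan: str, cvv: str) -> bool:
        """Audit helper: does any stored field contain the PAN or equal the CVV?"""
        for record in self.sales.values():
            for value in vars(record).values():
                if isinstance(value, str) and (pan in value or value == cvv):
                    return True
        return False


if __name__ == "__main__":
    ledger = MerchantLedger(FakeGateway())
    rec = ledger.sale("4111111111111111", "12/30", "737", Decimal("89.50"))
    print(rec, ledger.refund(rec.txn_ref, Decimal("40.00")))
```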

Could this just be a PR/Power Grab ploy? (2, Interesting)

vrimj (750402) | more than 8 years ago | (#14951760)

Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.

Seems like something went wrong, they still don't know what or how (other than the possible OfficeMax connection), but they are using this opportunity to claim that it has something to do with devices not sanctioned by CC companies.
Looks like this has a high probability of being spin.

Another similar issue (3, Interesting)

Jon Abbott (723) | more than 8 years ago | (#14951762)

A couple weeks ago, after finishing refueling my motorcycle, I put the pump back and started to get ready to leave. I noticed though that the pump display didn't say "Insert card and remove quickly" as it normally says when one leaves -- it said "Remove pump and begin fueling" -- as if it were giving a freebie to the next customer! I have no idea how common this problem is, but it may be prudent to watch out for it.

Why software not paper? (0)

Anonymous Coward | more than 8 years ago | (#14951781)

1) Duh, all direct credit card transactions produce a printed piece of paper I have to sign, there is my signature and all 16 numbers on my CC, if any shopkeeper wants to keep/store/abuse it.

2) Those two or three main american companies that own (and log) everyone's ability to do electronic transactions ('credit card circuits' owners): they invented and could deploy the credit card system once, what the hll are they waiting to study&deploy a less stupid and secure method of payment once and for the next 40 years?

Re:Why software not paper? (2, Informative)

Nimloth (704789) | more than 8 years ago | (#14951837)

Not true, most credit card transaction receipts include only the first and last 4 digits of the credit card number. The rest usually consists of *'s or X's.
This is to avoid fraud, the printout only serves the purpose of identifying the proper card with the proper sequence number, amount, date and signature.
Some cheaper, less used systems WILL however print out the complete number. I would personally find another method of payment if you know place X does that, but if you have to use a credit card, don't throw your receipt away in the trash.

Re:Why software not paper? (0)

Anonymous Coward | more than 8 years ago | (#14952134)

In Texas the law states that the receipt should not provide more than 4 digits of the CC #. Some merchants still do it, but it is mostly smaller ones.

BofA vulnerability assessment? (1)

ShaunC (203807) | more than 8 years ago | (#14951784)

"Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months ..."

I have a BofA account, and the associated debit card. When I first received it, I was a bit miffed that it came with a 6-digit PIN, but now I've gotten used to it and I wish my other card issuers offered the option to select a PIN longer than 4 digits.

That said, this is the first I've heard anything about BofA debit cards being pilfered and replaced. As someone who is paranoid by default, I am questioning the security status of my BofA debit card. I have, regretfully, shopped at Best Buy within the past month; when my LAN went down due to a burnt-up switch and I had to get a new one, BB was my easiest option.

Should I be worried? Considering that I've received no contact from BofA regarding this situation, I don't know whether to feel placated or even more paranoid.

4 digits are best (1)

sgent (874402) | more than 8 years ago | (#14952070)

The problem with anything other than a 4 digit pin, is that you have no idea if it will work when you try to use it. There are still some machines in the US, and many, many more in other countries that only accept 4 numeric characters. In some cases it's your only option -- there are no other ATMs.

Victim here - lessons learned (4, Interesting)

dubbayu_d_40 (622643) | more than 8 years ago | (#14951786)

Last weekend someone overseas (Bangkok) started draining my checking account. I have a Visa debit card and was directed to Visa to put a block on the card. That didn't work, I guess ATM txns go a different route. I tried moving all of my checking and overdraft line of credit into my savings account, but it turns out that it too was used for overdraft protection. My bank is a small credit union and there was nothing I could do until Monday morning - but to their credit they refunded everything within two hours of me walking in the door.

Lessons learned. Use your debit card as a credit card - the laws concerning credit fraud are more clear cut. Ask your bank not to use your savings as overdraft protection. Only keep enough money in checking for what you know is coming in the short term, isolate the rest in the saving account. Check your account frequently (a friend has his balance emailed to him daily - not a bad idea). Check your credit history every four months (one free per year per credit agency - https://www.annualcreditreport.com/ [annualcreditreport.com] ).

If fraud happens. Call bank/Visa/MC/whoever and get a block on your card. Call one of the credit agencies and put a fraud alert on your credit record. Call the local police and file a report. If you are like I was and can't do anything until Monday, move what is left into the savings account that you are going to isolate after reading this.

A good resource is: http://www.consumer.gov/idtheft/ [consumer.gov]

Re:Victim here - lessons learned (1)

failedlogic (627314) | more than 8 years ago | (#14952166)

I've thought as well of e-mailing the balance of my account on a daily basis - as long as it does not have my account number. But since e-mail is unencrypted I'm a bit leery. The banks often ask what your balance is as a security question.

I don't understand why some banks are really using lame security to appeal to 99% of the population. Are there any banks accepting customers giving them, say, a public PGP key to send them their data electronically? Why can't more of the banks use finger-print I.D. or even put a picture of the user right on the cards?

Given all the money that's lost every year to fraud, people getting away with fraud, isn't it time they step-up and provide a real solution? Isn't 100,000+ cards being scammed enough?

Re:Victim here - lessons learned (1)

webworm99 (830804) | more than 8 years ago | (#14952408)

"put a picture of the user right on the cards?"

That won't work. Most places the cashier never looks at your card. This was before the pos terminals, Citibank tried that once. Most merchants thought the card was a fake. I had to write Citibank to get a standard card. Plus you do get old. So your feature would change. It was not the Merchants fault. It was the Card processing company.

Re:Victim here - lessons learned (1)

failedlogic (627314) | more than 8 years ago | (#14952532)

True. Also the pictures weren't standardized across all banks since it was exclusive to Citibank.

But, playing the blame-game is fun!!

OTOH, bank security is a big issue. I hate punching in my pin for debit transactions. To limit my spending too, I usually try and pay with cash. The cashiers look at people in a funny way when you pay for $60 or $100 of stuff with $20's. This is even with the new Canadian $20 bills with the 'extra' security features.

Fujitsu & Tokyo Stock Exchange (1)

Bushcat (615449) | more than 8 years ago | (#14951796)

Fujitsu is also behind Tokyo Stock Exchange's recent woes, with TSE having to limit operating hours when transactions near the system's limit. Fujitsu also took TSE down for a day in November 2005 after applying a software patch.

Spin? (1)

drwhitt (634345) | more than 8 years ago | (#14951799)

There are a few [usatoday.com] articles [com.com] that point out that the software that Fujitsu Transaction Solutions [fujitsu.com] developed for these devices is not, in fact, responsible. I heard a quote in a radio soundbite yesterday afternoon from a Fujitsu spokesperson suggesting that there is no security vulnerability in their ware. In either event, it seems like there is more to the story than we know today. Is this simply a ploy by Visa (or others?) to spin public (read, media) opinion?

Never use Debit at a store... (2, Interesting)

IcePop456 (575711) | more than 8 years ago | (#14951811)

This is why I never use Debit at a store. Yeah it sucks when your credit card is stolen. Discover has been quick to issue a new card and restore my credit line. However, I always have a 2nd card for back-up. My debit card will never be used in a store because it is my money that is stolen. That is, they get access to my actual cash (well electronic funds) and not a line of credit. I'd much rather risk some credit dollars since I don't pay the disputed amount.

What is needed is the financial version of HIPAA (2, Insightful)

jonwil (467024) | more than 8 years ago | (#14951812)

What is needed is a law that forces companies dealing with bank and financial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPAA mandates high security for medical records.

Essentially it would mandate things like "any device or software that holds on to any financial data after it is no longer required to process whatever transaction the data was given for is illegal" and "All devices storing or transporting or moving financial data must use encryption" (for example, any US website taking banking details, financial details or credit card details must use SSL or similar to encrypt the data as it goes over the internet) as well as requiring (for example) banks to do more to make it harder for phishing sites to fool users into plugging in their password (there are certainly solutions out there so it's not like it's not possible for the banks to do it, they just don't because it would cost too much to fix it).

Also this law should have bigger penalties for companies who don't protect this data and it gets copied as a result (much like how there are penalties if medical data is copied)

Re:What is needed is the financial version of HIPP (4, Insightful)

TykeClone (668449) | more than 8 years ago | (#14951846)

What is needed is a law that forces companies dealing with bank and financial details (banks, credit card companies, card processors, insurance companies, finance companies, ATM providers, EFTPOS/credit card processing machine providers and so on) to take greater efforts to keep it secure, much like HIPAA mandates high security for medical records.

Banks already have that - it's the Gramm-Leach-Bliley act and purportedly is meant to protect customer financial privacy.

I think that the gist of the article, though, is that the merchants are not under the same regulatory burden - and that is where the weak link in the chain is at the moment.

Re:What is needed is the financial version of HIPP (1)

captbrando (303182) | more than 8 years ago | (#14952471)

Not regulatory as in government, but industry regulated yes. All card brands require that you comply with the Payment Card Industry, Data Security Standard. http://www.visa.com/cisp [visa.com] for more info...

Libertarian experiment (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#14951897)

Visa and Mastercard are putting requirements into contracts that have the same effect. They mandate a security program called CISP or PCI or maybe something else this week which has requirements much more specific than HIPAA does. The contracts have penalty clauses.

It's going to be interesting to see how this free-market equivalent of legislation works out.

Re:What is needed is the financial version of HIPP (1)

WindowPane (150285) | more than 8 years ago | (#14952169)

Yes, let's put more lawyers to work. Visa has already led an initiative to make credit card usage more secure, it's called CISP, Cardholder Information Security Program. You can find information here: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html [visa.com]

All retailers and software providers must comply with this initiative if they want to accept Visa cards as payment. Having worked in the retail POS software industry for the last 11 years I have seen all sorts of non-compliant behaviour. Just because someone passes a law or publishes a standard doesn't mean that everyone is following said law/standard. Everyone stores your card information at some level or another.

Better Provider? (1)

chivo243 (808298) | more than 8 years ago | (#14951838)

Does anyone know who may be a more secure credit provider? Discover, Amex, MasterCard? I am a Visa customer, no balance! no PIN#! Does anyone have any inside advice about any of the competition?

No Fat Tony Jokes please, he don't like that kinda crap.

In the future... (1)

Gyorg_Lavode (520114) | more than 8 years ago | (#14951845)

In the future I think credit will be controlled by cryptographic smart cards which have a built in key pad. You will put in your card, punch in your pin, and then the card will unencrypt a 1-time authorization for a set amount of money that the vendor then sends to the credit card company to conduct the transaction. No processing off card. Requires something you have and something you know. Storing the data doesn't do any good.

I think the only other form of transaction will be cash.

Old, but maybe not common news (1)

chiph (523845) | more than 8 years ago | (#14951978)

CC processing software needs to retain the card info for a few weeks until the transactions settle. This allows the merchant to handle chargebacks, disputes, etc.

Nothing to be alarmed about as long as you trust the merchant.

Chip H.

One device that makes all this possible... (2, Informative)

cyclocommuter (762131) | more than 8 years ago | (#14952021)

This article on the globeandmail.com [theglobeandmail.com] talks about the inventor of one such device and the associated software (RenCode) and how easy it is for thieves and others to get their hands on it.

And why again (1)

CaptainZapp (182233) | more than 8 years ago | (#14952172)

Should this be my fucking problem in the first place?

Free hint to Visa regarding Captain Zapp's first axiom of software projects:

Cheap, within scope, within time: Pick one!

What the WSJ reported (0)

Anonymous Coward | more than 8 years ago | (#14952475)

Visa Warns of Cash-Register Flaw

Software Could Be Used
To Steal Customers' Data
From Credit, Debit Cards
By ROBIN SIDEL
The Wall Street Journal
March 17, 2006; Page A2

Visa USA Inc. is warning that two versions of popular software installed at cash registers could be used to steal information from credit and debit cards.

The software, which is used by retailers to help ring up transactions, can be used -- sometimes inadvertently -- in a way that allows the cash register to store customer data, such as personal-identification numbers used in debit-card transactions. Under card-industry guidelines, retailers aren't supposed to store that information because it can fall into criminal hands if a computer system is hacked or an unauthorized person gains access to it.

Retailers are supposed to comply with the industry rules, although some of the nation's biggest merchants didn't meet a December 2005 deadline to prove that they are following the regulations.

Visa, an association owned by thousands of financial institutions that issue credit cards and debit cards, sent out the alert in recent days to large "merchant acquirers," which are the companies that process card transactions for the nation's biggest retailers. A Visa spokeswoman confirmed the alert, a copy of which was reviewed by The Wall Street Journal.

"Visa has a responsibility to protect cardholder information," Visa said in a statement. "We confidentially alert financial institutions when there is a potential for any point-of-sale software or modification of it that puts cardholder information at risk."

It isn't clear if customer data have been stolen as a result of the glitch, but Visa said in the alert that it was issuing the warning after becoming aware of an incident that involved the software and data retention. Visa didn't specifically say that data theft occurred as a result of the incident.

The warning covers two versions of software that is made by Fujitsu Transaction Solutions Inc., a Frisco, Texas-based subsidiary of Japan's Fujitsu Ltd. The U.S. unit has a long list of big retail customers, including Best Buy Co., Dress Barn Inc., OfficeMax Inc., Staples Inc. and Payless ShoeSource Inc., according to the Fujitsu unit's Web site.

Representatives of Fujitsu denied that their software was being used to steal customer data and disagreed with Visa's decision to issue the warning. They said the versions of RAFT and GlobalStore software cited by Visa are about one-and-a-half years old and noted that their customers are continually upgrading their software products.

"There is no incident that I'm aware of. There is no breach of anything," said Keith McNamara, a senior vice president for software operations at Fujitsu. Mr. McNamara said he was aware of just one retailer that was using a version of the software identified by Visa, but declined to identify the merchant. A Best Buy spokeswoman said the company doesn't use the versions of the software cited by Visa. Representatives of Dress Barn, Staples and Payless couldn't be reached for comment. A spokesman for OfficeMax declined to discuss the type of software used by the company.

Mr. McNamara also said the software itself doesn't allow retailers to store customer information. Instead, other tools can be installed and essentially linked to the Fujitsu software that could permit the tracing or storage of sensitive, encrypted data, he said.

Since receiving the memo from Visa, large merchant acquirers, which include First Data Corp., Fifth Third Bancorp and Bank of America Corp., have been contacting their retail customers to address the matter. In the memo, Visa said that Fujitsu has a software upgrade available to address the issue.

"We got the notice and we will work with anyone who has been identified as having that software," said Stephanie Hagen, a spokeswoman for Fifth Third, which is based in Cincinnati.

The alert was issued in the same week that Citigroup Inc. said it was blocking transactions at automated teller machines in Canada, Britain and Russia after it flagged several hundred suspicious cash withdrawals last month.

Citigroup said the accounts may have been compromised by security breaches that occurred at U.S. retailers, but it didn't identify the retailers. Meanwhile, an investigation is continuing into unusual patterns of fraudulent activity on debit cards that were used at eight OfficeMax stores around the country, according to people familiar with the inquiry. OfficeMax has repeatedly said it has no knowledge of a security breach.

URL for this article:
http://online.wsj.com/article/SB114256447183300953.html [wsj.com]

Copyright 2006 Dow Jones & Company, Inc. All Rights Reserved

CC Terminals store CCs internally in FLASHRAM. (1)

Pi55edOff (938166) | more than 8 years ago | (#14952493)

Hello stupid world,

I would like to let you know that I have first-hand knowledge that all CC processing machines actually store all the CC/expiry date and invoice transactions internally in the machines, for several years of data depending on volume. An employee can easily print out this data and have all transaction batches printed out. If a company does not clear the memory of the units and sells their CC terminals, you are now liable for unknowingly distributing your clients' credit card information.

This function is not even protected by an admin password/admin swipe card either. I think that credit card terminal vendors should be liable for not protecting this data under an admin password/swipe card. They are blatantly allowing anyone to steal this information and allowing others to create fake credit cards for transactions.

I think it is time to make the CC Terminal manufacturers get charged for allowing their terminals to be used for fraud and to have them replace each and every one of them with a new unit that CAN NOT give out this information without some sort of password/swipe card protection. ON TOP OF ALL THAT, If the Terminal detects ANY Change in settings to the terminal or it should call up the CC Processing Facility and see if this terminal is active with the Processor prior to displaying such important CC Data, then the data could be safe from fraudulent use.

The simple method is to ensure that the terminals are protected from any possible fraudulent way of getting previous CC Data. And that protection MUST come from the CC Terminal Manufacturers. This time they should be footing the bill to replace/upgrade their existing terminals with new code to offer such protection.

Simple: Don't use debit cards. (1)

WoTG (610710) | more than 8 years ago | (#14952505)

I avoid using debit cards at retail stores if at all possible. The only exceptions are when for some reason I can't use my CC AND the store is a very large reputable firm. Enter my PIN into some mom and pop shop, not likely.

On another note, yes, software does store CC numbers all the time. This is EXACTLY the same security that we've had for years with CC's. Before computers, we had hard copy "impressions" -- those had your full CC number too. CC's are inherently insecure, but that's ok. Let the CC company take on that risk, that's their business.

Can these systems store signatures? (1)

yemanja (258653) | more than 8 years ago | (#14952545)

When forced to sign those electronic pads, I always use my left hand and just scribble something because I figure that once my sig is digitized, I can "sign" things from any hacker's system. Am I being overly paranoid?

And what about biometric data? What prevents its storage and later use as proof that we authorized transactions?

I realize that such data is never the exact same twice, but I don't like depending on systems that have to copy all instances of this data to make sure that they aren't seeing duplicates.
