Storing credit card details

MisterT

Interesting thread, I stumbled across it searching for CVV information in relation to fraud so I'm going to hijack it!

Recently I bought an item over the phone which required a deposit paid when placing the order and the balance when the item became available for delivery. Understandably I was asked for the 3 digit code when I paid the deposit but I was concerned when I was called and asked to pay the balance a few weeks later as the retailer asked me to confirm the card details – number, dates etc including the CVV number which they obviously had kept on file. I queried this at the time but was told they needed to keep it so the balance could be taken.

Again on a recent occasion I had to use a pre-printed form to book and pay for an education course. The form asked for the credit card details including the CVV number. This especially concerned me as fraudsters would know anyone using these forms would have conveniently written down all the details required for an online or over the phone purchase using the card. All they need to do is intercept the forms and off they go - spend spend spend.

Is it common for printed forms to ask for a CVV number?

Chino

MisterT wrote: »

Is it common for printed forms to ask for a CVV number?

It doesn't directly answer your question, but a few weeks ago there was an item on the BBC Radio 4 programme "Money Box" regarding the practice of some retailers to ask cardholders for CVV numbers for face to face transactions:

news.bbc.co.uk/1/hi/programmes/moneybox/9747789.stm

UsernameAlreadyExists

MisterT wrote: »

Recently I bought an item over the phone which required a deposit paid when placing the order and the balance when the item became available for delivery. Understandably I was asked for the 3 digit code when I paid the deposit but I was concerned when I was called and asked to pay the balance a few weeks later as the retailer asked me to confirm the card details – number, dates etc including the CVV number which they obviously had kept on file. I queried this at the time but was told they needed to keep it so the balance could be taken.

Yes, 2 entirely separate payments.
The first was for the deposit, and then later they need to charge the balance.

They may well have retained the card number (or perhaps a mask of it - eg. NNNNN******NNN) to ensure that you're paying the balance with the same card (otherwise billing address/delivery address checks might need to be done again)
They shouldn't have kept the CVV, hence they must ask again for it for the balance payment.

MisterT wrote: »

Again on a recent occasion I had to use a pre-printed form to book and pay for an education course. The form asked for the credit card details including the CVV number. This especially concerned me as fraudsters would know anyone using these forms would have conveniently written down all the details required for an online or over the phone purchase using the card. All they need to do is intercept the forms and off they go - spend spend spend.

Is it common for printed forms to ask for a CVV number?

This unfortunately is not uncommon, and entirely understandable. You have to imagine that these are probably small buinesses being run from home and they've got a credit card terminal to take their payments. So they open the post, sort the order details, key in the card details (same as they would if you were on the phone to them), and they then can take your money. At this point they need to destroy the paperwork, as the terminal will print out the receipt, and they often return a customer copy for you.

Technically ... from the moment you the fill in the form, to the point it gets keyed into the terminal, the authorisation is in progress and the data is in transit. It's not being stored electronically on a computer system that can be hacked. However I'd not write my CVV on a form, I'd do it over the phone.

UsernameAlreadyExists

EDIT: by "in transit", this is no different from typing your CVV into a webform, and it travelling over the internet to their servers. Anyone can intercept it (same as you can mug a postman), hence SSL is used as a layer of protection.

MisterT

This isn't a small business by any stretch of the imagination - it's a local authority for a major city. it seems insane to me to ask people to write down every detail of their credit card and pop it in the post - credit card fraud costs 100's of millions of pounds each year and no wonder!

Tiexen

I used to work in a small firm that took cc payment over the phone - I'd hear the person reading the details back - I could easily have written them down - I'd much rather do online payments anyday

Fertilizer

@ MisterT
I am quite happy for you to hijack in this instance ...

Forms - I have been asked a couple of times to fill in credit card details on a form, but never complied - that does concern me.

Phone - I was once asked to pay the deposit for a (small) hotel booking and they requested I tell them my CVV number - the only time ever I had been asked, as I recall - I refused - too easily hijacked - apart from anything else, some busy hotels have a tendency to leave bits of paper all over the place at the reception desk and it is just too easy for anyone to lean over and pick them up. I did actually book that hotel but via the internet.

In general
- forms? never
- phone? not for years and NEVER given anyone my CVV
- shops? put card into machine but NEVER needed CVV
- restaurants? don't let anyone walk off with card
- Internet? - most days of the week for many years, but don't want anyone storing my card details - therefore don't have CC scheduled debits which some companies suggest ... always use Direct Debit on bank instead.


Nothing is perfectly safe - I could be mugged for cash in the street - but Credit Cards are reasonable. However, some organisations are sloppy with data, some individuals are complacent, some criminals are determined.

Further up this trail, I mentioned identity and credit card - I also mentioned data which could only have come from the credit card company's data files. A few years back I received a call about an odd transaction. It appeared that someone had managed to persuade the credit card company that I had moved house (I had not) and then perhaps arrange an expensive delivery there.

Although it had been compulsory for me to create a telephone password when setting up the credit card originally, I had never used it myself. I never phone credit card companies. The telephone password was unique - not used for anything or anyone else - never been used at all. Yet someone had called the credit card company and apparently successfully pretended to be me.

I have never lost any money on credit cards. There have been a few dodgy transactions - but not for years - and they were always caught by diligent card companies.

Although cc fraud cannot be stopped completely, it is obviously best to take sensible precautions.

Fertilizer

An article people might find useful on BBC
http://www.bbc.co.uk/webwise/guides/safe-shopping-with-cards

Fertilizer

An article people might find worrying on ZDNET
http://www.zdnet.com/blog/security/analysts-on-visa-mastercard-credit-card-security-breach/11161

dalesrider

Fertilizer wrote: »

An article people might find worrying on ZDNET
http://www.zdnet.com/blog/security/analysts-on-visa-mastercard-credit-card-security-breach/11161

March 30, 2012 Old news.

As I said the weak point is retailers. But they have a need to store card details.

You could also add TK Maxx as another co a few years ago who hit the same issue.