Giffgaff credit card payment not secure - appear to be storing CVV

wattc

Last month while buying a new giffgaff goodybag, I accidentally entered the wrong CVV number because I got mixed up between my credit and debit card. But I wasn't totally sure if I'd entered it wrong, as the payment went through.

Yesterday however, I deliberately put in the WRONG CVV for my credit card and the payment went through!

How has the payment gone through? I've put in the wrong CVV on other websites and payment is rejected instantly. It seems to me the only way the payment could have gone through is if giffgaff have stored my CVV from previous transactions.

I believe that in the UK, online shopping services are not allowed to store the CVV.


What do people think about this? It appears that people have been complaining about this to giffgaff for over a year and nothing has been done.


This is a serious breach of online security isn't it?

peachyprice

I don't know the in's and out's of whether it's legal or not, but if it is and they can't do it how could they take payment for recurring goody bags? You don't put the CVV in every month for that.

wattc

I'm not talking about a recurring goodybag (I assume you accept some terms and conditions for that option), I'm talking about a single transaction purchase of a goodybag. This is a payment like you'd do on any website, so the CVV must surely have to be correct?

kimminess

It isn't illegal for them not to ask for the CV2 number - Most companies have it as a requirement for extra fraud protection, as if a card is used fraudulently the actual cardholder can initiate a chargeback which means the company loses the sale money and the goods.

From my experience, the merchant services I have used allow you to create "rules" for added fraud protection. This means that if no rules are set up, any payment attempted with a valid card number and expiry date can go through, regardless of whether the CV2 number and the billing address match what is registered at the bank.

(Which also means they probably aren't storing your CV2 number - They just don't have anything in place to reject the transaction when the data doesn't match!)

That's really shoddy of GiffGaff not to have anything in place though! Leaving themselves open to a rubbish reputation and losing money!

HTH

System

Have you used that card with giff gaff before and used the correct number?

If so then they have a proven link between your on-line account and that card so there is no risk to them accepting that card without or with a wrong CVV.

Neither the OP nor giff gaff will lose money as the account is only linked to the single telephone number anyway so any purchase will only be used by the OP on their phone.

peachyprice

wattc wrote: »

I'm not talking about a recurring goodybag (I assume you accept some terms and conditions for that option),

No, you don't, they just use the card details they hold for normal top-up.

shakeitright

Even with a single transaction,you can store credit card/debit card details on the Gifgaff site for future use.I have always had to fill out my banks security form when buying a goody bag so it seems as secure as any other site.

Colin2511

Why dont you ask them?

Companies that take Credit /card info have to be PCI Complaint now, and have to fill in an annual return, confirming what information is stored on site, how payment is taken and what is being done to mitigate the risk of a 3rd party getting any information.

Also (I dont know the site) - it depends on how payment is taken, as there are two main ways with big payment providers like Sagepay, where customers stay on your site whilst they proces the payment, or where you go to sagepay to complete the transaction - the latter is very secure, we use this, and when the payment is completed we have no access to the card details, we get the last 4 digits and type of card (bank) only -

Colin2511

PS the rules bit is right, we can set which transactions by value, country, isp etc that we want things to agree, or does not matter if does not match

SuperHan

Maybe they just aren't checking CVV, and not storing it at all. Amazon for one do not ask for CVV at all when processing card payments. It's just an extra fraud protector, maybe it's one that GiffGaff are using as a deterrent but in fact not looking at at all.

shirley999

giffgaff took too much money out of my son's account 13 days ago. They acknowledged it was an error 8 days ago but he has still not got his money back. I don't understand how this happened in the first place, let alone why it wasn't immediately refunded. What if he hadn't noticed the extra money had been taken from his account? How many other people could have been affected? This looks like theft to me.