Shop Till Receipts

ThinkQuick

Hoping someone can help me with a query about till receipts.

A few months back my bank Visa Debit card details were fraudulently used. No big deal, the bank systems spotted it quickly, automated phone call alerted me and so on. However I noticed that this had happened just after a had visited a particular store.

Today I was in that store and bought a couple of things. A standard chip and pin machine was used but it was the shop assistant that used it, taking my card off me, putting it in the machine, giving it to me to put the pin number in and then taking it back again to wait for receipts to print. I got my receipt as expected and they got theirs, however I was shocked to notice that on their receipt, my full card details were printed. The full card number, the start and expiry dates etc. My copy of course only showed the last 4 digits.

Is this normal because if so it would seem ludicrously insecure!!

I anticipate that some of you might suggest that "yes but they don't have your card pin number or the 3 digit security number on the back of the card"

However to that I would say that it would be exceptionally easy for an assistant, when ripping off the receipt and handing the card back to you, to turn the card over in the process and quickly clock that 3 digit number.

I thought all these transactions were computerised with no full details being stored anywhere except in the secure computer systems. Is this store just archaic in it's technology or are they scamming people?

shaun_from_Africa

This is quite normal and it is only the customers receipt that has part of the card number replaced with asterisks.

How does it work?
A software update to your terminal is all it takes to enable each customer’s
card account details to be replaced by a set of asterisks (****) on their copy
of the receipt. This keeps their account details secret and stops fraudsters who
could otherwise steal and use the information. (You will retain the account
number in full on your merchant copy of the receipt should any queries
arise).

http://www.streamline.com/accepting-card-payments/face-to-face/other-products/pan-truncation-tbc/

Slowhand

How would they know your PIN, or the answer to the online security questions? ie give the 1st 6th and 8th characters of your favourite child's name?

George_Michael

Slowhand wrote: »

How would they know your PIN?

http://www.dailymail.co.uk/news/article-522848/Motorists-warned-new-card-cloning-scam-petrol-station-spy-camera-records-chip-PIN-details.html

Getting hold of someone's PIN isn't too difficult if you know what you are doing and the person concerned is even slightly lax when they enter it.
I've often been behind people in shops and garages and have clearly been able to see the number that they enter as they made no effort whatsover to conceal the pin pad.

ThinkQuick

Slowhand / George

You miss the point I think. PIN numbers are not the issue. If I want to order a CD from say Amazon on the internet my card PIN number never enters the equation. What I DO have to supply though is the 3 digit security number on the back of the card. Think it through, just about ANY online purchase you are asked for:

Full card number
Card Expiry Date
Security 3 digit number

A few websites ask for the special bank password you may have set up with your card but there are plenty of sites that don't and I'm sure the scammers know which they are.

The shop till receipt has 2 of these and the 3 digit security number is easily spied by a shop assistent if they handle your card and take a sneaky peak at it, maybe also your name from the front of the card too.

What an incredibly dumb and insecure system !

bris

Your full details are printed because of chargebacks. If you dispute the transaction the merchant service provider sends a letter asking for proof you visited the store.

The retailer digs out your receipt identified by the long card number and date of the transaction, scans it and sends it to the merchant.

This is the proof the retailer needs to stop the chargeback, if it still turns out to be fraud the bank takes the hit not the retailer because they followed the proper procedure and got the pin entered at time of sale.

You are assuming sales assistants are all fraudsters, but this is the way these terminals have operated for the last 40 years, even going back to the carbon days.

arcon5

Youd be shocked to know, when you buy stuff online a cross reference ID is generated so your card can actually be charged again even without the details stored. A proper merchant account can also have settings changed to authorise payments even without the csc number.

Fortunately there are stringent processes in place to identity check persons setting up new merchant accounts and often if chargebacks rates are above industry standards your account is at risk of suspension so getting chargebacks can be a nightmare for retailers.

ThumbRemote

bris wrote: »

Your full details are printed because of chargebacks. If you dispute the transaction the merchant service provider sends a letter asking for proof you visited the store.

The retailer digs out your receipt identified by the long card number and date of the transaction, scans it and sends it to the merchant.

This is the proof the retailer needs to stop the chargeback, if it still turns out to be fraud the bank takes the hit not the retailer because they followed the proper procedure and got the pin entered at time of sale.

You are assuming sales assistants are all fraudsters, but this is the way these terminals have operated for the last 40 years, even going back to the carbon days.

They aren't assuming all sales assistants are fraudsters, they are simply pointing out that a sales assistant could commit fraud, as they have enough information to do so.

There are also a far larger number of transactions nowadays where the customer isn't present, compared to the carbon days.

It is a poor system if this is possible. There's really no need to print anything other than a transaction ID on the retailers copy, in the event of a dispute they could just as easily track it that way.

Own_My_Own

Slowhand wrote: »

How would they know your PIN, or the answer to the online security questions? ie give the 1st 6th and 8th characters of your favourite child's name ?

Just don't ever let your other children now that its not their name. It cause upset :eek:

Dimey

Slowhand wrote: »

How would they know your PIN, or the answer to the online security questions? ie give the 1st 6th and 8th characters of your favourite child's name?

A fraudster doesn't need to know these questions. They can get away with just supplying- card number, expiry date and security code number most of the time.

CynicalScotsman

they are simply pointing out that a sales assistant could commit fraud, as they have enough information to do so

.

They don't really.

The information is useless in a store - as you need the card.

The information is useless online - as a transaction would be stopped/flagged if it was being delivered to a different address AND you would need your 'verified by visa' etc password.

The information is useless over the phone - very few retailers would carry out a 'customer not present' transaction as they would be liable should it be fraud, and, if they did you would get the money back within days anyway!

I dont understand why consumers have just realised this! Its been happening since the invention of credit/debit cards!