storage of credit card details

I came very close last week to losing £1,500 to scammers who had my Sainsbury's credit card details, including the CVV number. I'm very careful about handing out the details, but it obviously leaked from somewhere. When you make an online purchase by card the details are passed to the secure payment system. Are they also stored on the server belonging to the seller (unless you have opted not to) or are they stored on your laptop/phone? Are they stored by the secure payment system?

Comments

  • born_again
    born_again Posts: 19,456 Forumite
    CVV is not stored by any retailer. If they do then they are in breach of card regulations and stand to face a massive fine for doing so.

    CVV is also not required for many online transactions. Recurring payments do not require it.
    Life in the slow lane
  • robinwales
    robinwales Posts: 129 Forumite
    edited 26 October 2021 at 1:36PM
    CVV is not stored by any retailer. If they do then they are in breach of card regulations and stand to face a massive fine for doing so.

    CVV is also not required for many online transactions. Recurring payments do not require it.

    This morning I went to a smaller online retailer and they asked if I want to set up payment card details. When I did so, they wouldn't let me save the details until I had provided the CVV, then it stored it. But where is it stored? The retailer, when I emailed them, said it was not stored on their server, but on the secure payment server, which in this case is Opayo (was SagePay). But why do they need the CVV? I thought the whole point of CVV was an additional layer of security for online transactions to prove it really is you using the card. If the details are held online (even encrypted) if they leak out then anyone can use the card fraudulently which is what happened with my card last week.
  • TadleyBaggie
    TadleyBaggie Posts: 6,538 Forumite
    Retailers (i.e. Amazon) will often request and use the CVV the first time a new payment card is used, they will not the CVV subsequently as they will not have saved it. I suspect this latest retailer is following the same model.

    Some others will request the CVV each time a purchase is made, it's their choice, but again it won't be saved.
  • Bradden
    Bradden Posts: 1,201 Forumite
    Without knowing more about the attempted scam it's hard to say.. how do you know they had the CVV? It might be worthwhile sharing your experience.. if only so others can avoid falling for the scammers.
  • Ergates
    Ergates Posts: 2,879 Forumite
    CVV is not stored by any retailer. If they do then they are in breach of card regulations and stand to face a massive fine for doing so.

    CVV is also not required for many online transactions. Recurring payments do not require it.

    This morning I went to a smaller online retailer and they asked if I want to set up payment card details. When I did so, they wouldn't let me save the details until I had provided the CVV, then it stored it. But where is it stored? The retailer, when I emailed them, said it was not stored on their server, but on the secure payment server, which in this case is Opayo (was SagePay). But why do they need the CVV? I thought the whole point of CVV was an additional layer of security for online transactions to prove it really is you using the card. If the details are held online (even encrypted) if they leak out then anyone can use the card fraudulently which is what happened with my card last week.
    They require you to provide the CVV to prove you actually have the card in your possession when you're setting up the card details (and you've not just stolen them from some other online retailer's site). The CVV is used to validate your card details with the card issuer, the merchant will then store the rest of the card details but shouldn't store the CVV. The payment processor (e.g. Opayo/SagePay/WorldPay) doesn't need to hold your CVV either - it's only used to perform real-time validation of your card with the card issuer (i.e. it has to be provided by you each time it's needed).
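
The flow described in the post above, as an added example that is not part of the thread and not any processor's real code: the CVV is passed to the issuer check once at set-up and is never written to storage, so a leak of the stored records exposes no CVV. `CardVault`, `issuer_check` and `demo_issuer` are hypothetical names, and the card values are constructed test data.

```python
from dataclasses import dataclass, asdict
import secrets


@dataclass(frozen=True)
class StoredCard:
    token: str   # opaque reference the merchant keeps for later payments
    pan: str     # card number; a real vault would encrypt this at rest
    expiry: str  # MM/YY


class CardVault:
    """Hypothetical processor-side vault; not Opayo's or any real API."""

    def __init__(self, issuer_check):
        # issuer_check(pan, expiry, cvv) -> bool stands in for the real-time
        # validation request that goes to the card issuer.
        self._issuer_check = issuer_check
        self._cards = {}

    def enrol(self, pan, expiry, cvv):
        """Validate with the issuer, then persist everything except the CVV."""
        if not self._issuer_check(pan, expiry, cvv):
            raise ValueError("issuer declined: card details or CVV did not match")
        token = secrets.token_hex(8)
        self._cards[token] = StoredCard(token, pan, expiry)
        return token  # the CVV was only ever a function argument

    def charge_stored(self, token, amount_pence):
        """Later payment on the saved card: there is no CVV to send."""
        card = self._cards[token]
        return {"pan_last4": card.pan[-4:], "expiry": card.expiry,
                "amount_pence": amount_pence, "cvv_sent": False}

    def dump(self):
        """Everything a leak of the vault's storage would expose."""
        return [asdict(card) for card in self._cards.values()]


def demo_issuer(pan, expiry, cvv):
    """Constructed issuer: approves one made-up test card only."""
    return (pan, expiry, cvv) == ("4111111111111111", "12/30", "737")


if __name__ == "__main__":
    vault = CardVault(demo_issuer)
    saved = vault.enrol("4111111111111111", "12/30", "737")
    print(vault.dump())                      # no CVV field in the stored record
    print(vault.charge_stored(saved, 1500))  # repeat payment without a CVV
```
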
  • born_again
    born_again Posts: 19,456 Forumite
    CVV is not stored by any retailer. If they do then they are in breach of card regulations and stand to face a massive fine for doing so.

    CVV is also not required for many online transactions. Recurring payments do not require it.

    This morning I went to a smaller online retailer and they asked if I want to set up payment card details. When I did so, they wouldn't let me save the details until I had provided the CVV, then it stored it. But where is it stored? The retailer, when I emailed them, said it was not stored on their server, but on the secure payment server, which in this case is Opayo (was SagePay). But why do they need the CVV? I thought the whole point of CVV was an additional layer of security for online transactions to prove it really is you using the card. If the details are held online (even encrypted) if they leak out then anyone can use the card fraudulently which is what happened with my card last week.
    They do not store the CVV; clearly the retailer does not know the regulations (and why should they if they are using a 3rd party payment processor). So Opayo will not have CVV stored on their servers.

    CVV is like an online PIN. It is supposed to prove you have the card in your possession. But retailers can get around the need for it. Same as they can get round the need for your PIN. But it puts them at a higher risk.

    It is not just online you have to think about. Every time you use your card at a retailer their till roll has your full card details on it (Card No, EXP, NOT CVV or Name).
    So think anyone working in a retail environment who has access to a till roll has access to thousands of card details. How many retailers actually vet their employees?


    Life in the slow lane
  • eskbanker
    eskbanker Posts: 36,564 Forumite
    born_again said:
    Every time you use your card at a retailer their till roll has your full card details on it (Card No, EXP, NOT CVV or Name)
    That maybe used to be true years ago, and perhaps still applies to some simple PDQ type environments, but modern retail systems designed post PCI-DSS won't use old-fashioned 'till rolls' that can reveal full card details to front-line staff.
  • Bradden said:
    Without knowing more about the attempted scam it's hard to say.. how do you know they had the CVV? It might be worthwhile sharing your experience.. if only so others can avoid falling for the scammers.
    Last week I had a phone call from a guy who claimed to be from the bank. He was quite convincing, and he had spoofed the number with the genuine call centre number. He said he was from the fraud division of the bank. He said he needed to take me through security and said he would send me a 'security code', which turned out to be a normal OTP code. I was obviously suspicious, but he was pretty insistent.

    I phoned the bank, and they told me that they had suspended the card a few hours earlier (but hadn't called me then) due to suspected fraud. He obviously tried again just before he called me and knew he had generated an OTP but it had gone to my phone, hence the call to me to try and get it. The reason his attempt earlier in the day failed is because we were close to max on our limit and the £1,500 he was trying to claim would have bust it. The bank said had the limit not been breached the payment would have gone through. It would not have generated an OTP.

    He must have had the CVV otherwise he wouldn't have got to the stage in payment that allowed payment, or generated an OTP.





  • eskbanker
    eskbanker Posts: 36,564 Forumite
    He must have had the CVV otherwise he wouldn't have got to the stage in payment that allowed payment, or generated an OTP.
    An understandable assumption but accessing a stored copy isn't the only possibility - CVVs can be worked out by brute force attacks, or some form of navigation through the site could have evaded CVV entry, or it may not have been checked correctly, or....
  • eskbanker said:
    He must have had the CVV otherwise he wouldn't have got to the stage in payment that allowed payment, or generated an OTP.
    An understandable assumption but accessing a stored copy isn't the only possibility - CVVs can be worked out by brute force attacks, or some form of navigation through the site could have evaded CVV entry, or it may not have been checked correctly, or....
    My card was used twice (once successfully) for a fraud, card never leaves the wallet and it hasn't been stolen, suspect it was someone harvesting it from a compromised site and I doubt they have the CVV. Fortunately my main card now requires authentication in the app for unusual payments online