Comments on: Visa warns software may store customer data

Cash register software by Fujitsu comes under scrutiny while wave of debit-card fraud hits country.

[davaal]

i've known this for years

i worked for NCR - we service registers and sigcap machines at retailers like walmart and best buy. i've known for a while that the information was saved. i just didnt know what information was saved.

recently i was asked to sign the signature capture device 3 times because my first signatures didnt go through. 'go thru what?' i asked. the cashier was either ignorant or didnt wanna let me in on the secret. think about it: she asked for my zip code, my phone number and she had my debit card account number and my signature. because i had a best buy card, they also sometimes asked for my social at the counter. i signed it incorrectly a second time because i really have no idea what my sig looks like.

now i only use cash. i dont give away personal information. they dont need it. i've been giving my zip code and phone number for years - and i've never seen any change in the store's products. its supposed to personalize the experience so that the store wont waste money on things the local populace doesnt buy. but i dont see why they need my signature and social in a database.

best buy, you wanna help me? tell that fat bouncer at the door to worry less about seeing my receipt and more about helping me get my purchace thru the friggin door. its insulting. as if i'd come off register 1 with a PC and an HD TV, after giving them my social, zip code, phone number and signature, then scan my debit card, smile at the camera above the door and then make a run for it.

now i shop for electronics online. if and when i do venture to a circuit city or best buy - i use cash only and i give false information.

[penso]

I've known this for years

I can see you having to give your PIN and CC card number for purchases but you mention social. Is that your Social Security No.? Never give that to anybody,especially when someone could access it. With that they can retrieve any info about you,ie:medical,legal etc. Not very good if they have that. Cash is the best way.

[markdoiron]

Why a Switch?

Why would ANY business ever want to save customer acct numbers and PINs? Why should any software EVER have a switch that the end-user business must "remember" to turn off? Software like that should never have been written.

mark d.

[hercules0]

intentional theft

Why are words like 'inadvertently', 'accidentally', and 'forget to turn
off' used in this article? It makes it sound like it was a simple
mistake that this happened.

It was purposeful hacking done to facilitate theft. There is no other
reason why a PIN should be stored at a merchant.

[GreenPlastics]

intentional theft & Accessories to a Crime

Yes you are right.

The PINS were intentionally stored and then intentionally used -- perhaps by a different party than the party who stored the PINs.

But doesn't this storage transgression make for two crimes?

A: Storing the personal information breaks their contractual legal obligations.

B. And AIDING and ABETTING the thieves, by providing data ("accidently" or otherwise) should make OfficeMax at least an ACCESSORY to that felony.

These companies should be punished on both counts.

[mikeallgaier]

Won't Biometrics Solve This Problem?

Why don't they (CC companies) just go with Biometrics (home and
retail) and be done with the fraud thing?

[volterwd]

Dont have your thinking cap on?

If they are currently storing your pin... whats to stop them from storing a copy of your biometrics?

[Zymurgist]

Because...

Biometric devices are prone to error (false-positive and false-negative error rates both high). Some people would find that their fingers will never scan right and will get frustrated, others will find that almost anyone's fingers will scan just as their own.

[BobCat01]

No - biometrics won't solve the problem

Hi there,

I noticed your posting. I had the same question a while back but there are some other considerations which factor in. First off, people aren't fond of biometrics. They feel it is invasive to privacy. Next up, some privacy legislation requires biometrics to be optional (an truly optional - not optional as in "you can choose not to use it but its at your peril" - there has to be another good alternative available). These two things alone make it a poor business choice in most cases. Lastly, it doesn't necessarily solve the problem. If software security holes allow PIN numbers to be read in the clear, what's to prevent similar programming holes from allowing a fingerprint to be re-created? The encryption could be weak in the system or even non-existent. I tested a system recently where a replay attack was possible because of an error in the driver code. Its easier to replace a card and a PIN than a fingerprint that has been compromised.

Chip cards are coming and they will likely address these issues but without the privacy concerns that surround biometrics.

[ordaj]

They pay FINES?!? Yeah, right.

Not according to this story:

http://news.yahoo.com/s/ap/20060319/ap_on_bi_ge/unpaid_fines

[ordaj]

They pay FINES?!? Yeah, right.

Not according to this story:

http://news.yahoo.com/s/ap/20060319/ap_on_bi_ge/unpaid_fines

[jtpickering]

Read. Process. Re-read.

Your post refers to people and companies who have not paid the US GOVERNMENT. The c-net article refers to the credit card associations fining merchants.

MasterCard, Visa, AmEx, et. al. have created an entity named PCI (Payment Card Industry) which has consolidated data security standards (DSS) from several of the founding companies into a single standard. PCI DSS enforcement is rumored to be turned over to a 3rd party.

The fines, should they be levied, are significant. Penalties vary, but include the revocation of merchant rights for MasterCard, Visa, or American Express. Additionally, a merchant is responsible for all entities that participate in the storage, process, or handling of credit card data.

[Stating]

VISA Blames The Consumer

Take a look at the security section of Visa's website (visa.com). Their entire spiel about security and identity theft blames the victim.
No advice about not giving out unnecessary personal information to merchants, about reporting merchants whose swipe machines DO NOT require a PIN to be entered, etc.

It's the same old garbage that if you were hacked, it's YOUR FAULT. To VISA I say, "Kiss My Grits."

/personal/security/protect_yourself/id_theft/how_it_happens%2Ehtml

[jtpickering]

VISA, Master Card, et. al. hold the merchant responsible

Caveat lector ? My reply is limited to space, among other things. Reseach PCI DSS, Visa?s CISP program, and MasterCard?s SDP program for a more thorough understanding of this topic.

A post stated:
?Take a look at the security section of Visa's website (visa.com). Their entire spiel about security and identity theft blames the victim.
No advice about not giving out unnecessary personal information to merchants, about reporting merchants whose swipe machines DO NOT require a PIN to be entered, etc.

It's the same old garbage that if you were hacked, it's YOUR FAULT.?

On the site you mention, under ?Use credit and debit cards safely? it says (in part): ?When using your credit card do not volunteer any personal information.? The page goes on to give some good advice. I will admit it does not specifically state that you shouldn?t give personal info to the merchant, but if a reasonable person reads the information, he/she will come to the conclusion that personal information (other than identity authentication) is not required to complete a credit/debit card transaction.

A sale is a business transaction, not an exchange of personal information - caveat emptor. You do not owe the merchant your phone number, zip code, or mother?s maiden name when you want to buy goods from them. If the merchant won?t complete the transaction without that information, get creative.