Visa warns software may store customer data

A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers. A Visa representative confirmed that the warning was sent.

Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed.

Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts.

Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months and have told customers that thieves obtained vital debit-card information as a result of a security breach at a large merchant.

One commonality among the fraud victims, according to law enforcement and banking officials, is that most had shopped at one of Fujitsu's clients: OfficeMax.

The office-supply retailer has said that it has found no indication that it suffered an illegal intrusion. Fujitsu, which did not return repeated phone calls from CNET News.com on Friday, denied that its software has had anything to do with any alleged security breach. A representative for the company told the Journal that customer data, such as PIN codes, could not be stored using just its software. Other software tools would have to be added.

Major credit-card companies have banned the storing of customer data and can fine merchants who do store such data. The fear is that customer information may be a sitting duck for hackers should it be left in a company's computer system.

What may be more worrisome for consumers is that it's not uncommon for merchants to accidentally stockpile their customers' data, says Branden Williams, a principal consultant at computer-infrastructure firm VeriSign.

One of VeriSign's offerings is that it will assess a company's computer systems to ensure they meet security standards required by the big credit-card firms.

During his white-glove inspections, Williams said, he has often found software that would trap customer data, including PIN information, without the retailer's knowledge. Big companies working with complex systems are more prone to such slipups he said.

"You could totally understand how they could forget to turn off some switch," he said.

But Williams said there's no reason for the problem to go unchecked. Not only are there companies like VeriSign that will monitor system security, but Visa also offers a list of software products proven not to store data.

Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.

"It's really the responsibility of a company doing business to protect their customers," said Williams. "Especially when you consider what's at stake: identity theft, bad public relations and potential fines. Software vendors should also have their applications checked for any vulnerabilities that could lead to a security breach."

[davaal]

i've known this for years

i worked for NCR - we service registers and sigcap machines at retailers like walmart and best buy. i've known for a while that the information was saved. i just didnt know what information was saved.

recently i was asked to sign the signature capture device 3 times because my first signatures didnt go through. 'go thru what?' i asked. the cashier was either ignorant or didnt wanna let me in on the secret. think about it: she asked for my zip code, my phone number and she had my debit card account number and my signature. because i had a best buy card, they also sometimes asked for my social at the counter. i signed it incorrectly a second time because i really have no idea what my sig looks like.

now i only use cash. i dont give away personal information. they dont need it. i've been giving my zip code and phone number for years - and i've never seen any change in the store's products. its supposed to personalize the experience so that the store wont waste money on things the local populace doesnt buy. but i dont see why they need my signature and social in a database.

best buy, you wanna help me? tell that fat bouncer at the door to worry less about seeing my receipt and more about helping me get my purchace thru the friggin door. its insulting. as if i'd come off register 1 with a PC and an HD TV, after giving them my social, zip code, phone number and signature, then scan my debit card, smile at the camera above the door and then make a run for it.

now i shop for electronics online. if and when i do venture to a circuit city or best buy - i use cash only and i give false information.

[penso]

I've known this for years

I can see you having to give your PIN and CC card number for purchases but you mention social. Is that your Social Security No.? Never give that to anybody,especially when someone could access it. With that they can retrieve any info about you,ie:medical,legal etc. Not very good if they have that. Cash is the best way.

[markdoiron]

Why a Switch?

Why would ANY business ever want to save customer acct numbers and PINs? Why should any software EVER have a switch that the end-user business must "remember" to turn off? Software like that should never have been written.

mark d.

[hercules0]

intentional theft

Why are words like 'inadvertently', 'accidentally', and 'forget to turn
off' used in this article? It makes it sound like it was a simple
mistake that this happened.

It was purposeful hacking done to facilitate theft. There is no other
reason why a PIN should be stored at a merchant.

[GreenPlastics]

intentional theft & Accessories to a Crime

Yes you are right.

The PINS were intentionally stored and then intentionally used -- perhaps by a different party than the party who stored the PINs.

But doesn't this storage transgression make for two crimes?

A: Storing the personal information breaks their contractual legal obligations.

B. And AIDING and ABETTING the thieves, by providing data ("accidently" or otherwise) should make OfficeMax at least an ACCESSORY to that felony.

These companies should be punished on both counts.

[mikeallgaier]

Won't Biometrics Solve This Problem?

Why don't they (CC companies) just go with Biometrics (home and
retail) and be done with the fraud thing?

[volterwd]

Dont have your thinking cap on?

If they are currently storing your pin... whats to stop them from storing a copy of your biometrics?

[Zymurgist]

Because...

Biometric devices are prone to error (false-positive and false-negative error rates both high). Some people would find that their fingers will never scan right and will get frustrated, others will find that almost anyone's fingers will scan just as their own.

[BobCat01]

No - biometrics won't solve the problem

Hi there,

I noticed your posting. I had the same question a while back but there are some other considerations which factor in. First off, people aren't fond of biometrics. They feel it is invasive to privacy. Next up, some privacy legislation requires biometrics to be optional (an truly optional - not optional as in "you can choose not to use it but its at your peril" - there has to be another good alternative available). These two things alone make it a poor business choice in most cases. Lastly, it doesn't necessarily solve the problem. If software security holes allow PIN numbers to be read in the clear, what's to prevent similar programming holes from allowing a fingerprint to be re-created? The encryption could be weak in the system or even non-existent. I tested a system recently where a replay attack was possible because of an error in the driver code. Its easier to replace a card and a PIN than a fingerprint that has been compromised.

Chip cards are coming and they will likely address these issues but without the privacy concerns that surround biometrics.

[ordaj]

They pay FINES?!? Yeah, right.

Not according to this story:

http://news.yahoo.com/s/ap/20060319/ap_on_bi_ge/unpaid_fines

[ordaj]

They pay FINES?!? Yeah, right.

Not according to this story:

http://news.yahoo.com/s/ap/20060319/ap_on_bi_ge/unpaid_fines

[jtpickering]

Read. Process. Re-read.

Your post refers to people and companies who have not paid the US GOVERNMENT. The c-net article refers to the credit card associations fining merchants.

MasterCard, Visa, AmEx, et. al. have created an entity named PCI (Payment Card Industry) which has consolidated data security standards (DSS) from several of the founding companies into a single standard. PCI DSS enforcement is rumored to be turned over to a 3rd party.

The fines, should they be levied, are significant. Penalties vary, but include the revocation of merchant rights for MasterCard, Visa, or American Express. Additionally, a merchant is responsible for all entities that participate in the storage, process, or handling of credit card data.

[Stating]

VISA Blames The Consumer

Take a look at the security section of Visa's website (visa.com). Their entire spiel about security and identity theft blames the victim.
No advice about not giving out unnecessary personal information to merchants, about reporting merchants whose swipe machines DO NOT require a PIN to be entered, etc.

It's the same old garbage that if you were hacked, it's YOUR FAULT. To VISA I say, "Kiss My Grits."

/personal/security/protect_yourself/id_theft/how_it_happens%2Ehtml

[jtpickering]

VISA, Master Card, et. al. hold the merchant responsible

Caveat lector ? My reply is limited to space, among other things. Reseach PCI DSS, Visa?s CISP program, and MasterCard?s SDP program for a more thorough understanding of this topic.

A post stated:
?Take a look at the security section of Visa's website (visa.com). Their entire spiel about security and identity theft blames the victim.
No advice about not giving out unnecessary personal information to merchants, about reporting merchants whose swipe machines DO NOT require a PIN to be entered, etc.

It's the same old garbage that if you were hacked, it's YOUR FAULT.?

On the site you mention, under ?Use credit and debit cards safely? it says (in part): ?When using your credit card do not volunteer any personal information.? The page goes on to give some good advice. I will admit it does not specifically state that you shouldn?t give personal info to the merchant, but if a reasonable person reads the information, he/she will come to the conclusion that personal information (other than identity authentication) is not required to complete a credit/debit card transaction.

A sale is a business transaction, not an exchange of personal information - caveat emptor. You do not owe the merchant your phone number, zip code, or mother?s maiden name when you want to buy goods from them. If the merchant won?t complete the transaction without that information, get creative.