New VISA machine - mandatory security code

In my business we take credit cards and due to the type of business we are in we have had zero fraud in 15 years. We therefore don't ask for the security code as this gives our customers extra protection.

We have been paying £17/month for the machine rental.

Now they tell us that we must change to a new machine which is £23/month and the security code will be mandatory.

Is this a scam or is it real? What are the options? Currently we use the same card processor as our main bank.

Virtually all our business is 'customer not present'.

Postman Pat

"Postman Pat" wrote

We used a card processing machine supplied by HSBC and they too have recently upped the monthly rental from 15 to 20 (both +VAT), along with increased charges on individual transactions.

The security code is not needed for normal (in store) transactions, but is always required for those where the cardholder is not present.

It's amazing how the banks are screwing small businesses in this & similar ways. In our case (and numerous others that we know) they've also changed their charging regime (without any negotiation) for normal day-to-day banking services, and the changes are certainly not to our advantage.

The bank is now our single highest monthly expenditure (other than for stock purchases & wages); that despite the fact that we don't owe them any money or use any overdraft facilities, and our business account is usually substantially in credit. The amount they take from us each month exceeds our monthly business rates.

John.

John Turner

If you have a Payment Card Industry Data Security Standard compliant system in place, taking the CV2 should not increase the risk to your customer.

I'm surprised to discover there are still machines around that permit CNP transactions without the CV2. However, on my machines, the CV2 is only 'mandatory' in that you have to enter one to complete the transaction. You could, in theory, enter any number you like and still accept the transaction when it says no data matches.

Colin Bignell

Nightjar

I'd say that regardless of how secure the system in place is, the company never having the CV2 number has got to be less risky to the customer than the company having the number, all other things being equal and assuming the zero fraud situation is still the case.

Simon Finnigan

Of course that is true.

Most frauds are really obvious, like somebody from Russia ordering 100 of everything on our price list, with a credit card.

The problem is that most companies employ a load of chimps doing this work so the Russian's order will simply get processed with the account manager smiling at his month's bonus payment.

But the company will get a chargeback, CV2 or no CV2, because a CC payment is not "cleared funds"... not for about 6 months.

Postman Pat

If the system is PCI DSS compliant, the increase in risk is minimal. The CV2 is only held long enough to obtain authorisation and if the transaction is being done by phone, need never even be written down.

Colin Bignell

Nightjar

But even if they *need not* be written down, they still *can be* written down. The suggestion is that no matter how compliant or secure the machine is, the person operating it can still be a crook, and can write down the details and type them in later, and then sell his notepad to his accomplice in the pub.

Ronald Raygun

On Fri, 30 Jul 2010 18:20:34 +0100, Ronald Raygun wrote:

I was horrified when I had ordered a book on a local booksellers website for collection at their premises.

I had paid online with my credit card and address, CV2 details etc.

When I got to their collections desk, there was my order, printed out in full, card number, CV2, address, the lot lying on the desk. In a public space, on full view, with other customers just milling about looking at books - as you would in a book shop.

Apparently, their https:// website's e-commerce system consists of taking the entered details, and printing them out. When I collected my book, they typed the number and CV2 into a terminal by hand, and processed the order.

I left them with no doubt about what I thought of their ordering system and security.

Colin Harper

Colin Harper wrote

That's quite normal in small companies.

Postman Pat

On Fri, 30 Jul 2010 19:22:45 +0100, Postman Pat wrote:

What? And leaving them on a desk in a public space?

In a staff only office, perhaps - just perhaps.

Colin Harper

Not in any company I'm involved in. You just know that these guys were using an email enabled form that was sending the data in plain text to a mail-box waiting to be cracked.

There's no wonder card fraud is rife with this kind of idiocy; it's as bad as TK Maxx but on a smaller scale.

martin

My wife is a member of the local health centre and was asked by the receptionist to complete a new application. The receptionist then picked the top form off the pile sitting on the reception counter and the wife brought it home to complete.

The form was a duplicate, top white and bottom pink. When I looked closely, the white had imprints of someone else's details and the pink CLEARLY showed every detail of someone else, card number, bank account, sort code, CV2, address, home phone, mobile, the whole works. This person must have filled out their form on the top of the pile, at the counter, not realising one or more of the forms below were duplicating her details. Now there's security for you.

Mark Opolo

Exactly. Regardless of how secure a system is, if a human is involved then that human can be corrupt. Not giving that human the CV2 code means that they are unable to use it or distribute it further, which has got to be more secure than using it to verify orders in a company that has a 0% fraud rate.

Simon Finnigan

It is completely unacceptable.

And if your card service ever gets wind of it, is likely to lead to your authorisation being withdrawn.

You should NEVER print out the full card number, nor the CV2. Under any normal processing circumstances.

Alex Heney

"Mark Opolo" wrote

The reality however is that this is unlikely to result in card fraud. It's a bit like parking your car unlocked. The chance of a thief just happening to walk past is small.

Most card fraud is done with large-scale break-ins into company databases and servers, where the full cardholder details are held, even if only temporarily. Or thefts of card machines from garage forecourt shops, which are followed by an extraction of the transaction logs.

I had to fill in that card processing security verification form the other week. It was all meaningless bollox. A bit like those brainless forms generated by brainless self-important ISO9000 quality managers asking whether you segregate defective incoming goods. NO SIR WE MIX IT ALL UP AND USE IT IN PRODUCTION... what a load of w*ankers. The card security form asks a load of questions which are obvious as to how they should be answered, and anyway most small companies won't have the IT resources to really conform. We still use paper, which is why we don't ask for the security code.

Postman Pat

"Simon Finnigan" wrote

But surely the whole purpose of the CV2 number is to provide extra security for CNP transactions? I can't think of any other circumstances in which it is used - can you?

John.

John Turner

They are in breach of their agreement with their card handling provider in a number of ways and a complaint to the provider would be in order and probably a lot more effective:

1) As payment was taken on collection, it was wrong to take the CV2 in the first place.

2) As you were present during the transaction, it was wrong to process it as cardholder not present. It should have been verified by PIN (or signature in some cases).

3) They breached the following requirements of the Payment Card Industry Data Security Standard:

Requirement 3 - Protect stored card holder data

Requirement 7 - Restrict access to cardholder data by business need-to-know

Requirement 9 - Restrict physical access to cardholder data

and probably, Requirement 12 - Maintain a policy that addresses information security.

Colin Bignell

Nightjar

Not if the system is properly implemented. It is a requirement of the PCI DSS that a CV2 that is stored in any way is securely destroyed immediately after authorisation is obtained. There therefore has to be at least two failures in the system for there to be a risk. Against that, taking the CV2 protects the cardholder by ensuring that the person placing the order is in possession of the card, not just a record of the number and expiry date.

The vendor has control over who they employ and how well they implement their security systems. They have no control over who places orders with them.

Colin Bignell

Nightjar
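As an added illustration (not code from any poster) of the handling Colin describes above: the CV2 is passed to authorisation and then discarded, and the only record that survives for storage or a printed collection slip carries a truncated card number and no CV2. The authorise() call is a hypothetical stand-in for the terminal or gateway, and the sample order is constructed.

```python
import re

# Constructed sample: a telephone (cardholder not present) order as keyed in.
# The card number is a made-up test-style value, not a real card.
SAMPLE_ORDER = {
    "customer": "A. Customer",
    "address": "1 Example Street, Exampletown",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cv2": "123",
    "amount_pence": 1999,
}

def mask_pan(pan: str) -> str:
    """Truncate the PAN to its last four digits (PCI DSS Requirement 3 permits
    no more than this on a display or printout)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return "*" * (len(digits) - 4) + digits[-4:]

def authorise(pan: str, expiry: str, cv2: str, amount_pence: int) -> bool:
    """Hypothetical stand-in for the acquirer/terminal call. This is the only
    place the CV2 is used; nothing from it is retained."""
    digits = re.sub(r"\D", "", pan)
    return bool(digits) and cv2.isdigit() and len(cv2) in (3, 4) and amount_pence > 0

def take_cnp_order(order: dict) -> dict:
    """Authorise, then build the only record that may be stored or printed:
    masked PAN, no CV2. The working copy is scrubbed as well so a later
    print or log of 'order' cannot leak the sensitive data."""
    approved = authorise(order["pan"], order["expiry"], order["cv2"], order["amount_pence"])
    record = {
        "customer": order["customer"],
        "address": order["address"],
        "card": mask_pan(order["pan"]),
        "expiry": order["expiry"],
        "amount_pence": order["amount_pence"],
        "approved": approved,
    }
    order.pop("cv2", None)            # CV2 is never stored after authorisation
    order["pan"] = record["card"]     # full PAN gone from the working copy too
    return record

def collection_slip(record: dict) -> str:
    """What the collections desk sees: enough to match the customer, no more."""
    return f"{record['customer']} / card ending {record['card'][-4:]} / approved={record['approved']}"
```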

Or the person has had sight of the card (eg during a customer present C&P transaction) and has noted or memorised the CV2 number. Prior to Chip&PIN, with every Customer Present transaction the cashier would have had sight of the CV2 number when they checked the signature.

Graham Murray

Is it OK to obliterate the CV2 number? You could memorise it or copy it somewhere else first.

Mike Barnes
