Retail Stores & Credit Card Heists

The recent news of a retail chain’s computers being hacked and consumer’s credit card numbers being stolen makes me have to ask…why the heck are they storing credt card numbers in the first place? Even if it is an internet sale, why should merchants be storing our personal info? Once paid, shouldn’t the credit card info be wiped…and quite frequently, for that matter? Am I missing something here?

I forget the estimated number of stolen credit card numbers, but it was staggering. Surely, these are not all recent sales pending submission for payment, are they?

  • Jinx

A more in-depth article. Apparently, this information should have been routinely deleted in the course of business, but wasn’t for some reason:

And, they are in some hot water themselves:

Personal anecdote. Last week my wife got a call from her credit card company, asking if she really wanted to spend $1299 in Texas. Since we are in Oregon, she said of course not. I assume it was an online purchase from Dell. We had the account cancelled and the balance transferred to new account, and since they had put an immediate hold on the account, there were no issues with authorized fraudulent charges. I was impressed that they were so on top of it.

I read the article about the stolen numbers on Wendesday, and noticed TJMaxx… Lo and behold, my wife had used her card there during one of the periods in question! (in 2005, I believe)

In some cases it’s for convenience when placing orders under an established account. “Use credit card ending 1234” as a checkbox choice.

I agree they were storing the credit card info for MUCH longer than they should have, but it seems to me that merchants would probably want to store credit card info for a couple of months to simplify resolving disputed charges.

Another personal anecdote, I work in a high-end furniture store which does not store credit card numbers in its computer system. After deliveries, I often get customers being “annoyed” that they have to provide their credit card numbers again. Obviously, when the customer orders we ring in a deposit for the furniture (30%). When I am arranging deliveries I’ll get the question, “so you’ll just charge the balance to my card?” No. We do not store credit card numbers because we don’t want the liability of having customer’s numbers on record. That doesn’t stop people from being annoyed. No wonder credit card fraud/theft is so rampant, consumers don’t care.

I actually used to work at the TJX headquarters and data center as an IT consultant during the period mentioned. I am just waiting for someone to break down the door at any time. It is very unfortunate but large-scale IT in fractures lend themselves to bad as well as good.

Companies collect whatever info they can and try to keep it safe for whatever use they may need in the future. All of them do it and it can be used nefariously if someone slips in the door even as part of a short-term contracting job. The TJX scandal was an inside job just like bank heists that have always happened. Large scale databases like I work with every day can be scary things. I have always been amazed that companies don’t appreciate the damage an IT professional can cause given a motive.

I really don’t know how you could fix it all. Large scale databases have lots of valuable info and lots of employees and contractors need complete access to that info to do their jobs.

I used to write Duty Free sales systems for airlines.

It was quite common for people to ‘forget’ about buying something, the accounts department would regularly have to ‘find’ a credit card transaction, then locate the signed docket.

Clearing the credit card transactions is done by batching them up and transmitting them electronically to a clearer - one needs to know what is in a batch and be able to re-create it at will.

Credit cards have two magnetic tracks, Track 1 is known as the IATA track, but the airlines never got round to doing anything meaningful with it. It contains the card holders name, then number and date(s). Track 2 is the track that the banks like to use, it is (nearly)purely numeric. It contains the number followed by ‘=’ then the expiry date. The information that follows is loosely defined.

Historically I would store the number as seen on the front of the card, that worked fine for about 15 years. A few years ago VISA International came up with the smart idea of insisting that all 64 bytes of Track 2 were stored and transmitted to them to ‘prove’ that the card had really been swiped through the reader. I said it was idiotic, but who listens to a programmer.

A few months later they realized that huge numbers of perfect images of Track 2 were being collected and stored on central computers. Absolutely ideal for cloning cards. VISA came out with an edict that after 3 months the Track 2 data should be erased from all records. Naturally I wrote a utility to do that, but it does not work very well on compressed backups on DVDs :slight_smile:

The first rule of managing data is not to change it, the next rule is to back it up, and the third rule is to archive it. Making sure that you have plenty of copies at different locations is generally regarded as sensible.

The Credit card companies were insane insisting on full track storage by retailers, they were then stupid for thinking that anyone would delete historical data. They created the problem. Track 2 was good for ensuring a card was ‘valid’ in an ATM while online, but insisting that retailers store it in full was madness.

I have test data on one of my machines containing at least 20,000 perfect Track 2 images, all I need is a pack of card blanks and a mag strip writer.

As easy as pie! No wonder it was so easy to steal people’s ATM card numbers at that phoney ATM machine in a mall outside DC about 10 years ago!

Thanks all for the insider’s view on this! Very eye-opening!

  • Jinx

TJX (or TK Max as they are called over here) are also in trouble with the UK Information Commissioner. This is because the CC details of British customers have also been stolen.