In May, a movie theater near my house installed those handy credit card swipe machines. For those who haven’t seen them, the customer swipes his/her card in the machine, OKs the charges on screen, and possibly signs a touchscreen, all without giving the clerk the card.
My girlfriend and I went to see a movie, The Italian Job (we think), at the end of May. I paid by credit card, and used the swipe machine. Two days ago, a charge shows up on my card from the theater. We did not see a movie anytime in the last few months, because, really, what has there been to see? So I called the theater. Their response: “Well, the swipe readers hadn’t been completing the transaction. We’ve basically had no credit card charges for five months. And when we fixed the problem, we found that your charges had been approved, but never completed. So we charged you.” I checked back statements, and they’re right, I was never charged…
This is the part that gets me though, and please tell me if I’m just horrendously naive: In order for them to charge me now, doesn’t it imply that they stored my credit card number and verification information in some local database for three months? Or do the credit card companies provide some means of repeat/updated billing? Also, if it’s legal/standard procedure/common for them to store information like this, what’s to prevent a clerk/manager with access rights from going to town with my card?
I was under the assumption that charges were (more or less) automatic - the machines linked directly to Visa or MC or whoever, and the store never really knew or needed to know anything that wasn’t on the receipt (the last 4 digits and my signature).
Yes, it’s perfectly common for merchants to store your credit card numbers.
It is also perfectly common for employees of those merchants to steal credit card numbers and have a grand ol’ time. The only thing preventing it is adequate security procedures on the part of the merchant, and plain ol’ human honesty.
When you swipe your card, all the information that the theatre would keep would be encoded, and unless someone at the theatre had the software to decode it, they would have no way to obtain your CC number or other information. Look at the cookies stored on your computer. Do they make any sense to you? Of course not. The information you are worried about is stored in the same manner. I would worry more about the low paid data entry clerk that works for the credit card company stealing your info than some low paid theatre manager.
As I can attest from professional experience (which I won’t get into for fear of violating some NDA I signed to gain employment sometime in the past) you are most certainly incorrect.
It is common practice for merchants to keep logs of all the payment information, including full CC# and all the other info relevant to the transaction. Although in some cases this information might be encoded, in my experience it usually isn’t and isn’t required to be. Whatever security there is keeping your information private is up to the merchant. It might make you feel more secure to draw a parallel between how cookies are stored on your computer and how merchants store payment information, but there really isn’t any similarity whatsoever.
Now, PIN#'s for debit cards and such are a totally different story. Those ARE indeed secure and the only way a clerk could get your PIN is if they watched you enter it and they memorized it. The terminals where you enter your PIN# use encryption and a merchant has no way of keeping track of people’s PIN#'s, since they go directly from the terminal (which encrypts them on the spot) to the clearinghouse which routes all the transactions directly to the various debit networks.
I can tell you that, at the place where I work, I have access to EVERY credit card number of EVERY credit card we’ve swiped for at least the past seven years, thousands I’d imagine. In fact I believe we are required to keep records of all our credit card transactions (which include the CC numbers). But like voltaire said, I don’t have PINS, nor do I have the verification numbers, zip codes or addresses of those cards (which makes it about .005% harder to use them if I so chose to).
As I sit here at work (I’m spending the weekend again – long story) I have, within this very room, boxes of those old-fashioned two-part carbonless CC receipts that go through the clackety Credit Card machine. Well, I mean, we only have the merchant copy. The customer got their copy.
They all have CC impressions on them. Some of the older ones are actually waiting to be shredded.
Credit cards aren’t nearly as secure as most people think.
Credit cards work two ways: one is a SALE and one is an AUTHORIZATION. Let me use my hotel knowledge to explain. When you check into a hotel they swipe your card. The swipe AUTHORIZES your card for the amount of a stay and a set fee or percentage over that stay (for room service charges etc). You are NOT billed. Simply the amount is verified to be ABLE to be billed. So you could stay one night for say 100 dollars (room and tax included). The credit card would authorize typically 150 dollars. When you check out the actual amount is sent to a machine that typically transmits the charge to be billed after midnight.
A point of sale charge bills you immediately. For instance, on certain reservations you must pay in advance as the rate is non-refundable. Those are billed immediately and for exact amounts.
I have worked in hotels my whole life and if you want numbers check their garbage. You will find more credit card numbers there than in any computer.
Markxxx is on to a good portion of credit card operations, as are most of the previous posters. Frequently restaurants will send a request through to the credit card database that assumes a 15% or 20% tip in the total request, not that that amount is being charged, just that it is approved. Web statements often don’t jibe with these “debits”.
Credit card numbers are repeated over the phone constantly, and most people know that without the expiration date, they are useless. There is one physical feature on most newer cards that helps with fraud, check digits. If your card has its number printed on the signature line, it probably has 3 extra digits printed after it, check digits. This is simply a method of identifying a stolen impression number from the sequence on the actual card. Check digits are not usually shared information. You can only see them on the back of the card itself, fewer stolen card #s and expirations.
Last month the state of California enacted a law that mandates merchants to notify customers if there has been any security breach that could have exposed credit card numbers. It is thought that this will then open up the merchant to lawsuits. As a result, merchants are going to tighten up their protection of credit card numbers. I work in the POS industry and we have been doing a rush job to minimize the amount of time that a credit card number exists on the POS system.
The merchant needs to keep the cc # somewhere for dispute resolution or, as the OP found, for reissuing failed charges. Plus some retailers keep the number for loss prevention analysis such as tracking the credit cards used most in refunds, which can indicate fraudulent activity (e.g. buy something, pick up another off the shelf and “return” it). What the new laws are going to do is force the retailer to show appropriate care in handling of cards.
dnooman, what you say is correct, but it is called a verification number. The last digit of the regular credit card number is the check digit and is calculated from all the other digits. It is used as a check that the number is 90% likely to be in a valid format - if the check digit is wrong, the system will not even attempt to authorize.
voltaire is also correct - cc details are usually not kept encrypted, but the PIN is safe. The recent legislation that I mention will drive retailers to use more encryption (we have one customer asking us to do it). But remember that the retailer needs the details for a legitimate purpose, so there are going to be some employees who will still see the number after it has been decrypted. The retailer will need to provide authorization only to the minimum number of people.
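The check digit described in the post above is the Luhn (mod 10) digit; the following is an added illustration, not code from anyone in this thread, of the local format check a POS system can run before sending anything to the processor. The card numbers used are constructed test values, not real accounts.

```python
# Added example: Luhn check digit as described in the thread (last digit is
# computed from all the others; a mismatch means "don't even try to authorize").
# Sample numbers below are constructed test values, not real cards.

def luhn_check_digit(partial: str) -> int:
    """Compute the check digit that makes `partial` + digit Luhn-valid."""
    digits = [int(c) for c in partial if c.isdigit()]
    total = 0
    # Walk from the right; the digit nearest the future check digit is doubled,
    # and any doubled value above 9 has 9 subtracted (same as summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    """True if the full number (spaces/dashes allowed) passes the Luhn check."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])

def precheck_before_authorization(number: str) -> str:
    """Mimic the POS pre-check the post mentions: reject malformed numbers locally."""
    if not luhn_valid(number):
        return "rejected locally (check digit mismatch)"
    return "format ok, would forward to processor"

def catches_all_single_digit_errors(number: str) -> bool:
    """Report whether every single-digit substitution in a valid number is rejected
    (it is: the Luhn digit detects all single-digit errors, though not all
    transpositions)."""
    digits = "".join(c for c in number if c.isdigit())
    for pos, original in enumerate(digits):
        for replacement in "0123456789":
            if replacement != original:
                mutated = digits[:pos] + replacement + digits[pos + 1:]
                if luhn_valid(mutated):
                    return False
    return True

if __name__ == "__main__":
    for n in ["4111 1111 1111 1111", "4111 1111 1111 1112", "79927398713"]:
        print(n, "->", precheck_before_authorization(n))
```

Note that this check only confirms the number is well-formed; it says nothing about whether the account exists or the cardholder is present, which is why the post treats it as a pre-filter rather than a security control.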