Why do companies keep our credit card info on file?

So, another large retailer (Jewel-Osco, in the Chicago area) has been hacked, and credit card information such as card numbers, PINs, etc. has been exposed to outsiders. My question is this: why does Jewel, or Home Depot, or Target have that information on file? If I use my card in their store, and they want to track my purchases, it’s not necessary for them to have my credit card information. They just need a name and maybe address, and that’s pretty much it. I’m reconciled to the fact that these companies want to know what I’m buying and their marketing policies may rest on such information. But why is my credit card number on file there, just sitting, waiting for some dickwad to hack the system and cause me to get still another new credit card, contact several companies that charge my card number automatically every month, and have to watch my credit card invoices for the next 6 months to be sure I haven’t had my own account compromised?

Have you ever ordered from them online with a non-store credit card and forgot to uncheck the box that says “Keep your information on file?” If you’re talking about an actual Target credit card, why would they not have your information on file if they issued the card?

I think in some cases it’s not that they are keeping the information, but that they were hacked over a period of time so that anyone who used his card during that period might be compromised. It might not be just a one day hack.

Except for the fact that Target was hacked and no matter what credit card you used (ours is a BAC card), you had to get a new one. Why the hell Target had to keep that information on file is beyond me and prompts my attempt at understanding these systems.

TOTALLY guessing here, but one possibility that comes to mind is the possibility of disputed charges; with credit card numbers associated with purchases for a reasonable amount of time it would be easier to investigate whether (from the store’s point of view) it was a legitimate screwup that there is no point in contesting or whether it’s a customer trying to pull a scam and it should be contested.

Your card info may not be stored by them at all, but it is traveling through their systems.

Some of the recent “breaches” at retailers compromised the very edge where you meet them - the checkout lane - point of sale terminals have been compromised with skimmer devices or have had malware inserted to capture card data before it even enters the merchant’s network.

Target did *not* hold your CC info on file. Nor do they now.

Instead, the bad guys had installed spyware inside Target’s systems that eavesdropped on the conversation between Target’s cash registers and the VISA & MasterCard networks. So they captured your CC number as it flew by on the wires inside Target’s systems. And promptly smuggled the illicitly-gotten information out to the bad guys.

The spyware sat undetected at the core of Target’s infrastructure for about 6 months. And during that time about 1/2 of US consumers bought something at Target. And duly had their CC information eavesdropped and sent to Bulgaria or wherever.

Are you sure?

Unless they have changed their policy very recently, if you try to return or exchange an item but have lost the receipt, Target can use your credit card number, gift card number, or checking account number (if you paid with one of those instruments) to pull up your transaction and process your return. And it doesn’t have to be a Target credit card.

That’s really not an uncommon policy. I was once behind a man at a Safeway grocery store who was trying to pay with some kind of corporate check. The cashier called over the manager who looked up the history of previous purchases with the same checking account number and approved it.

I have also tried to get refunds and use a different credit card than the one I paid with. At some stores the system rejects it, at others it doesn’t care.

People in this thread are discounting the theory that retailers keep records of credit card numbers for tracking purposes without citing any evidence. Credit card numbers provide valuable data linking purchases to customers and creating a history. I think retailers are more than eager to exploit this sort of data.

What Visa and Mastercard rules prohibit is the storing of PIN numbers and the full magnetic stripe data. The magnetic stripe contains numbers in addition to the account number and expiration date that are used to verify that the actual card was swiped. But even then, some merchants have been caught keeping this data.

Alley Dweller, that can (and should) be accomplished by linking the purchase with a hash of the card / account number, not storing the number itself.

For one retailer I’ve worked with the transaction doesn’t flow from the POS to the bank for instant processing. There may be an instant approve/deny decision but the processing happens at HQ. The way it worked there is that the card data was encrypted at the POS, then sent to an in-store system. The stores batch up the encrypted transactions and send them to HQ. At HQ the transactions are gathered into bigger batches which are finally decrypted and sent to the banks for settlement.

For the Target attack the malware got into the POS and siphoned off the card data before the encryption step.

Am I the only one that has gone to one of these stores for a refund and said “I don’t have my receipt, but I do have the card I bought this with”, and that’s all they needed to look up the purchase? They’d have to keep the card on file to do that.

EDIT: I suppose they could keep a one-way hash of the card number on file, but you know what I mean.
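
The hashed lookup suggested in the posts above, sketched as an added example that is not part of the original thread or any retailer's actual code. It uses a keyed hash (HMAC) rather than a plain one, because card numbers are short enough that an unkeyed hash can be reversed by enumeration; `LOOKUP_KEY`, `PurchaseIndex` and the field names are hypothetical.

```python
import hashlib
import hmac

# Assumption: a real deployment keeps this key in an HSM or secrets manager,
# separate from the purchase database. This value is constructed for the demo.
LOOKUP_KEY = b"constructed-demo-key"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a Luhn-valid number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    if not 12 <= len(digits) <= 19 or total % 10:
        raise ValueError("not a valid card number")
    return digits


def card_token(pan: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed one-way token: same card gives the same token, only with the key."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


class PurchaseIndex:
    """Hypothetical purchase store that never holds the full card number."""

    def __init__(self) -> None:
        self.rows = []

    def record(self, pan: str, receipt_id: str) -> None:
        digits = normalize_pan(pan)
        self.rows.append(
            {"token": card_token(digits), "last4": digits[-4:], "receipt": receipt_id}
        )

    def find_receipts(self, pan: str) -> list:
        """Receipt-less return: customer presents the card, store matches tokens."""
        wanted = card_token(pan)
        return [r["receipt"] for r in self.rows
                if hmac.compare_digest(r["token"], wanted)]
```

The stored rows contain only the token and the last four digits, so a copy of the table without the key does not yield card numbers.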

I can’t speak for all retailers but you can handle disputed charges perfectly well without the card number. Payment processors (like Authorize) maintain lots of information from the transaction, it just obscures part of the credit card number. I can still do a last-4 check, see expiration dates, names, amounts and date/time of charges, etc. It’s very easy to see all the charges from one person (as to help locate things like accidental duplicates). But this level of fraud investigation typically isn’t very fruitful at the retailer end in terms of time and effort. It’s more likely that the credit card company would investigate you, if you’re doing a lot of chargebacks.

The problem is generally not retailers retaining credit card information but that credit card information has to be captured and relayed to another party. That communication can be vulnerable to “listening in”. Barring exceedingly rare and backwards companies, nobody is hacking into a store’s (or even a company’s) computer and getting a file full of unencrypted card numbers. It’s one of the advantages to using a credit card processor – you can get plenty of history but you don’t have the liability for storing sensitive data yourself.

So it seems that we’re learning that most companies do not keep our credit card numbers on file someplace. The numbers and other information are captured at the point of sale. I don’t feel good about having my number filched, but I am glad to see that the numbers aren’t in some file waiting to be hacked, misused, or purloined over and over.