Wednesday, October 03, 2007

Westside in Mumbai stores your credit card numbers..

Hi,

If you are a Mumbai local, I am sure you would have visited Westside - one of the famous retail shops. I happened to bump into their store in Andheri(W) Infinity Mall and to my surprise, when I gave my credit card for swipe, they swiped it twice. :(
- Once on the processing machine and second on his computer.

I asked the fellow, "Why are you swiping my card twice?"

He replies, "Sir, we need to store your card information for tallying it at the end of day."
I was really disturbed by this. They stored my name, card number and expiry date. The only thing remaining was the CCV number. Remember, this is generally a 3 or 4 digit number, usually at the back of the card.

I am surprised that these merchants are allowed to store credit card information. No PCI compliance required ??

I felt like calling up the media - Mumbai Mirror, DNA or Times - and yelling to them: see these guys... what are they up to?? Why the hell are they storing credit card information and, if they need it, why is it not encrypted??

A hacker's mind would surely think of compromising their database holding thousands and thousands of credit card holders' information.

To add to all my fuss that day, they gave me a printed receipt to sign off and that too printed my entire credit card number (none of the digits were masked) and even the expiry date.

I am sure there are many such places in Mumbai where credit card information is stored, and it is highly likely that hackers could get inside them very easily. If the merchants or shop owners do not bother to care about the credit card information, they must be banned from handling these transactions.

I wanted to raise my voice for all the people who actually opt for credit card transactions. Please make sure you shout if you find they are storing your credit card information, or if they are swiping the card twice for their own sake. This is illegal.

Visa / Mastercard and other card issuers must look into this matter asap.

Please send in your comments and let's raise this to get it in the media if possible and spread awareness.

Thanks.

Dharmesh.

14 comments:

  1. I had a similar experience at Crosswords. The next day I rang up my bank informing them about the same. They had no clue about it. They assured me that it was secure. I sent them an email highlighting the same; I am yet to get a reply.

    Apart from this, some of the banks have ATMs positioned in a manner where a person standing outside the ATM room can clearly see the keyboard and see the PIN that has been entered. In case the customer forgets the card and the next person standing outside sees the PIN, the first person will stand to lose a lot.

  2. This comment has been removed by the author.

  3. Dear Raju,

    Your observation at ATMs is absolutely true. I too have noticed that at many ATMs. I am not sure if standards exist for setting up an ATM location.. :(

    I wish banks would take this seriously and improve their services for the common man.

  4. Why is the CVN number printed on the card? If the card is misplaced or stolen, a large number of transactions can be carried out till the card is blocked. A person will realize that the card is missing only when he wants to use it; by then it may be too late. The CVN number should be like the PIN number, sent in a separate mail.
    I hope that the card issuers realize this.

  5. Dear Raju,

    True, the bank card issuers did realize that having the CVN number on the card would be a problem. I think that's one of the reasons that the 'Chip and PIN' concept was introduced. This is a government-backed initiative in the United Kingdom to implement the EMV standard for secure payments.

    Until the introduction of Chip and PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under this system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the account details are verified and a slip for the customer to sign is printed. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the signature matches that on the back of the card to authenticate the transaction.

    This system has proved reasonably effective, but has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, allowing cards to be easily cloned and used without the owner's knowledge.

  6. @Raju:

    I think signature verification on the receipt at POS suffices for the security required. Hence the CVN number may be printed on the card. It should be practiced to check these signatures during sale.

    @Dharmesh:
    Chip & Pin is practiced in Ireland also apart from UK.

  7. Internet Transactions and Kiosk transactions do not have a signature but depend on the CVN number

  8. @Raju:

    Oops....You got a right point..

    Denis

  9. Damn! I am super scared now. I am paranoid of using internet banking and stuff but I am generally careless with my credit card. I haven't ever bothered seeing how many times my card gets swiped. I guess I will have to be more aware now. But how do you manage it at restaurants where they take your card away only to bring it back later? I guess I will have to start going along with the waiter to wherever the card is being swiped...it might look funny...but what the hell, looking funny is a small price to pay for security :) right?

  10. @256shadesofgrey:

    It's true that we might need much more awareness to secure our credit card transactions. The restaurant example you gave is a very real-life and scary one ...

    Thanks.

  11. You would need to memorize the CVN number and tear out the part of the strip that has the CVN number

  12. Dear Raju,

    This is truly a good idea. Security for the end user !!

    One precaution would be not to tamper with the signature part, which is on the same strip as the CVN number. The signature serves as a verification at POS (iff they verify) :)

  13. I have experienced this as well with credit card transactions, especially with lodging. I have gone to hotels that take photocopies of my driver's license and credit card. The important thing to know is that businesses aren't allowed to store that information if the customer does not want them to. So if you notice this happening to you, raise your voice!!

  14. Hi,

    Yes, this is a serious concern where normal users are not at all aware of the risk associated with it. Definitely we should raise our voice. But how? To whom? And which department will be taking care of this?
