Chip and pin mail order
Discussion
Chaps,
We sell supplies to retail outlets, orders are paid for in advance, by card or cheque. Customers must be registered and trained to use our product.
Most of our clients allow us to retain their credit card numbers so that shop assistants can ring in orders. We are being asked for security details when we use the PDQ machine; such as statement post code, last four digits of the card number, expiry date and the security code on the back.
I have been asked to find out the security details for clients cards. We intend to hold these details on file, then on a computer database. For the time being the PDQ machine can be over ridden; all we need is the card number and expiry date. If we do this then we become liable for any fraudulent transactions.
I am being asked to find out this information from clients. I am aghast that some of them are happily giving away their securty codes over the phone. My questions are
1. Is this legal
2. What about data protection
3. Are we liable if someone steals our records and then makes fraudulent transactions.
4. What do the banks and PDQ say we should be doing.
>> Edited by D Stanley on Sunday 19th March 19:57
We sell supplies to retail outlets, orders are paid for in advance, by card or cheque. Customers must be registered and trained to use our product.
Most of our clients allow us to retain their credit card numbers so that shop assistants can ring in orders. We are being asked for security details when we use the PDQ machine; such as statement post code, last four digits of the card number, expiry date and the security code on the back.
I have been asked to find out the security details for clients cards. We intend to hold these details on file, then on a computer database. For the time being the PDQ machine can be over ridden; all we need is the card number and expiry date. If we do this then we become liable for any fraudulent transactions.
I am being asked to find out this information from clients. I am aghast that some of them are happily giving away their securty codes over the phone. My questions are
1. Is this legal
2. What about data protection
3. Are we liable if someone steals our records and then makes fraudulent transactions.
4. What do the banks and PDQ say we should be doing.
>> Edited by D Stanley on Sunday 19th March 19:57
Should not be getting customers to give their PINs out! Chip'n'pin is ONLY for cardholder present transactions...if it's card holder not present, then like you say all you need is the card number and expiry date (and poss. start date/issue number/CSC depending on your setup and the card type). However, this puts the liabiltiy on the retailer (as you've said).
As such, doing CNP transactions should be unaffected by chip'n'pin...and if you're getting a PIN from customers and putting it through as a cardholder present transaction, you do stand to get a fairly substantial b*llocking if your acquirer finds out...
If you have any questions relating to the functionality of your PDQ machine (ie. if it won't let you do CNP transactions) I'd recommend contacting whoever supplied it.
Edited after re-reading original post and noticing the absence of the word "PIN" there to add...
Sounds like you might just have AV2/CSC set up - so you'll need things like postcode, "house" number, last three digits of the card signature. The address details you can get away with storing, as they're hardly "secure" - the card signature is intended to prove that the person making the transaction is the card holder, so you're starting to get on dodgy territory with storing this. I'd be inclined to store everything *except* this, and then when your clients phone up to place orders, make them give the CSC number for the transaction each time...
Rob.
>> Edited by Skoda_Rob on Thursday 9th March 10:34
I have had one customer try to give me their pin number! I have also looked up the Barclaycard Merchant Services website. It says several times that security details should not be held on file. I also phoned them up and asked what we should do. They said that we should keep the security details on file but they must be kept under lock and key. They also declined to put this in writing.
We are thinking about storing the information electronically. A simple database will do with the files stored in a 125bit encrypted folder.
Our problem is that our customers are business owners who are not in their businesses all of the business opening hours. They are used to delegating ordering supplies for us to a junior member of staff. The junior member of staff rings us places the order and we charge the owner's card. Our product is not the sort of thing you order for personal use and is of little value without specialist training and equipment.
We are thinking about storing the information electronically. A simple database will do with the files stored in a 125bit encrypted folder.
Our problem is that our customers are business owners who are not in their businesses all of the business opening hours. They are used to delegating ordering supplies for us to a junior member of staff. The junior member of staff rings us places the order and we charge the owner's card. Our product is not the sort of thing you order for personal use and is of little value without specialist training and equipment.
D Stanley said:
We are thinking about storing the information electronically. A simple database will do with the files stored in a 125bit encrypted folder.
I would also encourage you (if it's possible and you don't already have it in place) to have some way of logging which particular person is accessing the database at which particular time (and what they're looking up if that's possible with the system you're proposing). That way you have some sort of accountability, so that if there was any dodgy dealings from anyone within your place, you would have some sort of audit trail of who looked at various details and when...
D Stanley said:
They are used to delegating ordering supplies for us to a junior member of staff. The junior member of staff rings us places the order and we charge the owner's card.
If the business owner is delegating the purchasing process, then they should be the ones giving the delegate the card details for the purchase - it shouldn't fall to you to store details. Of course, I appreciate there is a difference between "shoulds" and what actually happens, and changing policies like these would be very likely to put peoples' noses out of joint...
Rob.
>> Edited by Skoda_Rob on Monday 13th March 09:56
I wouldn't be keen to have these details stored about me, but I guess if your asking the customers first then its their choice.
I'm surprised that BMS are OK with it. This seems to bypass the whole point of bringing in these extra checks. The liability will almost certaintly be with you and I'd suggest that you look into some kind of insurance to cover it.
The previous posters point about keeping an audit trail is sound advice. I'd add that you've seen how easily peope give up their details. Train your staff so they you are CERTAIN that if Chief Imbokwe from the Nigerian branch of Barclays calls up to confirm details they don't give them out. You will have to check that your listing in the Data Protection Register allows for this kind of storing and usage of data too.
I'm not too knowledgeable on how these card machines work as my experience with this kind of thing is with online payments, but I know that sometimes an internet payment gateway (such as www.protx.com) will give you a transaction number which you can use to rebill the client. Storing this is obviously low risk as it can't be used for anything else. Maybe Barclays have an equivalent? (Though their epdq system is prehistoric so I doubt it)
Your system would be far from the worst out there. I've seen companies who have stored their clients card details in a shocking fashion (folders kept in open offices stuffed with full card details!) and never actually have any problems. However any problem could be hugely damaging to the company.
>> Edited by rpguk on Monday 13th March 11:28
I'm surprised that BMS are OK with it. This seems to bypass the whole point of bringing in these extra checks. The liability will almost certaintly be with you and I'd suggest that you look into some kind of insurance to cover it.
The previous posters point about keeping an audit trail is sound advice. I'd add that you've seen how easily peope give up their details. Train your staff so they you are CERTAIN that if Chief Imbokwe from the Nigerian branch of Barclays calls up to confirm details they don't give them out. You will have to check that your listing in the Data Protection Register allows for this kind of storing and usage of data too.
I'm not too knowledgeable on how these card machines work as my experience with this kind of thing is with online payments, but I know that sometimes an internet payment gateway (such as www.protx.com) will give you a transaction number which you can use to rebill the client. Storing this is obviously low risk as it can't be used for anything else. Maybe Barclays have an equivalent? (Though their epdq system is prehistoric so I doubt it)
Your system would be far from the worst out there. I've seen companies who have stored their clients card details in a shocking fashion (folders kept in open offices stuffed with full card details!) and never actually have any problems. However any problem could be hugely damaging to the company.
>> Edited by rpguk on Monday 13th March 11:28
The companies that we sell to probably think that we are more trustworthy than some of their employees. I do not want to go into details but they want their staff to be able to pick up the phone, order materials crucial to their business and have us take care of all of the details.
I think that an audit trail is a good idea. The PDQ machine sits on a desk in plain sight of two employees. They would both need to be in Cahoots for an unauthorised payment to be made. I think the risk is much more likely to be in theft of the data.
Many thanks for all of your replies, you are all genuinely helping to shape policy in our company.
I think that an audit trail is a good idea. The PDQ machine sits on a desk in plain sight of two employees. They would both need to be in Cahoots for an unauthorised payment to be made. I think the risk is much more likely to be in theft of the data.
Many thanks for all of your replies, you are all genuinely helping to shape policy in our company.
D Stanley said:
I do not want to go into details but they want their staff to be able to pick up the phone, order materials crucial to their business and have us take care of all of the details.
I would have thought this would be better suited to having a "credit account" for each customer, and then invoicing them monthly/after each purchase? Although this does set you up for the hassle of chasing invoices and the like (which won't be popular with your managers!), it will save you any risk of improper use of card details - all it would take would be one disgruntled customer to claim they didn't order something and report it as credit card fraud, and chances are you will have a visit from the BiB...if they then find you are storing card details and making each transaction without the card holder's consent it could land your company in hot water.
Do you have any formal agreement with your clients about the storage of credit card information? It might be an idea to have some kind of letter with specific details about what is being stored and why, so that at least customers cannot claim to be ignorant of this. If they have to sign something to confirm that they are happy for their card to act as the purchasing account (and as such any transactions which you have good reason to believe are requested by their employees will be made), then you would at least evidence that you aren't taking payments without the customer's consent.
It would also have the added bonus that any customers who are likely to be awkward in the future will probably complain at the point of signing the letter (and you can then make alternative payment arrangements), and everyone else who is happy with the status quo will just sign and there won't be any problems...it's not watertight by any means though!
You might also have to address the issue of the Data Protection Act - it's pretty straightforward really, it's just 7 or so simple points. The two main areas I suspect would be retention of data (if you don't need the details - ex-customer, etc. then delete them), and that customers have a right to know what information is stored (but you are allowed to charge them an admin fee for telling them this!).
Rob.
The "customer not present" option is not being withdrawn, but if you do not provide the security information with a "customer not present" transaction then you run the risk of having the payment clawed back if there is any claim of fraud. My senior colleagues do not want to have this happen, they are not keen on taking risks.
We have sent letters to all of our customers stating our intentions and inviting them to provide the necessary details in writing on a form with a signature at the bottom. We got about a 10% reply.
A small team of us have been trying to contact the rest by phone for several weeks now. We might be approaching a 30% response. They can contact us prety quickly when they need our product but they are very slippery when we need to get hold of them.
You can see why we do not operate credit accounts, only 10% of our invioces would be paid!
Our business will probably remain cash up front.
We have sent letters to all of our customers stating our intentions and inviting them to provide the necessary details in writing on a form with a signature at the bottom. We got about a 10% reply.
A small team of us have been trying to contact the rest by phone for several weeks now. We might be approaching a 30% response. They can contact us prety quickly when they need our product but they are very slippery when we need to get hold of them.
You can see why we do not operate credit accounts, only 10% of our invioces would be paid!
Our business will probably remain cash up front.
Gassing Station | Business | Top of Page | What's New | My Stuff