
Groupon - HK - saving credit card data on website / server

  1. #11

    Join Date
    Mar 2011
    Posts
    923

    Another option if you want to feel like you have some control is to get a card with a very low limit and only use it for online transactions.


  2. #12

    Ok, just to clarify some things. It is possible that Groupon will save the full credit card number, even though they obfuscate it when showing it to you (showing only a few numbers plus lotsa *).
    They might even save the valid date.
    But what they won't save, or they will be in a lot of legal trouble in the USA and other countries, is the cv2 security number at the back of a credit card.

    And without that security number, a hacker can't do much with a credit card number. They certainly can't order things. Only when they create a card of their own and do some shopping in person can they use it.

    You should worry more when you give your card to the waiter in a restaurant to pay a bill. Your whole card can be copied during that time. Heck, the waiter might as well take 2 pics of the card.
    Why'd you be so easy to hand over your card in a restaurant to a stranger, but not online? Even though you're safer online...


  3. #13

    Join Date
    Apr 2008
    Posts
    2,879
    ********890
    Displaying the credit card number, even with **** 1234, means they stored it on their server. Normally along with expiry date, name, card holder address etc, and often with some GeoLocation data.

    And without that security number, a hacker can't do much with a creditcard number. They certainly can't order things.
    CVV2 should not be stored, you'd be surprised how many still do. They need to capture this information and pass it on to the card processor, so storing it often temporarily and then not removing it is widespread. Nobody gets in trouble, because nobody knows (how would they?). Also, you'd be surprised how many places on the internet still work without giving a CVV2 code or without even asking for one (it's not mandatory). How could a merchant charge your card when he ships the order (instead of when you place the order) if he doesn't store your code? How can they use your CC for subscription payments? What was a great idea on paper in the 90s is not always working well in real life...

    I doubt it's saved on the website. It's more likely it got saved on your computer and auto-populated when you went back to the website.
    Card numbers are usually not stored in your browser, unless you enable a feature to do that at one point in time. And in this case, your browser will simply fill in an input form field for you, it will not immediately pass the CC info to the web site.

    One additional thing you can do is contact your card issuing bank to enable "Verified by Visa" or "MasterCard SecureCode" (it can often be done online), which is an additional layer of security. It will show the merchant that you are real in most cases, and show you that you are really on the bank's web server (codes are entered on the bank server, not the merchant web site).

    Verified by Visa FAQ & Credit Card Security | Personal | Visa USA
    Support Securecode FAQs | MasterCard

    When VBV or MSSC came out many years ago and we rolled it out, we thought the days of getting defrauded over the internet were over - but a few months later the usual suspects started placing plenty of orders with VBV or MS verified status. Nothing is bulletproof, not for the card holder and not for the merchant.

  4. #14
    Quote Originally Posted by 100LL:
    CVV2 should not be stored, you'd be surprised how many still do. They need to capture this information and pass it on to the card processor, so storing it often temporarily and then not removing it is widespread. Nobody gets in trouble, because nobody knows (how would they?).
    I don't know the laws in every country, but in the USA there can be checks and it's a felony to actually save the CVV2.
    Companies can save it, sure. But if their server got hacked and the combo gets out and used by hackers, the company is going to get a lot of hurt.



    Also, you'd be surprised how many places on the internet still work without giving a CVV2 code or without even asking for one (it's not mandatory). How could a merchant charge your card when he ships the order (instead of when you place the order) if he doesn't store your code? How can they use your CC for subscription payments? What was a great idea on paper in the 90s is not always working well in real life...
    The CVV2 code is only used once to verify the card (and to authorize the payment and thus the merchant). If one transaction is successful, subsequent transactions are authorized based on the merchant ID and credit card number.

    It's like the CC-company says: "hey, you paid that dude once, must be trustworthy. No need to ask you for other transactions". And heck, you as a customer have got your back covered anyway. Just keep an eye on your monthly statements.

    Card numbers are usually not stored in your browser, unless you enable a feature to do that at one point in time. And in this case, your browser will simply fill in an input form field for you, it will not immediately pass the CC info to the web site.
    Yeah, I know... I programmed and implemented online payments for several companies before...

  5. #15

    Join Date
    Apr 2008
    Posts
    2,879
    Quote Originally Posted by spammerhamster:
    I don't know the laws in every country, but in the USA there can be checks and it's a felony to actually save the CVV2.
    Felony and checks, huh? This is not the AA who ask you to open your fridge and socks drawer to check if you hide beer and rum... and the security audits banks do for larger merchants are a joke.

    And for using CVV2 only during pre-auth, that would be wonderful but many merchants (i.e. Amazon) don't pre-auth at all or not for all orders (i.e. pre-orders for items to be released at some point in the future). As said, there is nothing bulletproof. But you know all that...
    Last edited by 100LL; 09-05-2011 at 05:18 PM. Reason: added quote

  6. #16
    Quote Originally Posted by 100LL:
    Felony and checks, huh? This is not the AA who ask you to open your fridge and socks drawer to check if you hide beer and rum... and the security audits banks do for larger merchants are a joke.

    And for using CVV2 only during pre-auth, that would be wonderful but many merchants (i.e. Amazon) don't pre-auth at all or not for all orders (i.e. pre-orders for items to be released at some point in the future). As said, there is nothing bulletproof. But you know all that...
    Sure, but the point is, the risk for the merchant is much larger than for the customer.
    So as a customer, being concerned about the possibility that a merchant saves the CC-data is useless.

    In terms of risk: IT-company who made the site > merchant > credit card company > customer.

    Sure. The chance that a merchant is being audited is almost non-existent. But that chance is larger than that a customer would be affected negatively due to his data being stolen...

    Now if you're talking about PayPal, then it's a completely different matter.