The Framers Forum

I had a big shock today when I placed an order by phone with a well known tools company who told me that they no longer need to ask for my debit card number, because it is saved on their computer system and all they need is my three digit security number to complete the transaction. I use this company on a regular basis and probably can't find another company which stocks all the things which I need to get from them.

I can remember that TK Max was also keeping customers card numbers on their computer system and someone hacked into their system stealing customers card numbers and TK Max had to warn these customers, resulting in some very bad publicity for TK Max. With this in mind, I am very concerned about this and will be waiting outside my bank when they open tomorrow morning to get my debit card cancelled and a new one issued with a different number.

So what on earth is the point in them doing this? In future, I will have no chioce, but to send them a cheque in the post and pay for a postage stamp and envelope, or else find another supplier. I really can't believe that this can be happening, or that companies are even allowed to do this? Sadly, I think I now need to ask all my other suppliers if they are doing this too!

I hate to think how many companies hold card details of mine - from Amazon, Tesco, insurance companies for automatic renewals and even Parentpay to put money on our boys accounts to pay for school dinners and trips. The list goes on and on. Some need the 3 digit security number to authorise payment, others don't. The company holding the information is legally obliged to store it safely and securely and it is their cost if there is a problem and your data gets lost and fraudulently used. They would have your details for each transaction stored anyway for their record purposes so it's not much different from that. I doubt the operator could see the whole number, they probably only see the last four digits of the long number to be able to identify the card, I expect the rest is encrypted.

If you are that worried about it then it might be worth getting a credit card to use rather than a debit card (you can earn points or whatever on those too which is another bonus) but using a credit card does give you other legal protection against fraud over and above those on debit cards.

I certainly don't think you need to cancel the card, as I said they would have your information from the other transactions you'd done with them anyway, even if they agree to not automatically call it up for future transactions. This really is quite a normal thing to have this sort of information stored these days. But if you aren't happy with it then ask them if they can sort it for you.

It concerns me that it is not difficult to clone a credit or debit card if you can get the customers details and card number. All valid card numbers are based upon a mathamatical construction known as Modulo 10, which makes it possible to reconstruct the data stored in the chip on the card and program a card to appear to be a valid card.

It then only requires an undetected virus on the companies computer system to steal the three digit security number during an actual transaction. One of the most difficult viruses to detect is called a rootkit and these viruses are usually almost impossible to detect by normal anti-virus programs. The normal way to detect these is by looking for particular behaviour patterns. Finding and removing the virus can be even more difficult.

One of the things which I object to is the fact that the company does not consider that I ought to have the chance to decline to have my card details stored on their system for future transaction and instead choose to tell me nothing about this. My home telephone provider offered me the opportunity to store my card details on their system for my convenience and I was able to decline this, but this other company in question just did it and said nothing.

Keeping your card data comes under PCI and data protection rules. I would ask them if they conform to both and if they don't to please remove your card details. They risk a massive fine if they allow your card details to be accessed by a third party.

I've ordered a new card and the old one has been cancelled.

Personally it doesn't bother me. I use one supplier regularly that I have to keep giving them my full card number every month and I keep asking when they will store the information.
My card details are on databases all over the world with Amazon, eBay, Google, AA, Privelege, O2, to name just a few.
If one of them gets hacked it will not be my fault and I will not be held responsible, so the only issue will be the hassle of getting a new card and updating details, but I'm willing to take the chance so that I don't have to re-enter card details every time I want to make a purchase or settle a bill.