Hotels Lead the Industry In Credit Card Theft
katarn writes "A study released this year found that, of the credit card hacking cases last year, 38 percent involved the hotel industry. At hotels with inadequate data security, the greatest amount of credit card information can be obtained using the simplest methods. It doesn't require brilliance on the part of the hacker. Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to store or transmit this kind of data properly, and that starts with the point-of-sale credit card swiping systems."
Wait...what? (Score:1, Redundant)
Hotels lead the industry in credit card theft.
Wait...which industry? The hotel industry? So hotels lead the hotel industry in credit card theft?
Redundant statement is redundant. Or poorly worded. Or just plain stupid.
Re:Wait...what? (Score:5, Funny)
And nose snorts. Don't forget about the nose snorts.
Re: (Score:2)
Re: (Score:2)
Brother, you don't even want to KNOW what body parts my fiancee can use to make snorting sounds...
Re: (Score:2)
I do now.
Re: (Score:2)
>>>>>Pedantry. One of the disadvantages of living with a nerd.
Where I come from, we call them anal-retentive bastards. Or grandpas. Same difference.
.
>>>Wait...which industry? The hotel industry?
"Hotels lead the [credit] industry in credit card theft." There. Fixed that for you. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=14s [youtube.com]
I was a victim of this. I stayed in a Motel 6 in Oregon. About two months later
Re: (Score:3, Insightful)
I could be wrong, but if I were walking into a Walmart with a rigged-up card, I think I'd want a fresh number, something from the previous 48 hours, maybe. Sixty days seems like an awfully long time in hot-CC-number-years. If nothing else, it shows tremendous restraint on the part of a small-time criminal, most of whom can't seem to wait sixty minutes before they spend the money (unless, of course, her name badge read, "D. B. Cooper.")
I read the article (Score:5, Informative)
Re:I read the article (Score:4, Insightful)
That is an inversion of purposes, between the headline and the article.
The Slashdot editors have dug down past simpleton level grammar and emerged not at the bottom of the scale, but somehow at the top, and turned the industry on its ear.
Which industry? I have no idea.
Re: (Score:2)
>>>Wait...which industry? The hotel industry?
"Hotels lead the [credit] industry in credit card theft." Fixed it. Are you happy now? Here let the gorgeous Michelle Branch sing you the song: http://www.youtube.com/watch?v=d1vjRu3WUEE#t=13s [youtube.com]
I think I was a victim of this a few years ago. I had driven to Oregon for a vacation where I stayed in a Motel 6. About two months later some guy in California spent $3500 at Walmart on my Discover credit account. Of course I didn't have to pay, since my sig
Re: (Score:2)
This just happened to us on a trip to Colorado. We stayed at a Super 8 and a Motel 6 while there, and at a Super 8 in Omaha. About a week after we got back we got 4 charges on our card that appeared to originate in Mexico. 2 of them were blocked by fraud detection of the card issuer, and 2 made it through. As it was a debit card, we were liable for $50 of the $600 in charges that made it through. Card was canceled and a new one issued. We are also going to use a credit card instead, so the card company in o
Re: (Score:2)
>>>As it was a debit card, we were liable for $50 of the $600
Why oh why do people continue using debit cards? If you had used a credit card, you would have been liable for *nothing*. And even if the Visa/Mastercard company tried to collect, you don't have to pay the bill. The money would be sucked from their account, not yours.
>>>We are also going to use a credit card instead
Good.
Re: (Score:2)
>>>"This video contains content from WMG, who has blocked it in your country on copyright grounds. "
>>>LOL sad
Yep. This link might work, although you won't get to see her sexy asian-european-american body :-( http://s0.ilike.com/play#Michelle+Branch:Are+You+Happy+Now:28704:s526903.8517444.2883784.0.2.20%2Cstd_b74cb0d1d0f64605a4ed1cfaaef4553a [ilike.com]
Re: (Score:1, Offtopic)
Redundant statement is redundant. Or poorly worded. Or just plain stupid.
Like the guy who moderated your post "redundant". Why are people with two digit IQs allowed at a nerd site, anyway?
Re: (Score:2)
Because they would sue for discrimination otherwise. One has to wonder if they crash Mensa parties...
Re: (Score:1)
People with too much time on their hands (Score:5, Insightful)
What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.
they can also clone your card to a room key as wel (Score:3, Interesting)
They can also clone your card to a room key as well if they want to. I don't think they do that by default any more.
Re:they can also clone your card to a room key as (Score:5, Informative)
Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...
Re: (Score:3, Informative)
Most room keys do not offer a mag-stripe that is capable of holding all 3 tracks of CC data properly...
They don't need to create new, valid-looking cards on-site. Besides, all the fun stuff is replicated in tracks 1 and 2.
The room-key card system could provide a means of swiping (hah!) customer credit cards that doesn't require the same level of auditing that the actual payment systems should have. That could give them an easy way to grab the data for later.
Re: (Score:2)
That said, I did read once that police were puzzled at one point when some people arrested were carrying large numbers of assorted gift cards for various retailers. It turns out that not only are they useful for laundering money, but many were over-written with stolen CC data.
Re: (Score:2)
On television they showed how waitresses, clerks, and other staff snake-in a machine (looks like a cellphone) and swipe the card directly through it. They can compile about 100 numbers per day and then produce fake cards in their home basement. ----- I was a victim of this. I stayed in a Motel 6. About two months later some guy in California spent $3500. Seems obvious the girl behind the desk swiped the number off my card.
>>>Wait...which industry? The hotel industry?
"Hotels lead the [credit] in
Re: (Score:2, Insightful)
Re: (Score:1)
Re:People with too much time on their hands (Score:5, Informative)
We have been vacationing on Hilton Head Island for over 20 years. Back in the late 1980s/early 1990s we were ripped off in a hotel employee scam. My mother would always pay in cash. Four crisp 100 dollar bills were laid on the counter and slid across to the staffer behind for our week long stay in paradise (we always found it hilarious that it was 1/6th as expensive as a shitty two bed hotel room on the Jersey shore). This year, however, the clerk requested that we put down a credit card to cover any damages which may occur during our stay. My mother, not one for hucksters, agreed reluctantly only because a young boy of no more than 10 or 11 was whining in the backseat of the minivan about how he had to pee.
After another excellent vacation we arrived home and a letter came in the mail with our receipt of a credit card charge in the amount of $400. My mother, knowing this had to be a mistake as she had a similar receipt for $400 in cash, called and explained the situation and expected it to be cleared up--after all we always paid with cash and never had problems before. After accusations of lying and trying to scam the resort out of money it was later determined that 7 or 8 other families met similar fates.
One of the employees was pocketing the cash and charging the credit cards. We were later begged to stay, free of charge, the next summer. My parents ignored the request and we spent the next few years in a far less cozy location on the other side of the island.
So yeah, some employees truly do suck--always have and always will.
Re:People with too much time on their hands (Score:4, Insightful)
So yeah, some employees truly do suck--always have and always will.
And should not be trusted with consumer financial data, which is a management error that is totally avoidable.
Re: (Score:2)
Re: (Score:3, Insightful)
Just because the hotel needs a credit card from me doesn't mean the guy behind reception needs to see the data. Simply put a swipe machine on the customer side of the desk, and don't show anything other than "OK"/"NOT OK" to the employee. If Best Buy can manage it anyone can :)
Re:People with too much time on their hands (Score:4, Interesting)
That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes; after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.
Re: (Score:3, Insightful)
Cash may be outdated, but it's really hard for someone to duplicate your cash and make it disappear from your pocket. Credit cards on the other hand, are trivial to duplicate, and if you know the mark is traveling, it's easy to get away with charges for days before they find out there is any fraudulent activity.
Cash is hard to lose, if you maintain proper control over it. If you aren't advertising that you carry large amounts of cash, random people won't know you have it. The
Re: (Score:2)
But the amount of the loss is 100% vs 0%. I simply don't understand carrying anything other than trivial amounts of cash - why take the (small, but non-zero) risk of loss? Why deal with the inconvenience of running out at an inopportune moment? Sure I'm trading away some degree of privacy, and if that's an issue for you then fine. It's not for me.
Re: (Score:2)
I've found cash works a lot better for gray market purchases too. :)
Re: (Score:2)
That's why I always pay by credit card from a reputable bank. You just dispute the payment and they cancel it for you. Some vendors have disputed my disputes; after a quick call they have always refunded bad charges. Cash is so outdated and easy to lose.
Define reputable bank. When the idiot Lypozene scam kept charging my card, after I'd notified them to stop (in writing even), the cc company did "investigate" and reversed the charges - then added back the charges, even though I cited the fraud charges against them, simply because they claimed the Lypozene people claimed their website said what they were doing was ok.
The bank was Chase, btw.
Re: (Score:2)
I've heard similar stories from Chase so they might not be as good with it. PNC Bank also seems hesitant sometimes (will wait for the vendor to explain) but in the end always delivers. I have very good experiences with BoA (world platinum cards - immediately taking charges off the account, not charging interest while investigating), HSBC (commercial accounts) and local credit unions.
Re: (Score:2)
I keep a low-credit limit card from a large bank just for this purpose. I make various online purchases with it and use it for proof of solvency for reserving a room at a hotel or such, but never make a purchase over about $50 with it. It's very, very easy to spot any fraud on the bill at the end of the month, and very easy to call and explain and have the charges removed. As a Canadian I can heartily recommend both Canadian Tire Credit and the Bank of Montreal Mastercards for being very quick and easy goi
Re: (Score:2)
Let's be fair. You take people, pay them minimum wage, a wage that provides for no future with the claim that they deserve it for not trying hard enough whilst simultaneously claiming that they must fawn and bend over backwards to serve the slightest whim of whiny pretentious customers, that sort of psychological stress will result in poor behaviour.
It would be interesting to see if this tendency is global or whether its frequency closely aligns with the paltriness of the salary and the attitude of cus
Re: (Score:2)
Your mother called who? The hotel, or the credit card company? You'll almost always have better results (and fewer accusations of lying) with the lat
Re: (Score:2)
Re:People with too much time on their hands (Score:5, Interesting)
Here's the scary thing, plenty of people made it extra, extra easy for an employee to steal. We had this ridiculous backup process that had to be run nightly which would make our computers inoperable for about 90 minutes. If someone with a reservation came to check in I could do so, but any walk-ins would have to wait. Around 2-3 times a month people would come in so exhausted from driving all day that they'd just hand me their credit card and say "I'll pick it up in the morning, just give me a room key". I think that since it was an upscale Marriott people just assumed everything was safe.
Re: (Score:1)
Anyway, if you went apeshit, they could dispute the charges as fraud. It's kind of a pain in the ass (faxed signed affidavit) but if you have a decent bank, they'll stand behind you.
Comment removed (Score:5, Interesting)
Re: (Score:1)
I now use my personal credit card and enjoy the loyalty bonuses as a result
My company also forces us to use a corporate Amex card for all business-related expenses ... and I am happy to do so because the Amex rewards program is actually way better than any of the other loyalty programs I've come across. The rewards points accrue to me, personally, rather than my company, and the rewards/expenditure ratio is really nice.
Re: (Score:2)
So, you're able to hand in expenses using your personal card? (which contradicts the part about your company insisting on a corporate AMEX) Or you just don't get reimbursed?
At my old company, your choices were comply with the requirements, don't get reimbursed, or leave the company (voluntarily or not). With dozens of thousands of people, they just didn't care about your personal feelings on third party vendors.
Re: (Score:2)
It was kind of crazy how often my GM would have to fight these dispute charges. People would get enraged that their breakfast wasn't gluten free or that the tv in the room wasn't big enough and then have their
Re: (Score:2)
There might be problems with using a personal CC in the near future. I believe you will be required to give every vendor a 1099 for business purchases over $600/yr. The record keeping will be a lot of trouble. I'm sure it's only the first step to a VAT.
Re: (Score:1)
Re: (Score:2)
What was not mentioned in the article is that some of this may be caused by the hotel staff. The folks who work the night shift are frequently underpaid and have a bunch of spare time to browse through the credit card numbers and transactions of the folks who have checked in that evening.
New York has enacted legislation to help prevent some of this type of fraud, by making it illegal to print whole CC numbers on receipts or to store them in the terminal (meaning immediate processing, with batches being done by transaction number IDs and not the CC number).
Problem is, I have STILL walked into places where the whole CC number and exp date are printed - even though it's in violation of the law. Makes it pretty easy to print out a list of the day's cc receipts, whole credit card numbers and e
Re: (Score:2)
There are in fact Federal laws about that - look here: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.shtm [ftc.gov] - but even if there weren't, there are many state laws, and there are network rules about it too, which you clearly know.
A merchant cannot show more than the last 5 digits of the card number or the expiration date on the receipt.
If you encounter a merchant in violation you can complain to the FTC.
I made a bunch of changes to a POS system 7 to 8 years ago to start accepting credit cards. Our dat
Re: (Score:1)
Re: (Score:2)
I travel a lot, and frequently grit my teeth when I call a hotel I've stayed at before and confirm only my name before they ask if I'd like to use the same card I used before, then reserve the room for me on the stored card info.
Re: (Score:2)
Not surprising... (Score:5, Informative)
I recently had a hotel leave one of those quick check-out forms partially slid under my door. The problem was that it had my credit card information printed on it. It would have been quite easy to walk down the hall and grab a dozen names, credit card numbers and expiration dates. On top of that, who knows what happens to the forms once you sign them as I highly doubt they go through a shredder.
Re: (Score:2)
I highly doubt they go through a shredder.
Paranoid as I tend to be, I would hope most of them would. Dumpster diving at a hotel would seem like an otherwise excellent way to dig up some fraud otherwise. If not just for the hotel staff then for the patrons. Makes one wonder just how much sensitive information gets casually tossed in the hotel room trash can by the average guest? I can't say that I've EVER seen a shredder next to the bible and alarm clock before.
Re: (Score:2)
While a horrible practice, this is why the security code is printed on the back of the card and not included in normal credit card number print-outs.
The security code should be required for any payment, but is never displayed for security reasons.
Re: (Score:2)
Technology is supposed to solve problems, but often creates problems. Back before computers and the internet when a CC transaction involved simply a pre-printed form with carbon paper and the card's embossed name/number, these security problems were very rare. But technology isn't the problem here, it's merchants who treat the new technology like it was identical to the old technology, and governments who fail to keep regulation up to date being aware of how new technology can create new problems. Merchants
Re: (Score:1)
carbon paper and the card's embossed name/number, these security problems were very rare
Rare, but not unheard of.
I know of somebody who had a fraudulent transaction applied against their credit card, and after investigating the police determined that some fraudster must have gone dumpster diving for discarded carbon slips, and copied the information/signature from there.
Re: (Score:2)
And some here will no doubt remember when those carbon forms went from having a single piece of carbon paper to a piece that was perforated half-way through where the card number would hit. Half the carbon would go in the garbage, the other half stayed with the merchant copy if I remember correctly.
Re: (Score:2)
Merchants are lax with security because there's no reason not to be.
Not exactly the case... a merchant found to be in breach of their PCI standards (which you agree to when you set up a gateway account) can have their charge privileges suspended or denied. And a hotel who couldn't process Visa/MC/Amex/Disc cards wouldn't last very long at all. You can argue that there should be more spot-checks, but PCI auditing is already a very expensive process, especially for smaller companies (you can easily spend $50K+ on an audit at PCI level one).
Re: (Score:2)
All of this because banks REFUSE to implement simple and effective security procedures using smart cards even though the technology to do so has been easily available for decades now.
Re: (Score:2)
They have no incentive to do so. If they had to pay through the nose for data breaches, you can bet that they would implement those technologies.
Re: (Score:2)
I'm sure they would. But that means it's not a failure of technology, it's a failure of businessmen to do the right thing.
As you say, as long as they are allowed to externalize the costs of their repeated failures, they will continue.
Re: (Score:1)
Re: (Score:3, Funny)
They don't. I'll name names.
I was at the Doubletree in Crystal City, VA (just outside DC). I used the "Print from your room" facility.
My printout was on the BACK of printouts that included names, addresses, and phone numbers (no CC's though). I told the front desk that they might want to look into their paper recycling policy...
Re: (Score:2)
Re: (Score:1)
Care to enlighten me?
It doesn't seem very logical to get stuff shipped to your house that you bought with a stolen credit card. I mean, chances are that you'll have police knocking at your door before the package even arrives.
Re: (Score:2)
Why do merchants need to retain CC info? (Score:5, Insightful)
Obviously, at the time of transaction, the CC info is needed to make the transaction, but why do they retain the info after that? Don't the credit card networks issue a transaction ID for every transaction? If, after a transaction, the hotel needs to do something like refund part or all of the charge (e.g. returning a deposit), it would seem like they should be able to do that with just the transaction ID. Is there something I'm missing?
This, it seems to me, applies to almost every merchant - retail, dining, entertainment, services, hotels, whatever. Why do they need to retain the info?
If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants. A hacker can't steal what isn't there (although, a hacker could still potentially capture the CC info in real-time at the moment of the transaction, but at least you've reduced stored-data attacks).
Re: (Score:1, Interesting)
I think with hotels the issue is less of a refund than it is an extra charge. Let's say someone checks out at 10am and leaves town. The cleaning staff get to the room at 11:30 to find that anything not nailed down was taken (carried out a side door at 2am) and the room completely trashed. Hotels keep those numbers to protect themselves without putting a reserve of $1,000 on your card for a one-night stay in a two-star hotel.
I can't think of any reason for other merchants to keep your data beyond the poin
Re: (Score:2)
Re: (Score:2)
With a decent gateway you don't even have to do that. You take your gateway credentials and the credit card information, and use them to create a unique storable key. The only thing you can do with that key is to move money between that one particular CC and your gateway account (refund, add'l charge, etc). Technically someone could steal it and either issue refunds or make additional charges, but they generally wouldn't because there's no incentive for them to do so. Far safer (and more PCI compliant)
Re: (Score:2)
Hotels might have a valid reason. Other merchants do not. They can refund charges without having the number. This is another case where I think we have to resort to legislation making it illegal to retain credit card numbers. It's stupid though on so many levels though.
1. The merchant shouldn't retain the credit card number (it is in their own best interest NOT to, since they are liable for the resulting fraud).
2. The credit card company shouldn't let the store retain the credit card information (fraud
Re: (Score:2)
It's my understanding that the CC companies are moving towards what you are talking about (store transaction tokens, not CC details). But the CC companies are very reluctant to really push all the merchants to upgrade their systems.
The merchants, of course, don't want to spend any money updating their systems. And the CC companies can't afford to simply cut off large numbers of merchants that won't upgrade or comply to guidelines.
Re: (Score:3, Insightful)
If the end-user is not responsible, and this all becomes the responsibility of the credit card networks and banks, then I suppose I don't care too much, but if this can end up adversely affecting the credit reports of the victims, then I think the credit card industry needs some reform, beginning with mandates that info not be retained by merchants.
They used to call it Fraud and it was the bank's problem. Now they call it Identity Theft and it's your problem.
Re: (Score:2)
The fact that VISA/Mastercard/etc (or by proxy, most payment processors) provide no way to do that.
When the customer inquires about a charge, they don't/can't/won't have a transaction identifier. There is no transaction identifier issued
...and outright fraud (Score:5, Interesting)
I recently stayed at a cheap chain motel while traveling for a softball tournament. They had a sign posted (in the disused lavatory, etc.) along the lines of:
Theft is a problem. We have a safe in your room. If you use it and someone steals your stuff, we'll insure you up to $10,000. For your convenience, a $1.50 charge will be added to your bill for the rental of the safe. If you don't want to pay the charge, let us know and we'll remove it.
(Part in bold is as verbatim as my memory allows.)
When I checked out the next morning, I asked the clerk to remove the $1.50 fee. She kind of huffed, spent the next 5 minutes messing around with the computer, then gave me a receipt for the correct amount that I expected to pay. Two days later, I noticed that my online statement was off $1.50+tax. Sure enough, they'd charged me anyway. When I called them to say that I wanted it fixed - yes, I am that stubborn and nitpicky - they assured me that this never happens and they were so sorry.
As cheap as the motel was, that was an extra 3% or so in automatic free revenue. If they're operating at a 10% profit margin, that's about a 66% increase in actual profit. How many times do people look that closely at their credit card bills? I'd be willing to bet that 99 times out of 100, people see that the charge was correct to the nearest $10 and don't check it to the penny, or they figure it's not worthwhile and don't follow up on it.
Re:...and outright fraud (Score:4, Interesting)
Re: (Score:2)
The desk clerk had corrected the charge and finished my bill and now was just concerned with getting rid of me so he finally said, "Sometimes, sir, hotels just try to rip you off". I had no response.
I worked the night shift at a reasonably nice motel when I was in college so that I could study during all the down-time. Although the management had their own set of annoyances like overcharging for every little thing, they were scrupulously honest. For example, the phones had the ridiculous rates printed on the face around the buttons so you could easily see the prices, and part of my night audit job was to compare the phone system's logs with the room charges. If I found that we'd accidentally overcharge
Re: (Score:2)
I used KMyMoney for quite a while before going with a checkbook program on my iPod. It's always with me and I've gotten in the habit of entering transactions as I'm standing at a store checkout and waiting for my transaction to be approved.
PS: Why, oh why, can't someone write an iPhone checkbook app that understands the conception of reconciliation as a batch transaction?
Thank you (Score:3, Insightful)
Re: (Score:1)
Does using your email name for spam qualify?
--
I was cold called by someone offering "indemnity theft."
wonder if it includes the social engineering side (Score:5, Interesting)
Hackers often target hotel PBX systems to call rooms and "confirm" credit cards with people staying there. It's one of those big issues you never hear about until someone is caught, and it's easily done since 99% of the hotel rooms don't offer any caller-id functionality. So if you get a call while in a room to confirm your credit card, just ask to go downstairs and confirm at desk.
My college advisor told us about this years ago (Score:2)
Although it was about traveling outside the country.
He was teaching the Networking course, and during a brief section on security and encryption he mentioned how he had recently been traveling (he wouldn't say where, but he was born in India) and stayed at a five-star hotel while he was out of the country. He then pointed out how he had requested a new/temporary credit card from his bank for the trip, which he only used to pay for the hotel, and he canceled the card as soon as he was back in the US.
By the
Wardriving (Score:4, Interesting)
I remember years ago I drove around a little with my laptop on the passenger seat recording the SSIDs I'd passed. Always fun to see how people name things. One that stood out was a Pik N Save or something... they strangely had a Wifi setup but the name was.
PIKSAVPOS
Yeah, their Point of Sales network was unencrypted and accessible throughout the huge parking lot and onto the main road.
Nice.
Perhaps the hotels used the same contractor. Very cheap and fast setup, works great.
Re: (Score:2)
Re: (Score:2)
That's true but anyone could sit in the parking lot and record everything going over that wire for months. Or hide a little sniffer box under a bush somewhere and record all year long. It was probably around 2000 that this happened so I'm gonna guess they weren't using RC4 or anything like that. Eventually you could brute force it with so many samples.
Shoot in those days I opened up my laptop at work, it automatically joined the open wireless there and my boss screamed that I'd "Hacked" into the network.
Re: (Score:2)
Re: (Score:2)
Wait, you had your laptop configured to automatically join any available open wireless network? And you are worrying about other people's security practices?
Re: (Score:2)
I don't have any services on, and that was 10 years ago.
Re:Wardriving (Score:4, Interesting)
Now with smartphones people aren't quite so retarded.
Ummm... We found one of the office girls plugged in her little Apple Air-Port Express to the LAN under her desk, so she could use the WLAN on her iPhone at her desk.
When she was confronted, she couldn't comprehend why it was a bad thing she was doing.
Fortunately the policy (which we thoughtfully presented her with a paper copy of) clearly states that allowing strangers onto the company LAN can be a firing offense.
That she understood (if not why)
No punishment for the crooks anyhow? (Score:2)
Re: (Score:2)
Re: (Score:2)
Come on. That's totally pathetic.
To try and make a point about people evaluating the cost of particular actions(like prosecuting credit card fraud) and occasionally choosing an option which is cheaper for them but worse for everyone else, which is bad, and then try to compare it to companies being realistic about their ability to deliver. Then you throw in a dig towards the US.
You can't ever guarantee 100% of anything. No matter how many people you employ in your call center there's always a call rate which
Re: (Score:2)
I worked night audit... (Score:1)
The night auditors would go through the thousand or so CC slips, and using CC software on a PC, pull up the authorization by CC Number and enter the final amount.
Anyway... long story longer
My experience in Geneva . . . (Score:2)
I had a business trip there about 15 years ago. About a year later, I got a snail mail birthday card greeting from the hotel. I thought that it was kind of cute, and mentioned it to another colleague who often traveled to Geneva at that time. He is a security weenie, and told me:
Just think what will happen when the hotel retires their PC, and gives it to a child of one of the employees, without scrubbing the disk.
There goes your name, credit card number, and birthday info . . .
Analog or digital? (Score:2)
There are two ways to steal credit card numbers: getting them from a computer system of some kind (up to and including things like putting a stripe reader on the front of an ATM) and the old-fashioned way of a clerk or waiter or whoever just looking at a card and copying the numbers. Does anyone know of any data showing which is more common?
This is what PA-DSS is about (Score:2)
We'll be working on a build of our open source POS designed for hospitality starting in October and ready for release early next year. We've gone through the PA-DSS audit process and frankly, with today's payment systems, if your POS system is storing any card holder data, you're doing it wrong. We offload that data to the CC processor and only store either a transaction ID that can be referenced later or a token of that card, not the card data itself.
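The storage rule in the comment above (keep a transaction ID or token, never the card data), sketched as an added example that is not part of the original comment or the commenter's POS, together with an audit pass that flags any stored field still holding a Luhn-valid card number. The processor response fields (`transaction_id`, `token`, `approved`) and all function names are assumptions, and the sample data is constructed.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data. 4111111111111111 is a widely published test number,
# not a real account; the processor response field names are assumptions.
SAMPLE_SWIPE = {"pan": "4111111111111111", "expiry": "12/27", "name": "TEST/GUEST"}
SAMPLE_RESPONSE = {"approved": True,
                   "transaction_id": "txn_constructed_0001",
                   "token": "tok_constructed_a1b2"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def build_stored_record(swipe: dict, amount_cents: int, response: dict) -> dict:
    """Build what the POS persists after authorization.

    Only the processor's references and the last four digits are kept;
    the full number, expiry and cardholder name are deliberately dropped.
    """
    if not response.get("approved"):
        raise ValueError("declined: nothing to store")
    digits = re.sub(r"\D", "", swipe["pan"])
    return {
        "transaction_id": response["transaction_id"],  # for refunds/adjustments
        "token": response["token"],                    # for later charges
        "last4": digits[-4:],                          # enough for the receipt
        "amount_cents": amount_cents,
    }


def audit_records(records: list[dict]) -> list[tuple[int, str]]:
    """Return (record index, field name) for every field holding a full card number."""
    findings = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if find_pans(str(value)):
                findings.append((i, field))
    return findings


if __name__ == "__main__":
    good = build_stored_record(SAMPLE_SWIPE, 12900, SAMPLE_RESPONSE)
    # Constructed failure case: a free-text note where staff typed the number.
    bad = dict(good, notes="guest asked to keep card 4111-1111-1111-1111 on file")
    print(good)
    print(audit_records([good, bad]))
```

The audit pass matters because free-text fields such as notes are where card numbers tend to reappear even when the payment path itself stores only tokens.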
Re: (Score:2)
Unless you're using POTS and modems for authorization, you're going to have some down time due to connectivity outages, due to the cheapo DSL your locations will probably have.
During that time, it probably won't be acceptable to not accept credit cards, so what you do is accept it, save the card info, and hope it gets approved when connectivity returns. There's some risk to that method, but really, the vast majority of transactions get approved, so there isn't that much risk. And it's better than pissing of
One Time Password Credit Card Numbers (Score:2)
The only time my credit card was robbed was by a hotel, in Paris. The FBI ignored me, the French police ignored me, my credit card company ignored me after they canceled the charge (without evidence). It's a "cost of doing business" to them, but my hours of time, long distance phone bills, and inconvenience are a cost to me. And to the next person that hotel robs, or the hotel down the street.
It's obvious that credit cards should have one-time passwords for distribution. One password per transaction, assign