Licence - credit card security code ?

[Clifford]

Does anyone with a knowledge of banking have a view on the security aspects of this?

 

We bought the boat last year, with a licence until 31 Mar 2014.

 

I've just applied to renew. You have to do it on the paper form if you have not held a licence before. (This would have been nice to know in advance, because when the the online system rejected my customer number etc I spent ages re-entering and re-entering the numbers reeeeeeaaaaaaallllllly carefully, before I rang them up).

 

So I filled in the paper form. As part of the credit/debit card details you have to supply the three-letter security code from the back of the card.

 

After I sent it off, it suddenly occurred to me that putting the security code on a posted form is very insecure.

 

Isn't that code meant to be the strongest part of the security of a card transaction? If the letter goes astray, that form now has ALL the details needed to empty my bank account via fraudulent online purchases. (I don't mind giving the security code in a proper secure online system, because the clever encryption stuff will stop eavesdroppers from reading it).

 

I really think CaRT should NOT ask for it on a paper form intended to be posted. Any banking experts agree with me?

[b0atman]

I think you are right to worry this needs sorting asap.

Also why can it not be done online

[Alan de Enfield]

When we bought our present boat it was un-licensed as it was kept in a non-NAA marina.

 

The marina is an agent for C&RT so could issue licence receipts, but are not allowed to collect the money.

 

We completed the forms, received a receipt (to stick in the window) and were told C&RT would phone us to collect the money from the credit card.

 

Three days later (and stuck in the Trent Floods) we received call from C&RT - gave them the credit card details and by the time we arrived home (a week later) the licence was waiting

 

Seems simple enough to me.

 

NB - you can also licence at BWML marinas (two in Yorkshire) or C&RT local offices.

[DustyDave]

I'm not sure it is the strongest part of the card security. You hand it over every time you pay for something on the internet or over the phone. The internet is a little more secure because you are most likely using a payment gateway rather than the company selling you the item. Over the phone could be to anybody and everybody.

 

Check with you credit card company on whether cart should be asking for this. If it really is an issue they will sort cart out with a lot more force than you can.

 

Dave

[rrt2]

Once the payment has gone through - get a new card.

[cotswoldsman]

Send a cheque!!

[pearley]

When I've been asked for credit card details on a form that goes in the post I just write on it, please phone for credit card. Has never been a problem.

 

I am a bit more concerned about giving the details over the phone to a supplier I don't know as, knowing from our own business, these tend to be written on a scrap of paper and then discarded. Had my card details stolen like this. After the card was replaced and the new details stolen I worked out who did it. A bit dim of the thief pinching details from the same person twice!

[Bobbybass]

My wifes credit card was almost 'done' a few weeks back.

 

They took 54p and then followed it up with £1200 which luckily was over the credit limit.

We couldn't obtain any details about this attempted fraud because it VIOLATED THE DATA PROTECTION ACT !!!

 

The ONLY recent transaction she had used it for was 'Staysure' travel insurance...who she had used before.

 

I Googled Staysure, and it said that a few years back (the last time my wife used them) their computer had been hacked, and they (Staysure) hadn't encrypted the 3 digit security numbers and over 90,000 had been stolen. I 'think' that although they (villains) had these 3 digit numbers, they did not have the main details and when my wife used it recently, it 'triggered' something so that they could match it with the previously obtained security code.

 

That is my 'theory'...

[Guest]

Yes once some body has 'the long card number' as they tend to call it, the expiry date and the three digit security code they may as well have your card in your hard.

 

Some retailers however insist that any goods purchased are only delivered to the same address the debit/credit card is registered too and if they don't match the details the order wont be processed. However there are some who allow goods to be delivered to an address that is not the 'registered billing address'.

 

No doubt anybody who uses stolen debit/credit card details just avoid using retailers who insists the details match to order to make their purchases.

 

So once the details are given whether it be over the phone or written down if the retailer is not careful with them you are at risk. That said millions of transactions like this are processed each and every day and I guess the number of problems are very very small in comparison.

 

The banks do have increasingly sophisticated ways of detecting unusual activity on an account and I know I have had 'out of normal pattern' transactions blocked until I have spoken to the bank to confirm it is actually me making the purchase, clearly though they are not infallible and some will get through.

 

Personally I like Pearly's suggestion - at least then if the paper work is lost or stolen in the post you have cut out one avenue of potential loss.

[nicknorman]

The banks do have increasingly sophisticated ways of detecting unusual activity on an account and I know I have had 'out of normal pattern' transactions blocked until I have spoken to the bank to confirm it is actually me making the purchase, clearly though they are not infallible and some will get through.

 

Interestingly Jeff and I both have M&S credit cards (not joint cards), we both have a completely clean credit record, always pay the card off at the end of the month etc but we get treated quite differently by their quasi intelligent security system. Jeff has had his card cancelled 3 times as a result of him making valid transactions whilst abroad. He now has to tell them each time he goes abroad, which is quite often (for work). But I travel abroad as much or more than he does (well, not since I retired last year) but have never had an issue with the card nor told them I was going overseas. Also, every time we book an intercontinental flight with British Airways, this gets queried. It wouldn't seem likely that a crook would book a flight for November in March and expect to get away with it. I guess this is the "quasi" bit in quasi-intelligent!

[Clifford]

Thanks for the replies. I wish now I'd anticipated the excellent suggestion of writing "ring me for card details".

 

 

But I'm sure now that CaRT should NOT be asking for the security code on a snail-mailed form, even though we can think of ways round it.

 

I bet my bank wouldn't be very sympathetic about any fraudulent transactions once I told them I'd written down the CVC (the proper name, I think).

[AndrewIC]

If they are storing the "long number" (the PAN - primary account number), they should be doing so in accordance with the PCI DSS standards for payments security. They should not be storing the CVV number off the back at all, it is intended for real time processing.

 

This isn't chapter and verse, but summarises the different issuers' stance:

http://en.wikipedia.org/wiki/Talk%3ACard_Security_Code#Prohibition_on_recording_codes_on_paper_forms

[Chalky]

Interestingly Jeff and I both have M&S credit cards (not joint cards), we both have a completely clean credit record, always pay the card off at the end of the month etc but we get treated quite differently by their quasi intelligent security system. Jeff has had his card cancelled 3 times as a result of him making valid transactions whilst abroad. He now has to tell them each time he goes abroad, which is quite often (for work). But I travel abroad as much or more than he does (well, not since I retired last year) but have never had an issue with the card nor told them I was going overseas. Also, every time we book an intercontinental flight with British Airways, this gets queried. It wouldn't seem likely that a crook would book a flight for November in March and expect to get away with it. I guess this is the "quasi" bit in quasi-intelligent!

 

I had that happen to me a couple of times when I was travelling a lot on business. Wasn't so much of an issue in Europe (Munich, Cologne, Gothenburg) but happened to me once in Amsterdam whist waiting for a connecting flight and in Detroit where it was embarrasing. Happened with a corporate Citi bank card (which was used for business travel) and my own private bank cards. I now tell them when I'm going abroad and haven't had a problem since. On balance I'd rather them err towards cautious.

[NB Lola]

CRT is violating their obligations born out of PCI-DSS, which sets requirements in terms of credit card data management. They should have accepted the info over the phone. When they pass the data to the card services provider the process does not allow for the card number or the security code to be kept or stored by the merchant, in this case CRT, I bet they have.

[MartinC]

As this topic has wandered on to overseas transactions I am surprised that nobody has mentioned the benefits of pre-paid cards which avoid a lot of the problems that people seem to be having and, of course, does away with the risk of emptying your bank account.

[Phoenix_V]

We act as CRT agents for licence issue. We were told many weeks ago that they had stopped asking for credit card details on the forms (which were being reissued) for just these security issues, if a customer used an old form to delete the details and advise the customer that CRT would phone them to collect the details, if we did not do this the form would be rejected.

 

Haventy seen any forms recently so don't know if they have amended them yet, but if not no need to complete this section just tell them you wish to pay by card and they will call you to take details (is that more secure, I am not sure!)

[bigcol]

Thank you!!

 

Off to check my bank account!

[Alan de Enfield]

We act as CRT agents for licence issue. We were told many weeks ago that they had stopped asking for credit card details on the forms (which were being reissued) for just these security issues, if a customer used an old form to delete the details and advise the customer that CRT would phone them to collect the details, if we did not do this the form would be rejected.

 

Haventy seen any forms recently so don't know if they have amended them yet, but if not no need to complete this section just tell them you wish to pay by card and they will call you to take details (is that more secure, I am not sure!)

 

See post #3

[Clifford]

Alan,

 

Thanks for replying. I got my letter a few weeks ago now, so perhaps just too early for the new forms. It's good to know the issue was recognised and (hopefully) addressed.

[Athy]

John's advice is, I think, the most sensible: pay by cheque. I have never heard of a cheque book being "hacked".

[RichardH]

Does anyone with a knowledge of banking have a view on the security aspects of this?

 

We bought the boat last year, with a licence until 31 Mar 2014.

 

I've just applied to renew. You have to do it on the paper form if you have not held a licence before. (This would have been nice to know in advance, because when the the online system rejected my customer number etc I spent ages re-entering and re-entering the numbers reeeeeeaaaaaaallllllly carefully, before I rang them up).

 

So I filled in the paper form. As part of the credit/debit card details you have to supply the three-letter security code from the back of the card.

 

After I sent it off, it suddenly occurred to me that putting the security code on a posted form is very insecure.

 

Isn't that code meant to be the strongest part of the security of a card transaction? If the letter goes astray, that form now has ALL the details needed to empty my bank account via fraudulent online purchases. (I don't mind giving the security code in a proper secure online system, because the clever encryption stuff will stop eavesdroppers from reading it).

 

I really think CaRT should NOT ask for it on a paper form intended to be posted. Any banking experts agree with me?

 

You are right to question this - as far as I know this does not meet PCI compliance standards set by the card industry.

[Cheshire cat]

Cheque books don't get hacked but they do get cloned.

I had a call from a debt collection agency wanting to know when I was likely to pay for a laptop "I had bought".

I hadn't made a purchase so thought the message on the answer machine was a hoax. We checked the number and found it was a genuine agency operating out of Birmingham.

A cheque had been presented and had bounced. They were trying to recover the debt.

They had details of my name and address but the account was with HSBC who I don't bank with.

Obligingly, they told me the account number they were trying to draw against and I went to see the local branch manager. They looked at the account in question and could see that lots of goods had been bought in a very short timeframe until there was no money in the account. The account owner lived at the other end of the country and didn't have the same name as me.

Apparently the villain chooses an account at random and a person from the electoral register who lives in an affluent area. They produced a false company cheque book with my name on it. They then need some business letters with the right headers and proof of address and they pass off the purchase as a business related purchase.

The outlet does some basic checks that I live at the disclosed address and that I am credit worthy and hands over the goods. Cheques were honoured until the funds ran out.

It was a pain in the bum to sort out. The debt agency needed convincing to stop chasing me and to preserve my credit record. I had to get a crime number which involved a lengthy interview. No idea if the police ever caught up with anyone.

[RockSodem]

To the OP, your payment may have been refused because you were either on an open wifi connection or one of the multitude of middle man payment firms organisations use thought your connection unsafe, whether it be an unsecured connection or they felt some not right about the connection..... And yes this can be seen by them to a degree. If they feel that there is any risk of a chargeback on them... Transaction rejected. They play it safe, to our benefit. Snail mail, now being less used, is consequently less of a target. You would be very unlucky to get spiked this way and if you did, it wouldn't take long to get your money back off the firm asking for that method... Unless you used a transparent envelope!

[boots]

Just for clarity with respect to PCI

- they are allowed to ask for it, however there are strict rules as to how the handle the data once received.

- they are not allowed to retain the security code (3 numbers on the back of the card) in any shape or form once the transaction has been authorised. (For the record, this is not a PCI requirement, rather a general condition from the card schemes, though PCI does inherit the requirement)

 

Due to the onerous nature of PCI, most merchants stop accepting credit card details on paper.