Credit Card cloned!!!

I've always been told they need to be PCI compliant/registered to hold those details; it's one reason why we didn't bother, as our ecommerce platform guys are PCI and they hold the details, not us. We can only see the last 4 digits of the card number in our back end.

I implemented ours in a similar way: when people buy online they get sent to a page on the payment processing company's site to enter the card details. We don't see any of the card information at all unless they order by phone (in which case we enter it directly into the "virtual terminal" on the processing company's site and don't store it ourselves).

Not storing card information ever neatly avoids PCI DSS.
 
You should speak to the company that is providing your merchant account as entering card details into a computer is seen as the highest possible risk and you will most likely need to be PCI compliant for that to protect yourself if anything goes wrong.

Someone entering card details into a computer is probably how the thread starter was scammed.
Keylogger, network sniffer, dishonest employee etc.

There is a lot of confusion about PCI DSS

http://www.sagepay.com/pci-dss-compliance

http://www.streamline.com/pciportal
 
You should speak to the company that is providing your merchant account as entering card details into a computer is seen as the highest possible risk and you will most likely need to be PCI compliant for that to protect yourself if anything goes wrong.

Someone entering card details into a computer is probably how the thread starter was scammed.
Keylogger, network sniffer, dishonest employee etc.

There is a lot of confusion about PCI DSS

http://www.sagepay.com/pci-dss-compliance

http://www.streamline.com/pciportal

I don't think it is as complicated as key sniffing, it is nearly always a dishonest employee as you have mentioned. :)

I think the person wrote down the card details for use later on instead of directly into the machine. Whether they lost the details and someone else used them or they used the details themselves we don't know. If they repeated the numbers back, someone in the office could have been listening and writing the details down.
 
I would agree, dodgy staff.

Must be hard if a company employs lots of people and they have a dishonest one that is doing this kind of stuff.
 
I'd love to, but it's a little unfair to the business if, as it seems, it's a rogue employee.
It is mainly an online business and I still find it strange that this isn't in the business section, where everyone who actually buys photographic gear for their part/full time business online could be pre-warned.

But you aren't pre-warning anyone of anything if you don't say who the company is.

I'm not planning on buying anything online at the moment, but really, you aren't helping anyone without the name.
 
I'd love to, but it's a little unfair to the business if, as it seems, it's a rogue employee.
It is mainly an online business and I still find it strange that this isn't in the business section, where everyone who actually buys photographic gear for their part/full time business online could be pre-warned.

Talk Business
Discuss the business and financial side of professional photography.
The business section is where professionals talk about their own business - not where people looking to buy stuff look.

At the most it should be in the shopping/suppliers section but tbh as many people look in out of focus as do in there so I reckon your thread is in the best place.

Of course if you disagree you are probably best reporting the thread or using the 'Contact' options for the forum.
 
You should speak to the company that is providing your merchant account as entering card details into a computer is seen as the highest possible risk and you will most likely need to be PCI compliant for that to protect yourself if anything goes wrong.

Someone entering card details into a computer is probably how the thread starter was scammed.
Keylogger, network sniffer, dishonest employee etc.

There is a lot of confusion about PCI DSS

http://www.sagepay.com/pci-dss-compliance

http://www.streamline.com/pciportal

Where do you draw the line though? Most retailers offer a mail order service and will take card details over the phone to manually enter into a credit card terminal. As far as I'm aware a retail store doesn't require PCI compliance, as at no time are they storing card details.
 
Online and CC payment queried over the phone.
For anyone who doesn't understand the system, it works like this...
1. You order online and are on the merchant's website until you have completed the shopping cart, entered your delivery info (name, address etc) and pressed the button to 'Continue to Sagepay' or whoever else is dealing with the payments.

2. You have now left the merchant's site and are on a secure site operated by the company that takes the money (Sagepay?). It's secure.

3. The payment company 'tells' the merchant that your payment has gone through (or that it hasn't) so that the merchant knows that they can or can't send the goods. None of the info that you supplied to the payment company is passed on to the merchant, who doesn't even know what type of card you used.

Sometimes, people ring me because they want to give me, a total stranger to them, full details of their credit or debit card. Occasionally, it's because Sagepay didn't work for technical reasons but usually they say that they don't trust computers - even though the computer system is far more secure than giving card details to a fallible human being who may or may not be honest, and who may or may not be careful with that info.

Personally, I deal with it by putting the payment through immediately, and then the page in the notebook with the info goes straight into the shredder - but other people may not be as careful, and the potential for dishonesty seems pretty high to me.

I think that anyone who phones up and asks for card details should be regarded with extreme suspicion. If a payment doesn't go through for any reason it's surely up to the customer to ring up and ask for the payment to be put through manually; customers should never be asked to give this information.
 
If it's dodgy staff, surely it's the company's responsibility to vet their employees before trusting them with customers' details. These things will always happen but I still think it'd be nice to know where it happened - might make them up their ante if they know it's been told to other potential customers.
 
If it's dodgy staff, surely it's the company's responsibility to vet their employees before trusting them with customers' details. These things will always happen but I still think it'd be nice to know where it happened - might make them up their ante if they know it's been told to other potential customers.

Like I said above, any retail chain can have a very high turnaround of staff, more so this time of year when Xmas temp cover is drafted in. Where do you draw the line with checks on staff etc.?
 
Like I said above, any retail chain can have a very high turnaround of staff, more so this time of year when Xmas temp cover is drafted in. Where do you draw the line with checks on staff etc.?

All a background check, be it CRB or whatever, etc etc proves is that "they haven't been caught" doing anything naughty, not that they haven't done anything naughty. Or they haven't yet, as they've not had the opportunity to do so.
 
Like I said above, any retail chain can have a very high turnaround of staff, more so this time of year when Xmas temp cover is drafted in. Where do you draw the line with checks on staff etc.?

waterboarding :bat:
 