vancel at winfreeacademy.com
Mon Mar 20 16:39:27 GMT 2006
>Most online credit card transactions now require CVV2 numbers be inputted.
>This is the direction all transactions are headed in. Our merchant provider
>has CVV2 as standard and will not process any transaction without it. Visa
>here in Canada has been using "VERIFIED by VISA" systems for 2 years now.
>All in all, this means that having just the number and expiry doesn't cut it
>I think the idea here of bombarding phishers is good one....but like said
>previously, you would need to tap into BOTNET or have a widely dispersed
>group of systems available to you to pull it off. I have myself gone to
>phish sites and inputted BS info by proxy just to tick them off....I would
>love to see some sort of application that inputs all kind of false data that
>they would have to wade through. Heck, they force us to wade through all the
>phish-mail they proliferate.
Sorry for the late reply, I was on spring break last week.
There are guidelines set forth by Visa every year, and merchants always
have the option to follow or not follow them. The CVV2 is merely a
guideline... the merchant is charged more if they don't provide certain
key information in the transaction, but it is by no means required.
We provided a service that allowed each merchant to force certain fields
to be present. If the merchant decided they wanted us to decline any
transaction through their account that didn't have (for example) at
least the card number, date, CVV2, zip code, and cardholder name, our
system would block the transaction. However, that was a function set up
by the merchant. I'm sure there are some card processors and merchant
banks that don't give the merchant the option, but it's not required by
Visa. Think about when you use your credit card at a gas pump. Until
recently all you did was slide the card and the pump came to life. Now
there are certain gas stations that require you to input your zip
code... and that's it.
Here's a little FYI tidbit. In 2001, Visa set forth a guideline that
nothing printed out or given back to the customer is supposed to have
the entire credit card number.... not even the "merchant copy" that you
sign. That copy is usually left on the table, and the merchant
computers have your whole number, so there is no need to print it on the
reciept. There is a provision in that guideline that gives this rule a
little more bite in that if you report the merchant to Visa, that
merchant will lose their credit card processing until they fix their
systems. I only know about that rule because we had to modify our
systems to hide the full number after the transaction.
Since my time with that company, there are a few things that I've
changed about my credit card usage. First, I have a super low limit
credit card that I use for Internet transactions ($300 max). That way
if my number is stolen, it doesn't hurt much if I can't dispute the
charges. I also use this card for any business that I don't completely
trust the minimum wage cashiers to not get my number later and try to
use it. Second, if I see my full card number on a receipt, I physically
hand the signed copy to either my server or a nearby server so it
doesn't sit on the table waiting for someone to copy it down (or I
scribble it out). Third, I shred everything that has more than my name
and address pre-printed on it. Anything that is "pre-approved" with an
activation code gets shredded... any credit card application form gets
shredded (the cute letter just goes in the trash). And fourth, I don't
give any credit card information to anyone that called me unless they
can give me specific information about my account that's not generally
available to the public and not guessable. People can say they are
anyone with any company and it's amazing how many people believe them.
Someone a while back (it may not have been this list) posted that they
don't give their entire credit card number to their bank only the last 4
digits, because they're afraid of fraud. The examples that were given
were situations like changing an account password or transferring funds
or something like that. If you think about it, if you decide that all
you want your bank to require from you is the exact information that is
on every receipt for your credit card, you've nullified one of the
reasons for not printing the entire card number on the receipt. I want
my bank to ask my entire card number, my address, my zip code, my middle
name, my birthdate.... as much as it takes to verify that it's really me
before they change something on my account.
Winfree Academy Charter Schools
More information about the list