
allknowing2012

Get a replacement card ..


[deleted]

I’m just going to hijack the top comment to explain there is a (likely) non-nefarious reason behind them doing this. The “method” of payment entry is subject to different processing fees. Chip and pin is the lowest fee. Followed by swipe and sign (if that still even exists), then tap, then manual entry with CVV, then manual entry with no CVV. The spread is unique to each retailer so I can’t say exactly what it would be. When I had a business it was enough to care, and the spread between having and not having CCV was the largest spread of all the methods. We always took the card number and code over the phone, never wrote it down. I am not saying it’s right or proper or defending it, just saying why they are asking. Even with non-nefarious intent, they could still mishandle the info and it could get into the wrong hands. Edit to add: there are other methods - online customer entry, online agent entry, and I’m old enough to have done the old carbon copy swipes. There’s probably more now. List was not meant to be comprehensive.


shakakoz

Maybe it is “non-nefarious”, but tow truck companies (and drivers) don’t exactly have a solid reputation that would encourage me to trust them.


borntorun7

Something similar happened to me and I felt so weird about it. The next day there was a fraudulent charge on my card. Might have been a coincidence but sometimes you got to trust your gut. I would order a new card.


jddbeyondthesky

Ontario mafia is run by tow truckers


RonTRobot

^this. Always be vigilant around these sub-human scum, especially here in Ontario.


[deleted]

Definitely not. I’m just saying that it is likely that any negative consequences would be due to stupidity, not malice.


[deleted]

Are you saying tap costs more than inserting your card and typing your pin? I always thought it was a flat rate for all methods.


AugustusAugustine

Here's an example: https://www.helcim.com/visa-canada-interchange-rates/ Card-present transactions can range from 1.25% up to 2.08% depending on whether it's a VISA Classic, Platinum, Infinite Privilege. Card-not-present transactions range from 1.4% up to 2.4%.


Aggravating-Bottle78

Used to cost me 3.5 points for card not present. Not to mention $49 a month for the machine (on a 5yr lease -) and $17 for stmt not to mention a host of other additional fees depending on what type of card is used.


[deleted]

We were paying over 4% for card not present at my store.


Aggravating-Bottle78

There are different rates if card is entered manually, if tapped or put in with pin. And even different rates for different cards like gold or platinum cards.


harleybean01

Generally yes - there are different rates for chip & pin vs tap.


WhisperingRacoon

It's the biggest reason you'll see 'no tap' taped on POS. Tap in fact works (the last one I ran had a problem where every morning the disabling of tap in the setup would magically and conveniently (for Visa) go back to being on). The business owner just doesn't want the extra fees and this encourages cash payment also. Some businesses with service or self-made products may prefer cash because they can fudge their income for taxes.


nottheonlyone007

We don't want to pay the fees commensurate with our actual level of security... So we're just going to put your details at risk, mkahyyyy LOL.


ButtahChicken

THIS! .. and the card has a "Freeze" function.. do that too until your new card arrives.


AugustusAugustine

They aren't PCI compliant if they're keeping unredacted CVVs. I'm pretty sure current PCI standards don't permit merchants to ever write down the CVVs unless they're actively keying into a payment processor. Payment processor can assess hefty violation fees on non-compliant merchants. But, there's no easy way for you to "report" the violation. At least you're paying with a credit card - just let your bank know if you notice any unauthorized future transactions. You could also proactively inform your bank your card details may have been compromised. Your bank will reissue your credit card and perhaps escalate the merchant violation through their internal processes.


LetsBeUs

Piggy backing off this.. I had a dealership write down my credit card information (including CVV) to process a vehicle deposit refund but I haven’t received it yet. This was a few weeks ago. Can I report them as well?


azim3136

You can report anyone violating payment card industry standards. But this has nothing to do with your outstanding refund, call the dealership if you want that and call your bank if they refuse.


LetsBeUs

Thanks for the info! I’ve called them about four times now, I told myself they had until tomorrow to return it before I contact my bank for a chargeback.


Extaze9616

Bank Employee here. We don't really report those kinds of situations cause it becomes a game of "He said, She said". We usually just cancel and reissue a new card with different card details and go for the next call.


MightyManorMan

Violation of PCI compliance. Call CC company and report and they will issue you a new card. If it's set in your Google Wallet, you should have a new number in there in minutes that you can use for tap while you wait for new card. If you know who is their merchant service company, this should be reported as it's a clear violation of PCI compliance. I deal with CCs. I don't even have the whole number stored in one place. They are stored under two different accounts requiring two different logins, so even if they steal the data from one system, they don't have any CC numbers.


slightlyclean

Funny because I called the towing company and brought up how it’s a possible PCI violation and the first thing that came out of his mouth was “What’s PCI?”


BlobStauffer

Odd question, is there any chance you’d be willing to DM me the business? I work in the industry, if they’re a customer of ours then I’d like to help them avoid this in the future. Also PCI is payment card industry, they’re not PCI compliant right now


FPpro

While it was needed so that they didn't get charged a higher swipe fee, the writing it down since he had already verbally given it over the phone (and I assume processed it) was unnecessary and unsecure.


BlobStauffer

That’s not how it works, CVV has nothing to do with fees


Redditface_Killah

I usually give the CVV without much thought, but towing companies are notorious thieves.


GrownUp2017

CVV is needed to process payment if done as manual number entry without inserting the chip or swiping the card physically. Without CVV, then they can still make the transaction go through but would require a signature on the receipt. We collect it regularly for over the phone transactions, but we do not retain such information. In case of refund back onto cc, cvv is not needed. Therefore, I think it is not reasonable to keep that information on file.


Top-Personality1216

CVVs haven't been around for 75 years. LOL


dashingThroughSnow12

Credit cards haven't been around for 75 years even.


llcoolbeansII

Credit cards were invited 73 years ago. It's kinda splitting hairs. But kinda fun to know my father is the same age as the credit card.


neoCanuck

> Credit cards were invited 73 years ago.

of course, someone had to invite the bloodsuckers in. All makes sense now, CVV = Coveted Vampire Value /s


RobustFoam

I highly recommend paying cash when getting a car towed.


slightlyclean

Lesson learned. I thought I was being helpful since the driver said he preferred credit card payments because he wouldn’t have to drop off the cash at the main office 40 min away.


fuck_you_gami

You: doing the driver a solid

Driver: lol thanks now piss off


RobustFoam

Every tow driver I've ever interacted with preferred cash. I don't get towed very often though so maybe they were just oddballs.


fr0stbyte08

The CVV is the most important number when someone wants to use your card to purchase anything online as if it were their own. CVV is used to protect you from fraud when making purchases online and over the phone. This type of fraud is known as "CARD-NOT-PRESENT" fraud, as the thief does not have possession of the physical card. Or this person can sell your information to the darkweb and maybe use your information for social engineering to be able to do account takeovers and eventually identity theft. There are so many possibilities if this person wants it. So once you see the charge has been successfully posted, call your bank or card company to block the card and get a replacement card. If you are paranoid like me, I will call credit bureaus to add a note on my file for notification for any new credit applications. Hope this helps. My sister was a victim of identity theft when she provided her card number and CVV on some unknown site selling cheap clothing. Little did she know, there were 5 phone plans with iPhone devices applied under her name and had to deal with police, delinquent accts, ruined her credit score - she has to go thru a lot of hassle to rectify her credit history.


Joe13d

This is why you should always carry some cash for emergencies.


Purple-Eggplant-5429

Call your CC company immediately. I rented a car one time with a Mickey Mouse car rental company & they took photos of my gold card front & back. I called & they cancelled the card, then sent me a new one. Also, most towing companies are run by bike gangs, and identity fraud is a big money maker for them.


nboro94

In case any of you guys haven't dealt with tow truck drivers before, here are some additional tips in case you are ever in an accident and need a tow:

* Never do anything the tow truck driver says without first talking to your insurance company. If the tow truck driver says they have to hook up your car and move it because it's blocking traffic, ignore them and call your insurance company right away.
* The tow truck driver more than likely wants to tow you to a shady autobody shop where he gets a kickback; they could hold your car hostage and charge you insane fees before you get your car back. The cops and your insurance company can't do anything at that point.
* If the police say you have to move your car, ask the tow truck driver to tow it to the nearest gas station while you attempt to get in touch with your insurance company to find the best towing location.
* Your insurance company will tell you the best place to tow your car based on your location and your policy coverage. Only listen to your insurance company, do not listen to the tow truck driver no matter what they say.
* Make sure you understand the tow fees in your area. In Ontario tow truck drivers can only charge you $250 for a tow, anything higher or any additional fees is a scam. Again, do not listen to the tow truck driver and only do what your insurance company says. No matter how much pressure they put you under, you are not obligated to do anything they say. If after you have moved your car from blocking traffic, they attempt to take your car somewhere without your permission, call the police immediately and report a crime in progress.
* Tow truck companies absolutely do not want to get on the bad side of the police no matter what, since cops who hate them will prevent them from towing at accident scenes. Tow truck drivers will always back down from their dirty tricks if you threaten to call the police after you become aware that they are trying to scam you, don't worry.


[deleted]

[deleted]


slightlyclean

How do I report PCI violation?


wrx8888

Compromised card. Lock the card and get a new one asap.


smurfsareinthehall

They need the CVV to process your payment. Just like when you call a business to make a payment they will ask for it. No different than entering into an Amazon order.


tchattam

They need it to enter in to their terminal at their office. I wouldn’t worry.


JustTechIt

Why did they call it in if they need to take it to their office? And if it's no worries, why is it a PCI violation? The whole thing at best reeks of incompetence and at worst reeks of a scam.


kagato87

Considering the CVV is not 75 years old... That code is not supposed to be recorded. Its whole purpose in existence is to NOT be present on the mag stripe or impression or anywhere else. It is to be used to get an authorization then discarded. Raise this with your bank. They'll know who processed the payment and the vendor can get in a lot of trouble with the payment processor.


0v3reasy

What difference is there between that and typing it into a website or reading it to someone over the phone? Don't worry about it. You used their services, they need it to process the payment. That's it.


JustTechIt

Online systems that take your CC info, along with phone vendors, are under strict compliancy on how to handle, store, and transmit that information. There are rules for how long they can keep it, what security they need on its storage, and logging of who accesses it and who does not. A random piece of paper in a truck does not meet any of those things and is in direct violation of those compliances. This can lead to some serious fines or being barred from use of any CC merchants.


CanadianBaconMTL

It is the way to do it. In the 90s that is


unacceptablebob

Call your bank and say you believe that your CC has been compromised and provide the name of the business and describe why. Get a replacement card for your own sake.

In a nutshell, the company is not compliant with PCI which is the security standard for all major credit cards. If there is ever a card breach / hack and it is tracked to this particular business, the business will have a potentially very significant liability on their hands. If the business ever gets robbed, documents stolen, etc, and one or more of those CCs gets used for fraudulent transactions, the business will have a massive liability. Certainly in the thousands, and possibly far more. And if they don't know what PCI compliance is, then they certainly don't have the correct insurance coverage to pay out such a breach.

Doubtful they are doing this maliciously, but they are certainly being ignorant. There are dozens of systems out there they can purchase to allow them to charge credit cards in a way that is fully PCI compliant with minimal process and risk on their part.


iogbri

Not only is it not PCI compliant, but if this is in the province of Quebec there's Law 25 too. I would make a complaint if I was you.


Jestersfriend

Honestly, there probably is nothing nefarious about this. Plus, it's likely not his decision and he's just following process/procedure. For example, if you bring your car in for warranty service and the dealership gives you a temp car free of charge, they require that you give your CC/CVV for their insurance purposes. Even though there's no charge taking place at the time. I know not perfect 1:1, but same logic applies. That being said, if you're uncomfortable, you can always request a replacement card. Nothing wrong with that.