WHY do they store the CVV
Surely totally unnecessary
And how come it was not encrypted?
GPS and wearables maker Garmin has warned customers in South Africa that their personal info and payment data were pinched after they shopped on the shop.garmin.co.za portal. The stolen data, which the emailed notice said was limited to Garmin's South Africa site, included customers' home addresses, phone numbers and emails as …
This post has been deleted by its author
They've taken the website down so I can't check but it seems to be the norm these days to have bucket loads of third-party scripts loaded on payment pages. All those popular JavaScript libraries must be so tempting for card-skimmers to try and inject their code. I use the uMatrix add-on so I get a handy number pop-up in Firefox's toolbar that tells me how many external resources are being loaded on a page. In my experience websites that use eCommerce content management systems like Magento are often the worse. The web designer adds 15 JavaScript libraries to help the product pages look great and to track visitors and never thinks to remove them from the payment page. Every page uses the same template. Of course the libraries are loaded from a CDN (Credible? Don't Know) as well, not from the local server. I'm not offering any solutions, just complaining about a problem. It will be tough to fix although I suppose the Payment Card Industry Data Security Standard should have more to say about this practice.
I agree with Trollslayer - I have my issues with Paypal but not having to type in my credit card details into a site that doesn't follow best practice is a winner every time. Also, in the past websites have saved my card details without asking and I only find out next time I visit - they can't do that with Paypal.
Another paypal user here - it's one place less that has a debit/credit card stored if I can purchase via a single on-line point (though it does, as pointed out above, make paypal an obvious target - so the card linked at paypal is deliberately restricted in its access to cash).
A couple of points:
- in the vast majority of cases, there is absolutely no need for a company to store *any* details about me, whether that be my name and address or my payment details. If there are legal requirements to log the purchase, then surely all that is needed is an encrypted record that the purchase has taken place.
- every company with whom I might deal on the internet seems to suffer from the delusion that I am now in a relationship with them. This is emphatically not the case. Each and every purchase is a single discrete event. I am quite happy to spend the couple of minutes that it takes to fill out the details each time, but it seems that my co-habitees on this planet are happy to take the risk of having their details stored willy-nilly throughout the world. (Admittedly, this would not have helped in a scraping case like this).
- STOP allowing random scripts to run. The majority are trackers in one form or another: you are under no obligation to allow yourself to be tracked. Others are potentially dangerous - particularly if they call other scripts - or annoying, in the case of every advert ever made. Allow only those scripts that *must* be run to run, e.g. payment services. As a courtesy detail, if a site presents an empty page unless its scripts are allowed, I consider that site broken by design and avoid using it.
"Each and every purchase is a single discrete event"
This is something marketing people just can't get their heads round. The local village hall uses a ticketing site. It's reasonable that such a site has an email address for e-tickets and retains it long enough to notify of any last minute changes. It's very much more doubtful that they need a password and they have no business whatsoever spamming that email address without explicit opt-in. So now the email address will be useless for notifying changes, it's set to bounce and, should they bother to read the bounce notices, it will tell them why. If I ever need to use it again the non-bouncing window will last just long enough to get the tickets.
I use a combination of alternative addresses and plus-delimited addresses to segregate received mail. Every site gets its own alias, and most correspondence gets tagged with a label. If I start getting spam to a specific address, I cut all ties with that company. because I know at that point they've done me wrong.