Do institutions have right to ask for your credit card security code and all other CC data?
A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?
credit-card online-payment security electronic-payment
add a comment |
A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?
credit-card online-payment security electronic-payment
30
Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?
– yoozer8
Dec 20 '18 at 12:53
5
It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.
– lukkea
Dec 20 '18 at 17:35
1
Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.
– corsiKa
Dec 21 '18 at 22:13
Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.
– MooseBoys
Dec 21 '18 at 23:30
1
While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?
– krubo
Dec 22 '18 at 17:50
add a comment |
A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?
credit-card online-payment security electronic-payment
A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?
credit-card online-payment security electronic-payment
credit-card online-payment security electronic-payment
asked Dec 20 '18 at 11:51
GreenGreen
30436
30436
30
Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?
– yoozer8
Dec 20 '18 at 12:53
5
It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.
– lukkea
Dec 20 '18 at 17:35
1
Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.
– corsiKa
Dec 21 '18 at 22:13
Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.
– MooseBoys
Dec 21 '18 at 23:30
1
While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?
– krubo
Dec 22 '18 at 17:50
add a comment |
30
Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?
– yoozer8
Dec 20 '18 at 12:53
5
It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.
– lukkea
Dec 20 '18 at 17:35
1
Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.
– corsiKa
Dec 21 '18 at 22:13
Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.
– MooseBoys
Dec 21 '18 at 23:30
1
While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?
– krubo
Dec 22 '18 at 17:50
30
30
Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?
– yoozer8
Dec 20 '18 at 12:53
Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?
– yoozer8
Dec 20 '18 at 12:53
5
5
It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.
– lukkea
Dec 20 '18 at 17:35
It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.
– lukkea
Dec 20 '18 at 17:35
1
1
Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.
– corsiKa
Dec 21 '18 at 22:13
Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.
– corsiKa
Dec 21 '18 at 22:13
Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.
– MooseBoys
Dec 21 '18 at 23:30
Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.
– MooseBoys
Dec 21 '18 at 23:30
1
1
While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?
– krubo
Dec 22 '18 at 17:50
While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?
– krubo
Dec 22 '18 at 17:50
add a comment |
5 Answers
5
active
oldest
votes
It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.
Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.
The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).
In the process, they are violating the clear wording of the Visa rules:
Comments are not for extended discussion; this conversation has been moved to chat.
– JohnFx♦
Dec 23 '18 at 3:40
3
To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).
– IMSoP
Dec 24 '18 at 12:15
add a comment |
This violates PCI-DSS
They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.
Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.
This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.
All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.
Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.
They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.
9
Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.
– user71659
Dec 21 '18 at 19:51
@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.
– Harper
Dec 21 '18 at 20:33
Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.
– Affe
Dec 21 '18 at 23:56
add a comment |
The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.
If you want to pay for this service with your credit card, then yes, you should provide them with this code.
An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.
When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.
13
Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).
– Gainz
Dec 20 '18 at 12:47
13
"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.
– Ben Voigt
Dec 20 '18 at 17:36
5
@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.
– Ben Miller
Dec 20 '18 at 17:45
22
@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.
– SaSSafraS1232
Dec 20 '18 at 21:30
10
@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."
– user71659
Dec 21 '18 at 3:48
|
show 23 more comments
This is completely insecure and personally, I wouldn't supply the info.
As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.
If you must do this, some options:
- see if you can pay in person.
- create a temporary credit card number with a very low limit (some cc's offer this feature)
- pay by cash.
1
Do they really need your personal bank account number? ACH fraud is really dangerous.
– trognanders
Dec 21 '18 at 20:56
1
@trognanders, good info, removed the check comment!
– James
Dec 22 '18 at 16:10
add a comment |
Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.
Consider alternative payment options:
- Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card
- Cash (get a receipt though!)
- Prepaid Visa card.
They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.
2
+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.
– Beska
Dec 22 '18 at 18:17
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "93"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmoney.stackexchange.com%2fquestions%2f103121%2fdo-institutions-have-right-to-ask-for-your-credit-card-security-code-and-all-oth%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.
Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.
The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).
In the process, they are violating the clear wording of the Visa rules:
Comments are not for extended discussion; this conversation has been moved to chat.
– JohnFx♦
Dec 23 '18 at 3:40
3
To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).
– IMSoP
Dec 24 '18 at 12:15
add a comment |
It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.
Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.
The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).
In the process, they are violating the clear wording of the Visa rules:
Comments are not for extended discussion; this conversation has been moved to chat.
– JohnFx♦
Dec 23 '18 at 3:40
3
To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).
– IMSoP
Dec 24 '18 at 12:15
add a comment |
It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.
Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.
The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).
In the process, they are violating the clear wording of the Visa rules:
It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.
Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.
The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).
In the process, they are violating the clear wording of the Visa rules:
edited Dec 22 '18 at 17:44
answered Dec 20 '18 at 17:42
Ben VoigtBen Voigt
1,6431115
1,6431115
Comments are not for extended discussion; this conversation has been moved to chat.
– JohnFx♦
Dec 23 '18 at 3:40
3
To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).
– IMSoP
Dec 24 '18 at 12:15
add a comment |
Comments are not for extended discussion; this conversation has been moved to chat.
– JohnFx♦
Dec 23 '18 at 3:40
3
To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).
– IMSoP
Dec 24 '18 at 12:15
Comments are not for extended discussion; this conversation has been moved to chat.
– JohnFx♦
Dec 23 '18 at 3:40
Comments are not for extended discussion; this conversation has been moved to chat.
– JohnFx♦
Dec 23 '18 at 3:40
3
3
To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).
– IMSoP
Dec 24 '18 at 12:15
To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).
– IMSoP
Dec 24 '18 at 12:15
add a comment |
This violates PCI-DSS
They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.
Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.
This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.
All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.
Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.
They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.
9
Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.
– user71659
Dec 21 '18 at 19:51
@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.
– Harper
Dec 21 '18 at 20:33
Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.
– Affe
Dec 21 '18 at 23:56
add a comment |
This violates PCI-DSS
They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.
Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.
This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.
All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.
Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.
They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.
9
Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.
– user71659
Dec 21 '18 at 19:51
@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.
– Harper
Dec 21 '18 at 20:33
Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.
– Affe
Dec 21 '18 at 23:56
add a comment |
This violates PCI-DSS
They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.
Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.
This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.
All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.
Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.
They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.
This violates PCI-DSS
They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.
Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.
This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.
All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.
Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.
They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.
answered Dec 20 '18 at 21:41
HarperHarper
20.8k43168
20.8k43168
9
Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.
– user71659
Dec 21 '18 at 19:51
@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.
– Harper
Dec 21 '18 at 20:33
Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.
– Affe
Dec 21 '18 at 23:56
add a comment |
9
Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.
– user71659
Dec 21 '18 at 19:51
@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.
– Harper
Dec 21 '18 at 20:33
Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.
– Affe
Dec 21 '18 at 23:56
9
9
Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.
– user71659
Dec 21 '18 at 19:51
Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.
– user71659
Dec 21 '18 at 19:51
@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.
– Harper
Dec 21 '18 at 20:33
@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.
– Harper
Dec 21 '18 at 20:33
Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.
– Affe
Dec 21 '18 at 23:56
Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.
– Affe
Dec 21 '18 at 23:56
add a comment |
The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.
If you want to pay for this service with your credit card, then yes, you should provide them with this code.
An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.
When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.
13
Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).
– Gainz
Dec 20 '18 at 12:47
13
"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.
– Ben Voigt
Dec 20 '18 at 17:36
5
@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.
– Ben Miller
Dec 20 '18 at 17:45
22
@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.
– SaSSafraS1232
Dec 20 '18 at 21:30
10
@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."
– user71659
Dec 21 '18 at 3:48
|
show 23 more comments
The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.
If you want to pay for this service with your credit card, then yes, you should provide them with this code.
An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.
When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.
13
Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).
– Gainz
Dec 20 '18 at 12:47
13
"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.
– Ben Voigt
Dec 20 '18 at 17:36
5
@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.
– Ben Miller
Dec 20 '18 at 17:45
22
@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.
– SaSSafraS1232
Dec 20 '18 at 21:30
10
@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."
– user71659
Dec 21 '18 at 3:48
|
show 23 more comments
The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.
If you want to pay for this service with your credit card, then yes, you should provide them with this code.
An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.
When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.
The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.
If you want to pay for this service with your credit card, then yes, you should provide them with this code.
An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.
When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.
edited Dec 20 '18 at 12:47
answered Dec 20 '18 at 12:09
Ben MillerBen Miller
77.3k19210277
77.3k19210277
13
Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).
– Gainz
Dec 20 '18 at 12:47
13
"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.
– Ben Voigt
Dec 20 '18 at 17:36
5
@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.
– Ben Miller
Dec 20 '18 at 17:45
22
@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.
– SaSSafraS1232
Dec 20 '18 at 21:30
10
@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."
– user71659
Dec 21 '18 at 3:48
|
show 23 more comments
13
Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).
– Gainz
Dec 20 '18 at 12:47
13
"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.
– Ben Voigt
Dec 20 '18 at 17:36
5
@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.
– Ben Miller
Dec 20 '18 at 17:45
22
@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.
– SaSSafraS1232
Dec 20 '18 at 21:30
10
@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."
– user71659
Dec 21 '18 at 3:48
13
13
Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).
– Gainz
Dec 20 '18 at 12:47
Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).
– Gainz
Dec 20 '18 at 12:47
13
13
"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.
– Ben Voigt
Dec 20 '18 at 17:36
"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.
– Ben Voigt
Dec 20 '18 at 17:36
5
5
@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.
– Ben Miller
Dec 20 '18 at 17:45
@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.
– Ben Miller
Dec 20 '18 at 17:45
22
22
@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.
– SaSSafraS1232
Dec 20 '18 at 21:30
@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.
– SaSSafraS1232
Dec 20 '18 at 21:30
10
10
@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."
– user71659
Dec 21 '18 at 3:48
@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."
– user71659
Dec 21 '18 at 3:48
|
show 23 more comments
This is completely insecure and personally, I wouldn't supply the info.
As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.
If you must do this, some options:
- see if you can pay in person.
- create a temporary credit card number with a very low limit (some cc's offer this feature)
- pay by cash.
1
Do they really need your personal bank account number? ACH fraud is really dangerous.
– trognanders
Dec 21 '18 at 20:56
1
@trognanders, good info, removed the check comment!
– James
Dec 22 '18 at 16:10
add a comment |
This is completely insecure and personally, I wouldn't supply the info.
As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.
If you must do this, some options:
- see if you can pay in person.
- create a temporary credit card number with a very low limit (some cc's offer this feature)
- pay by cash.
1
Do they really need your personal bank account number? ACH fraud is really dangerous.
– trognanders
Dec 21 '18 at 20:56
1
@trognanders, good info, removed the check comment!
– James
Dec 22 '18 at 16:10
add a comment |
This is completely insecure and personally, I wouldn't supply the info.
As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.
If you must do this, some options:
- see if you can pay in person.
- create a temporary credit card number with a very low limit (some cc's offer this feature)
- pay by cash.
This is completely insecure and personally, I wouldn't supply the info.
As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.
If you must do this, some options:
- see if you can pay in person.
- create a temporary credit card number with a very low limit (some cc's offer this feature)
- pay by cash.
edited Dec 22 '18 at 16:10
answered Dec 21 '18 at 15:14
JamesJames
32016
32016
1
Do they really need your personal bank account number? ACH fraud is really dangerous.
– trognanders
Dec 21 '18 at 20:56
1
@trognanders, good info, removed the check comment!
– James
Dec 22 '18 at 16:10
add a comment |
1
Do they really need your personal bank account number? ACH fraud is really dangerous.
– trognanders
Dec 21 '18 at 20:56
1
@trognanders, good info, removed the check comment!
– James
Dec 22 '18 at 16:10
1
1
Do they really need your personal bank account number? ACH fraud is really dangerous.
– trognanders
Dec 21 '18 at 20:56
Do they really need your personal bank account number? ACH fraud is really dangerous.
– trognanders
Dec 21 '18 at 20:56
1
1
@trognanders, good info, removed the check comment!
– James
Dec 22 '18 at 16:10
@trognanders, good info, removed the check comment!
– James
Dec 22 '18 at 16:10
add a comment |
Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.
Consider alternative payment options:
- Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card
- Cash (get a receipt though!)
- Prepaid Visa card.
They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.
2
+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.
– Beska
Dec 22 '18 at 18:17
add a comment |
Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.
Consider alternative payment options:
- Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card
- Cash (get a receipt though!)
- Prepaid Visa card.
They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.
2
+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.
– Beska
Dec 22 '18 at 18:17
add a comment |
Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.
Consider alternative payment options:
- Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card
- Cash (get a receipt though!)
- Prepaid Visa card.
They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.
Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.
Consider alternative payment options:
- Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card
- Cash (get a receipt though!)
- Prepaid Visa card.
They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.
answered Dec 21 '18 at 20:52
trognanderstrognanders
54336
54336
2
+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.
– Beska
Dec 22 '18 at 18:17
add a comment |
2
+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.
– Beska
Dec 22 '18 at 18:17
2
2
+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.
– Beska
Dec 22 '18 at 18:17
+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.
– Beska
Dec 22 '18 at 18:17
add a comment |
Thanks for contributing an answer to Personal Finance & Money Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmoney.stackexchange.com%2fquestions%2f103121%2fdo-institutions-have-right-to-ask-for-your-credit-card-security-code-and-all-oth%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
30
Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?
– yoozer8
Dec 20 '18 at 12:53
5
It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.
– lukkea
Dec 20 '18 at 17:35
1
Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.
– corsiKa
Dec 21 '18 at 22:13
Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.
– MooseBoys
Dec 21 '18 at 23:30
1
While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?
– krubo
Dec 22 '18 at 17:50