Do institutions have right to ask for your credit card security code and all other CC data?












38















A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?



enter image description here










share|improve this question


















  • 30





    Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?

    – yoozer8
    Dec 20 '18 at 12:53








  • 5





    It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.

    – lukkea
    Dec 20 '18 at 17:35






  • 1





    Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.

    – corsiKa
    Dec 21 '18 at 22:13











  • Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.

    – MooseBoys
    Dec 21 '18 at 23:30






  • 1





    While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?

    – krubo
    Dec 22 '18 at 17:50
















38















A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?



enter image description here










share|improve this question


















  • 30





    Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?

    – yoozer8
    Dec 20 '18 at 12:53








  • 5





    It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.

    – lukkea
    Dec 20 '18 at 17:35






  • 1





    Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.

    – corsiKa
    Dec 21 '18 at 22:13











  • Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.

    – MooseBoys
    Dec 21 '18 at 23:30






  • 1





    While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?

    – krubo
    Dec 22 '18 at 17:50














38












38








38


6






A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?



enter image description here










share|improve this question














A school wants my credit card data including a security code. They've sent me a form to fill in about my card. As I know security code is something that shouldn't be shared publicly. Should I provide it to them?



enter image description here







credit-card online-payment security electronic-payment






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 20 '18 at 11:51









GreenGreen

30436




30436








  • 30





    Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?

    – yoozer8
    Dec 20 '18 at 12:53








  • 5





    It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.

    – lukkea
    Dec 20 '18 at 17:35






  • 1





    Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.

    – corsiKa
    Dec 21 '18 at 22:13











  • Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.

    – MooseBoys
    Dec 21 '18 at 23:30






  • 1





    While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?

    – krubo
    Dec 22 '18 at 17:50














  • 30





    Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?

    – yoozer8
    Dec 20 '18 at 12:53








  • 5





    It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.

    – lukkea
    Dec 20 '18 at 17:35






  • 1





    Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.

    – corsiKa
    Dec 21 '18 at 22:13











  • Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.

    – MooseBoys
    Dec 21 '18 at 23:30






  • 1





    While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?

    – krubo
    Dec 22 '18 at 17:50








30




30





Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?

– yoozer8
Dec 20 '18 at 12:53







Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information?

– yoozer8
Dec 20 '18 at 12:53






5




5





It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.

– lukkea
Dec 20 '18 at 17:35





It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded.

– lukkea
Dec 20 '18 at 17:35




1




1





Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.

– corsiKa
Dec 21 '18 at 22:13





Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation.

– corsiKa
Dec 21 '18 at 22:13













Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.

– MooseBoys
Dec 21 '18 at 23:30





Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society.

– MooseBoys
Dec 21 '18 at 23:30




1




1





While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?

– krubo
Dec 22 '18 at 17:50





While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this?

– krubo
Dec 22 '18 at 17:50










5 Answers
5






active

oldest

votes


















50














It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.



Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.



The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).



In the process, they are violating the clear wording of the Visa rules:



enter image description here



enter image description here






share|improve this answer


























  • Comments are not for extended discussion; this conversation has been moved to chat.

    – JohnFx
    Dec 23 '18 at 3:40






  • 3





    To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).

    – IMSoP
    Dec 24 '18 at 12:15



















35














This violates PCI-DSS



They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.



Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.



This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.



All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.



Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.



They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.






share|improve this answer



















  • 9





    Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.

    – user71659
    Dec 21 '18 at 19:51











  • @user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.

    – Harper
    Dec 21 '18 at 20:33











  • Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.

    – Affe
    Dec 21 '18 at 23:56



















26














The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.



If you want to pay for this service with your credit card, then yes, you should provide them with this code.



An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.



When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.






share|improve this answer





















  • 13





    Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).

    – Gainz
    Dec 20 '18 at 12:47






  • 13





    "If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.

    – Ben Voigt
    Dec 20 '18 at 17:36






  • 5





    @BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.

    – Ben Miller
    Dec 20 '18 at 17:45






  • 22





    @BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.

    – SaSSafraS1232
    Dec 20 '18 at 21:30






  • 10





    @SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."

    – user71659
    Dec 21 '18 at 3:48





















7














This is completely insecure and personally, I wouldn't supply the info.



As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.



If you must do this, some options:




  • see if you can pay in person.

  • create a temporary credit card number with a very low limit (some cc's offer this feature)

  • pay by cash.






share|improve this answer





















  • 1





    Do they really need your personal bank account number? ACH fraud is really dangerous.

    – trognanders
    Dec 21 '18 at 20:56






  • 1





    @trognanders, good info, removed the check comment!

    – James
    Dec 22 '18 at 16:10



















5














Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.



Consider alternative payment options:




  1. Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card

  2. Cash (get a receipt though!)

  3. Prepaid Visa card.


They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.






share|improve this answer



















  • 2





    +1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.

    – Beska
    Dec 22 '18 at 18:17











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "93"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmoney.stackexchange.com%2fquestions%2f103121%2fdo-institutions-have-right-to-ask-for-your-credit-card-security-code-and-all-oth%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























5 Answers
5






active

oldest

votes








5 Answers
5






active

oldest

votes









active

oldest

votes






active

oldest

votes









50














It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.



Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.



The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).



In the process, they are violating the clear wording of the Visa rules:



enter image description here



enter image description here






share|improve this answer


























  • Comments are not for extended discussion; this conversation has been moved to chat.

    – JohnFx
    Dec 23 '18 at 3:40






  • 3





    To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).

    – IMSoP
    Dec 24 '18 at 12:15
















50














It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.



Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.



The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).



In the process, they are violating the clear wording of the Visa rules:



enter image description here



enter image description here






share|improve this answer


























  • Comments are not for extended discussion; this conversation has been moved to chat.

    – JohnFx
    Dec 23 '18 at 3:40






  • 3





    To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).

    – IMSoP
    Dec 24 '18 at 12:15














50












50








50







It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.



Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.



The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).



In the process, they are violating the clear wording of the Visa rules:



enter image description here



enter image description here






share|improve this answer















It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.



Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.



The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).



In the process, they are violating the clear wording of the Visa rules:



enter image description here



enter image description here







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 22 '18 at 17:44

























answered Dec 20 '18 at 17:42









Ben VoigtBen Voigt

1,6431115




1,6431115













  • Comments are not for extended discussion; this conversation has been moved to chat.

    – JohnFx
    Dec 23 '18 at 3:40






  • 3





    To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).

    – IMSoP
    Dec 24 '18 at 12:15



















  • Comments are not for extended discussion; this conversation has been moved to chat.

    – JohnFx
    Dec 23 '18 at 3:40






  • 3





    To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).

    – IMSoP
    Dec 24 '18 at 12:15

















Comments are not for extended discussion; this conversation has been moved to chat.

– JohnFx
Dec 23 '18 at 3:40





Comments are not for extended discussion; this conversation has been moved to chat.

– JohnFx
Dec 23 '18 at 3:40




3




3





To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).

– IMSoP
Dec 24 '18 at 12:15





To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of am e-commerce PDQ for convenience).

– IMSoP
Dec 24 '18 at 12:15













35














This violates PCI-DSS



They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.



Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.



This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.



All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.



Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.



They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.






share|improve this answer



















  • 9





    Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.

    – user71659
    Dec 21 '18 at 19:51











  • @user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.

    – Harper
    Dec 21 '18 at 20:33











  • Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.

    – Affe
    Dec 21 '18 at 23:56
















35














This violates PCI-DSS



They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.



Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.



This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.



All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.



Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.



They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.






share|improve this answer



















  • 9





    Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.

    – user71659
    Dec 21 '18 at 19:51











  • @user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.

    – Harper
    Dec 21 '18 at 20:33











  • Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.

    – Affe
    Dec 21 '18 at 23:56














35












35








35







This violates PCI-DSS



They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.



Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.



This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.



All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.



Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.



They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.






share|improve this answer













This violates PCI-DSS



They are only allowed to use security code or fullstripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.



Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.



This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.



All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.



Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.



They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 20 '18 at 21:41









HarperHarper

20.8k43168




20.8k43168








  • 9





    Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.

    – user71659
    Dec 21 '18 at 19:51











  • @user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.

    – Harper
    Dec 21 '18 at 20:33











  • Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.

    – Affe
    Dec 21 '18 at 23:56














  • 9





    Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.

    – user71659
    Dec 21 '18 at 19:51











  • @user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.

    – Harper
    Dec 21 '18 at 20:33











  • Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.

    – Affe
    Dec 21 '18 at 23:56








9




9





Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.

– user71659
Dec 21 '18 at 19:51





Incorrect. Words of PCI "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization.

– user71659
Dec 21 '18 at 19:51













@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.

– Harper
Dec 21 '18 at 20:33





@user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case.

– Harper
Dec 21 '18 at 20:33













Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.

– Affe
Dec 21 '18 at 23:56





Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed.

– Affe
Dec 21 '18 at 23:56











26














The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.



If you want to pay for this service with your credit card, then yes, you should provide them with this code.



An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.



When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.






share|improve this answer





















  • 13





    Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).

    – Gainz
    Dec 20 '18 at 12:47






  • 13





    "If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.

    – Ben Voigt
    Dec 20 '18 at 17:36






  • 5





    @BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.

    – Ben Miller
    Dec 20 '18 at 17:45






  • 22





    @BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.

    – SaSSafraS1232
    Dec 20 '18 at 21:30






  • 10





    @SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."

    – user71659
    Dec 21 '18 at 3:48


















26














The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.



If you want to pay for this service with your credit card, then yes, you should provide them with this code.



An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.



When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.






share|improve this answer





















  • 13





    Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).

    – Gainz
    Dec 20 '18 at 12:47






  • 13





    "If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.

    – Ben Voigt
    Dec 20 '18 at 17:36






  • 5





    @BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.

    – Ben Miller
    Dec 20 '18 at 17:45






  • 22





    @BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.

    – SaSSafraS1232
    Dec 20 '18 at 21:30






  • 10





    @SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."

    – user71659
    Dec 21 '18 at 3:48
















26












26








26







The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.



If you want to pay for this service with your credit card, then yes, you should provide them with this code.



An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.



When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.






share|improve this answer















The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.



If you want to pay for this service with your credit card, then yes, you should provide them with this code.



An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.



When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 20 '18 at 12:47

























answered Dec 20 '18 at 12:09









Ben MillerBen Miller

77.3k19210277




77.3k19210277








  • 13





    Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).

    – Gainz
    Dec 20 '18 at 12:47






  • 13





    "If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.

    – Ben Voigt
    Dec 20 '18 at 17:36






  • 5





    @BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.

    – Ben Miller
    Dec 20 '18 at 17:45






  • 22





    @BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.

    – SaSSafraS1232
    Dec 20 '18 at 21:30






  • 10





    @SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."

    – user71659
    Dec 21 '18 at 3:48
















  • 13





    Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).

    – Gainz
    Dec 20 '18 at 12:47






  • 13





    "If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.

    – Ben Voigt
    Dec 20 '18 at 17:36






  • 5





    @BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.

    – Ben Miller
    Dec 20 '18 at 17:45






  • 22





    @BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.

    – SaSSafraS1232
    Dec 20 '18 at 21:30






  • 10





    @SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."

    – user71659
    Dec 21 '18 at 3:48










13




13





Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).

– Gainz
Dec 20 '18 at 12:47





Good answer, altough I wonder why this school is still using paper to process credit card payment. Online payments on secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment).

– Gainz
Dec 20 '18 at 12:47




13




13





"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.

– Ben Voigt
Dec 20 '18 at 17:36





"If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card.

– Ben Voigt
Dec 20 '18 at 17:36




5




5





@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.

– Ben Miller
Dec 20 '18 at 17:45





@BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge.

– Ben Miller
Dec 20 '18 at 17:45




22




22





@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.

– SaSSafraS1232
Dec 20 '18 at 21:30





@BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them.

– SaSSafraS1232
Dec 20 '18 at 21:30




10




10





@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."

– user71659
Dec 21 '18 at 3:48







@SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words "Never retain full-track, magnetic-stripe, CVV2*, and chip data subsequent to transaction authorization." As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions."

– user71659
Dec 21 '18 at 3:48













7














This is completely insecure and personally, I wouldn't supply the info.



As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.



If you must do this, some options:




  • see if you can pay in person.

  • create a temporary credit card number with a very low limit (some cc's offer this feature)

  • pay by cash.






share|improve this answer





















  • 1





    Do they really need your personal bank account number? ACH fraud is really dangerous.

    – trognanders
    Dec 21 '18 at 20:56






  • 1





    @trognanders, good info, removed the check comment!

    – James
    Dec 22 '18 at 16:10
















7














This is completely insecure and personally, I wouldn't supply the info.



As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.



If you must do this, some options:




  • see if you can pay in person.

  • create a temporary credit card number with a very low limit (some cc's offer this feature)

  • pay by cash.






share|improve this answer





















  • 1





    Do they really need your personal bank account number? ACH fraud is really dangerous.

    – trognanders
    Dec 21 '18 at 20:56






  • 1





    @trognanders, good info, removed the check comment!

    – James
    Dec 22 '18 at 16:10














7












7








7







This is completely insecure and personally, I wouldn't supply the info.



As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.



If you must do this, some options:




  • see if you can pay in person.

  • create a temporary credit card number with a very low limit (some cc's offer this feature)

  • pay by cash.






share|improve this answer















This is completely insecure and personally, I wouldn't supply the info.



As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.



If you must do this, some options:




  • see if you can pay in person.

  • create a temporary credit card number with a very low limit (some cc's offer this feature)

  • pay by cash.







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 22 '18 at 16:10

























answered Dec 21 '18 at 15:14









JamesJames

32016




32016








  • 1





    Do they really need your personal bank account number? ACH fraud is really dangerous.

    – trognanders
    Dec 21 '18 at 20:56






  • 1





    @trognanders, good info, removed the check comment!

    – James
    Dec 22 '18 at 16:10














  • 1





    Do they really need your personal bank account number? ACH fraud is really dangerous.

    – trognanders
    Dec 21 '18 at 20:56






  • 1





    @trognanders, good info, removed the check comment!

    – James
    Dec 22 '18 at 16:10








1




1





Do they really need your personal bank account number? ACH fraud is really dangerous.

– trognanders
Dec 21 '18 at 20:56





Do they really need your personal bank account number? ACH fraud is really dangerous.

– trognanders
Dec 21 '18 at 20:56




1




1





@trognanders, good info, removed the check comment!

– James
Dec 22 '18 at 16:10





@trognanders, good info, removed the check comment!

– James
Dec 22 '18 at 16:10











5














Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.



Consider alternative payment options:




  1. Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card

  2. Cash (get a receipt though!)

  3. Prepaid Visa card.


They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.






share|improve this answer



















  • 2





    +1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.

    – Beska
    Dec 22 '18 at 18:17
















5














Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.



Consider alternative payment options:




  1. Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card

  2. Cash (get a receipt though!)

  3. Prepaid Visa card.


They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.






share|improve this answer



















  • 2





    +1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.

    – Beska
    Dec 22 '18 at 18:17














5












5








5







Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.



Consider alternative payment options:




  1. Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card

  2. Cash (get a receipt though!)

  3. Prepaid Visa card.


They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.






share|improve this answer













Placing all of the information required to authorize a card not present transaction on a paper form that will be subject to potential mail theft of skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.



Consider alternative payment options:




  1. Money order/cashiers check. Do not give them a personal check, the numbers on the bottom are much more dangerous than the CVV2 code on a credit card

  2. Cash (get a receipt though!)

  3. Prepaid Visa card.


They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 21 '18 at 20:52









trognanderstrognanders

54336




54336








  • 2





    +1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.

    – Beska
    Dec 22 '18 at 18:17














  • 2





    +1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.

    – Beska
    Dec 22 '18 at 18:17








2




2





+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.

– Beska
Dec 22 '18 at 18:17





+1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change.

– Beska
Dec 22 '18 at 18:17


















draft saved

draft discarded




















































Thanks for contributing an answer to Personal Finance & Money Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmoney.stackexchange.com%2fquestions%2f103121%2fdo-institutions-have-right-to-ask-for-your-credit-card-security-code-and-all-oth%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

RAC Tourist Trophy