I noticed the response below from Curve on the Apple AppStore and it got me wondering, if Curve don’t store card details on their database, then how do they charge my cards? Is there any information available on how Curve actually works? They have a lot of FAQs on their site but they’re very superficial when it comes to actual details.
Under section “Personal data we collect about you”:
Financial data - Details of the funding card(s) added to your Curve account, including:
16-digit card number;
card’s expiry date;
card’s CVV number;
card’s billing address.
So it sums it up. They store ALL the card data as far as I can see. I am too lazy to read all the stuff though
Found some articles that state something like this:
“CVV is prohibited by PCI Standards from being stored. For merchants who charge customers on a recurring basis, the CVV code can be used with the initial transaction but cannot be stored for future transactions.”
I have no idea if this is the case with Curve…but kinda scary right
Might be the reasoning behind Amex issues…dunno.
I am not sure if they are using tokenization. I think they are using plain encryption. Otherwise why would they state that they are storing (“Personal data we collect about you”) CVV number
I would guess that means storing the damn thing.
Maybe because just above the table where you pasted the data (including the CVV) from, it says:
“6. We also sometimes refer to “processing”. This means any operation we perform on your personal data, such as collection, organising, storing, updating, using, disclosing and deleting. When you become a Curve customer, we may process different kinds of personal data, which we have grouped together as follows:”
So I think processing the CVV once in order to get a auth token does make sense.
Seems like people always assume the worst here
I’m a merchant myself and I can tell you, even thou I process the CVC / CVV, it does not get stored in my system, therefore, I’m PCI compliance.
Still, I collect the CVC but it gets processed with my payment processor.
Every merchant who asks for the CVC passes that data along to the payment processor, so its possible that Curve does not store the CVC, but WireCard does.
So that all makes logical sense. They collect the full card details, process them to authorise future recurring transactions and then delete the CVV, leaving them PCI compliant and meaning they don’t store the ‘full card details’ as stated.
It does raise another question for me - if a transaction authorisation can be used repeatedly, what stops widespread fraud from companies you’ve previously bought from reusing old authorisations? All it would take is for some bankrupt small business owner to decide they’d rather be a rich criminal than broke and honest.
I can only talk from my POI as a merchant. If I charged a card from a customer, I’ll always be able to charge the card again even thou I haven’t saved any data but my payment processor has.
But it is strongly forbidden and illegal to charge a card without the approval of the card owner!
In your example, a corrupt small business owner:
He can charge any card at any time again. But he won’t get much out of it. First, the card owner can file a chargeback. If you receive a chargeback as a merchant and you fail to provide details that it was a legitimate charge, the merchant’s payment processor will return the funds and you as a merchant will have to pay a heavy chargeback fee.
Now lets go 1 step further with your example, the business owner is bankcrupt and there is nothing to “take back” from him.
First, as a merchant, you never (AFAIK) receive the funds the same day. Its not like PayPal, where you instantly receive the money and can spend it again.
With most payment processors your transactions are paid out after 3-4 weeks.
So this way, a payment processor has more than enough time to cut you off the payment network.
Furthermore, almost all payment processors require something called a “rolling reserve”, pretty much a deposit. Usually its 10% of the transaction which stays with the merchant’s payment processor for 180 days. This way the payment processor protects himself from chargebacks in case the merchant goes bankcrupt or flees the country or …
Additonally, keep in mind any payment processor will raise an eyebrow when you suddenly start charging more transactions than usually and they will pull the plug as soon as they receive several chargebacks.
So the entire system is “pretty safe”, but yes, you can charge any card at any time again. You don’t even need to swipe the card, you don’t even need the CVC or card owner name, I can charge any card I wish with just the card number and exp. date.
But its the same with direct debit, as a merchant all you need is the IBAN, then you can already charge that account via direct debit, but the account holder has a min. of 60days to have the money charged back.