4

A company I used to work for is passing customers' personal details as well as card data (number, expiration date, name, CVV2 and the contents of the magstripe, thanks to a reader) through Windows XP POS machines with Internet Explorer 8, Flash, Silverlight and Java with pretty much unrestricted internet access (used on a daily basis by the employees to look up information on Google).

Note that payments are handled separately by card terminals provided by a bank (which I believe are secure enough), but nevertheless the procedure is to first swipe the customer's card through the POS machine, possibly for analytics. When selling some specific products a credit check is required, which also asks for the customer's details and more card info like the CVV2.

I believe this is pure madness, but I would like to ask for experts' advice: am I overreacting, or are there specific circumstances that I overlooked that would make this safe? And if I am correct, who should I report this to?

André Borie
  • It's a great question, but it's been asked before. Unfortunately, there is no good answer. – John Deters Mar 28 '16 at 01:29
  • @JohnDeters my question is a bit different though, I am also asking whether I am just overreacting, since it honestly surprises me that one of the largest UK telecom companies would be doing this. – André Borie Mar 28 '16 at 01:33
  • I don't think you're overreacting at all. I also have some retailers who are obviously storing data they shouldn't be, and I would like to report them as well, but I haven't found a channel yet for doing so. – John Deters Mar 28 '16 at 01:43
  • Just an update for anyone curious, about two months after this question was posted they finally upgraded to Windows 7 PoSReady, so they're at least improving. Outdated Java, Silverlight and Flash are still there though. – André Borie Aug 13 '16 at 04:29

0 Answers