
Lesson from the Schnucks Breach

Ever wonder why Sync Payments terminal programs, by default, prompt the merchant to enter in the last four digits of the card number?

If the merchant does NOT enter the last four, and a fake card is used to make a purchase, that merchant is likely to absorb the loss (versus the merchant from whom the card was stolen).

 In the recent Schnucks breach, it seems that the perpetrators stole card numbers by creating code to capture the mag-stripe data.  This data is then sold to other perps who “re-create” a mag-stripe on a different card.  Sometimes, the card they use is a legitimate bank-issued card that might have expired.  But, the point is, the card that the perps use looks and feels real – because IT IS!   They simply re-encode the mag-stripe with the stolen card data without the cardholder ever being the wiser.  The perps then go purchase goods using the card they encoded with the stolen data.  Meanwhile, the real owner of the card has no idea that the card number has been stolen because it is still safely tucked in their wallet.

This just happened to me. And I shop at the Schnucks in Des Peres. My card issuer recently called me and asked if I used my card at Wal-Mart in Michigan. I said no and I asked if the card was swiped there and they said yes. Wal-Mart didn’t ask the cardholder to see the card. If they had, they would have entered in the last four digits embossed on the card and the system would decline the transaction on the grounds that the card number embossed on the card did not match the card number encoded on the mag-stripe. As a result, Wal-Mart will get the fraudulent purchases charged back to them versus the charges being charged back to Schnucks.

Merchants may ask to remove the last four-digit verification to make the transaction more convenient for the cardholder and to make the checkout process quicker. When they make this request, they are accepting the risk that the cards they take may not be legitimate.
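The last-four check described above, sketched as an added example (this is not Sync Payments' terminal code). It assumes the swipe yields ISO/IEC 7813 Track 2 data; the function names, the `require_last4` switch and the sample track are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")

def pan_from_track2(track2):
    """Return the card number encoded on the stripe, or None if malformed."""
    m = TRACK2.match(track2.strip())
    return m.group(1) if m else None

def check_swipe(track2, keyed_last4, require_last4=True):
    """Decide whether a swiped card may go on to authorization.

    keyed_last4 is what the clerk reads off the embossed card face.
    Returns (proceed, reason).
    """
    pan = pan_from_track2(track2)
    if pan is None:
        return False, "unreadable track data"
    if not require_last4:
        # Prompt removed for a quicker checkout: a re-encoded stripe is
        # never compared with the plastic it was written onto.
        return True, "last-four check disabled"
    if not re.fullmatch(r"\d{4}", keyed_last4 or ""):
        return False, "last four digits not entered"
    if pan[-4:] == keyed_last4:
        return True, "embossed digits match stripe"
    return False, "embossed digits do not match stripe"

# Constructed sample: a well-known test card number, not real card data.
SAMPLE_STRIPE = ";4111111111111111=25121010000000000?"

if __name__ == "__main__":
    # Stripe and plastic agree; plastic differs (re-encoded card); prompt disabled.
    for keyed, required in (("1111", True), ("0004", True), ("", False)):
        print(keyed or "-", required, check_swipe(SAMPLE_STRIPE, keyed, required))
```
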

Do not underestimate the value of PCI and PCI-DSS compliance!
