Just to add another thread on credit card security, I wondered what thoughts
there might be about this.

I went to PC World (yeah, I know) to pick up an item I'd reserved on their
website.

There was a chip'n'pin keypad there, but when I tried to stick the card in
the assistant wanted to take the card from me with with the intention of
swiping it through a separate device which was also sitting on the counter.

I said that if they put the entire magstripe through that or any device,
then I wouldn't be prepared to input the PIN and they'd have to take a
signature. This offer was refused. I explained about the risk (from my
P.O.V.) of card cloning, but this was met with bemused indifference.

Interestingly, he said that all the chip readers in the keypads had been
disabled and replaced by these additional devices, throughout all PC
World stores, at head office behest, and that this was due to instances of
fraud, which I presume must have involved the keypads.

A supervisor (or manager) was called, and I explained the problem again,
perhaps not very well, as they seemed to think I would be reassured by the
prospect that I *would* have to enter my PIN (on the keypad device into
which I wasn't allowed to insert my card), and that the swipe device also
had a chip reader in it (which I did not really doubt, but it wasn't the
point).

They did let me stick the chip into the keypad, and it had no effect on the
LCD display, so I have little doubt the chip reader had been disabled.

They tried to allay my concerns about fraud by saying that that would
require someone working in the store to be complicit. I said that, whether
or not that was true, it didn't cut any ice because they had already
explained that the whole reason for disabling the chip reader in the keypads
was due to fraud -- why wouldn't the same argument apply?

Anyway, they refused to take a signature in lieu of PIN, and I refused to
let them take the card for swiping.

So, was I being churlish in not letting them swipe the card?

I'd like to get Barclaycard's opinion, but it's an 0844 number to call, and
the 'secure message' facility on the website simply doesn't work. (Perhaps
the latter is something to do with the former!)

"Clifford Frisby" wrote in message
...

(snip)

I'd like to get Barclaycard's opinion, but it's an 0844 number to call,
and
the 'secure message' facility on the website simply doesn't work. (Perhaps
the latter is something to do with the former!)

http://www.barclaycard.co.uk/persona...-us/index.html

In message , Up Yours!
writes

"Clifford Frisby" wrote in message
...

(snip)

I'd like to get Barclaycard's opinion, but it's an 0844 number to
call, and
the 'secure message' facility on the website simply doesn't work. (Perhaps
the latter is something to do with the former!)

http://www.barclaycard.co.uk/persona...e/email-us/ind
ex.html

"Sorry the page you requested is no longer available"

It's all a conspiracy!
--
Gordon H
Remove "invalid" to reply

Up Yours! wrote:


"Clifford Frisby" wrote in message
...

(snip)

I'd like to get Barclaycard's opinion, but it's an 0844 number to call,
and
the 'secure message' facility on the website simply doesn't work.
(Perhaps the latter is something to do with the former!)


http://www.barclaycard.co.uk/persona...-us/index.html

Aha! You've found the 'insecure' message facility. Didn't know about that
one. At least that means there might be a cost-free method of telling them
that the 'secure' message facility is broken (assuming this one works any
better of course)!

Mind you, it gets on my goat the way these organisations won't provide an
email address, expect me to use their form (which leaves me no automatic
record of what I wrote, and invariably has a daft ceiling on message
length) and yet force me to supply *my* email address in order to stand any
chance of getting a reply.

Clifford Frisby wrote:
Anyway, they refused to take a signature in lieu of PIN, and I refused to
let them take the card for swiping.

So, was I being churlish in not letting them swipe the card?

No, I don't think so. The only thing the PIN gets used for in connection
with magstripe is an ATM transaction, which you very plainly weren't doing.

I'm surprised the terminal would even ask for a PIN, if it has no chip to
send it to.

Theo

"Clifford Frisby" wrote in message
...
Anyway, they refused to take a signature in lieu of PIN, and I refused to
let them take the card for swiping.

This has been the situation in PC World, and a number of other shops, for
quite some time. It`s never bothered me because I use a chip&signature
card.

On 2 Feb, 18:10, "Simon Finnigan" wrote:
"Clifford Frisby" wrote in message

...

Anyway, they refused to take a signature in lieu of PIN, and I refused to
let them take the card for swiping.

This has been the situation in PC World, and a number of other shops, for
quite some time. *It`s never bothered me because I use a chip&signature
card.

When Chip-and-PIN first appeared, Sainsbury's used to do something
behind the scenes with the card and you entered the PIN on the pad. I
never saw whether they swiped the card or had a slave reader. It was
all too new to be suspicious of what was going on. Nowadays you insert
the card in the reader yourself. I think there was an intermediate
period where it was done either way according to the whim of the
cashier, phase of the moon, ...?

ISTR that there was a batch of card readers that had been got at at
the factory in China and sent off your details to cloners. Perhaps PC
World et al got hit by them and the two-part reader makes it more
difficult for the crooks.

Chris

Theo Markettos wrote:

Clifford Frisby wrote:
Anyway, they refused to take a signature in lieu of PIN, and I refused to
let them take the card for swiping.

So, was I being churlish in not letting them swipe the card?

No, I don't think so. The only thing the PIN gets used for in connection
with magstripe is an ATM transaction, which you very plainly weren't
doing.

I'm surprised the terminal would even ask for a PIN, if it has no chip to
send it to.


I've seen it before, so I wasn't surprised in that sense. On the other hand,
I'm surprised that it's so easy to construct, legitimately, these Heath
Robinson arrangements, given that we are all supposed to be alert to such
fishiness. (There must be a joke about fish and chips in there somewhere.)

Theo

wrote:

On 2 Feb, 18:10, "Simon Finnigan" wrote:
"Clifford Frisby" wrote in message

...

Anyway, they refused to take a signature in lieu of PIN, and I refused
to let them take the card for swiping.

This has been the situation in PC World, and a number of other shops, for
quite some time. Â*It`s never bothered me because I use a chip&signature
card.

When Chip-and-PIN first appeared, Sainsbury's used to do something
behind the scenes with the card and you entered the PIN on the pad. I
never saw whether they swiped the card or had a slave reader. It was
all too new to be suspicious of what was going on. Nowadays you insert
the card in the reader yourself. I think there was an intermediate
period where it was done either way according to the whim of the
cashier, phase of the moon, ...?


I recall that Tesco, up until a few years ago, insisted on you letting the
cashier swipe the card through a magstripe slot (presumably with a chip
reader at the bottom end) built into the cashier's console. You then were
expected to enter your PIN on a typical chip'n'pin keypad.

The difference in contrast to PC World, was that if you complained, Tesco
always accepted a signature instead. Also, in PC World, the device they put
the card into was just some free-standing monolith on the desk.

ISTR that there was a batch of card readers that had been got at at
the factory in China and sent off your details to cloners. Perhaps PC
World et al got hit by them and the two-part reader makes it more
difficult for the crooks.

Maybe, and that might be just hunky-dory from PC Worlds POV. From the
cardholders perspective, having to insert only about one-third of the card
into a device provides confidence that the magstripe won't have been read,
whereas watching it being swiped through a magstripe reader doesn't.


Chris

Up Yours! wrote:


"Clifford Frisby" wrote in message
...

(snip)

I'd like to get Barclaycard's opinion, but it's an 0844 number to call,
and
the 'secure message' facility on the website simply doesn't work.
(Perhaps the latter is something to do with the former!)


http://www.barclaycard.co.uk/persona...-us/index.html

Well, I got a reply after a couple of days from that 'non-secure' messaging
form

Basically, it says I need to resubmit the question through the 'secure'
message form (yep -- the one which doesn't work), in order to keep my
account details secure (oh!, the irony). Or phone the 0844 number (is
*this* secure?). Or send a letter (ditto).

I don't see my account details are irrelevant to the question or its answer.