Many local businesses are putting South African credit card users at risk by recording their personal details along with their credit card number and CVV code.
A recent investigation by MyBroadband revealed that numerous companies in the travel and tourism industry demand this information from clients when they visit these businesses.
The companies which demanded both credit card numbers and CVV codes for bookings include hotels and car rental companies.
In one case, this information was written down on a printed form and stored in an area which was easily accessible to all staff.
The investigation involved six separate trips, and in two of these cases credit card details were stolen and fraudulent transactions were performed using this information.
This should never happen – Sabric
South African Banking Risk Information Centre (Sabric) CEO Kalyani Pillay said consumers should never be asked for their CVV code.
Professor Basie Von Solms, Director of the Centre for Cyber Security at the University of Johannesburg, has even advised consumers to scratch out the CVV number to avoid fraud.
Pillay told MyBroadband that a CVV number should only be provided on a secure website when you are transacting online.
She added that consumers should refuse to provide their credit card details along with their CVV number to businesses.
“SABRIC always warns bank customers to keep their personal and banking information confidential at all times. This is the golden rule,” said Pillay.
She added that most merchants have point of sale (POS) devices to enable a pre-authorisation – which would not require the CVV number to be provided.
Pillay said when a business insists on recording these details, a consumer will have to assess the risk themselves when deciding whether to provide this confidential information.
“It is definitely not a recommended practice,” Pillay said.
Why businesses insist on this information
Many of the businesses which asked for credit card and CVV details told MyBroadband it is not possible to use their service if you refuse to provide this information.
Two of these businesses – Europcar and Asara Wine Estate & Hotel – were asked why they require this information, but they did not answer questions regarding this issue.
These companies also did not comment on whether it is possible to use their services without providing this sensitive information.
The Queen Victoria Hotel, which also asked for this information, explained that there are certain instances in which it requests credit card information from guests.
“Card numbers are generally used along with ID to verify guests’ identity at check-in. The card number is input into a secure operating system which only displays the last few digits for verification purposes,” spokesperson Kathryn Jubber told MyBroadband.
“In most cases, CVV details are not required. Only in special circumstances would this information be requested and would then be obtained as per the guest’s consent.”
She added that guests are never obliged to provide these details.
“Should a guest prefer to make use of alternative payment methods to cover the cost of their accommodation or incidentals and extras, they are indeed able to do so and are required to make payment upfront,” Jubber said.
FNB and Capitec mum on this practice
Considering the risks which this practice holds for South African consumers, one would expect all banks to give strong guidance to their clients on this issue.
FNB, however, would not answer questions on this issue, referring all questions to the Payments Association of South Africa and Sabric.
Capitec also did not provide feedback on questions regarding this issue.
Other banks respond
Standard Bank concurred with SABRIC, saying physical stores should not be asking for the CVV code.
It explained that the card chip and POS are secure payment channels, which removes the need for a CVV code.
Nedbank said it encourages all clients to keep their card details safe when making purchases and to use secure card processing facilities as far as possible.
“It is also the merchant’s responsibility to manage and deal with card data in a responsible and safe manner, aligned to card association guidelines and payment card industry requirements,” Nedbank said.
Absa acknowledged that while some merchants still follow this practice, the payments industry is driving towards a state where sensitive details are no longer recorded in this manner.
“The merchant business model drives the need for which card data must be on hand – i.e. to be used later for refunds or additional deductions,” it said.
It added that the prevalence of this business practice has reduced sharply over the last few years, with strict compliance measures put in place by industry bodies such as IATA.