xpd:
I checked all my emails with them over past year, and NONE have shown CVV or anything else I'm concerned over.
Likewise, the one time I used a card because it was too much for zip, it just had first 6 and last 2 and expiry. If they have CVV on their system tho they need the book thrown at them.
xpd:
I checked all my emails with them over past year, and NONE have shown CVV or anything else I'm concerned over.
I thought this was explained already - perhaps someone entered the number in the name field?
Please support Geekzone by subscribing, or using one of our referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSync
1024kb:
I'm amazed that they even retain any credit card information at all - they don't need it. I mean, now that you've taken all this information & stored it in your state of the art plain-text database, what do you plan on doing with it? Are you going to use it for more purchases somewhere else? Or?
I've been the vendor in hundreds of commercial online transactions, selling digital products worldwide. My database does not even have a field for CC entry, I have not captured CC details of any customer ever. I wouldn't have a clue whether or not a returning customer used the same card as last time - because I don't care, it's none of my business.
All the vendor needs to record is that they got paid - & it's the bank that tells them that. Which card paid them is irrelevant, if the bank accepts the transaction then the vendor gets paid - end of story.
The vendor's website hosts a secure gateway that enables the client to talk direct to their bank (in private!) so that they can authorize a payment from that bank to the vendor. Bank checks that the customer is legit & funds are available then fires off a confirmation to the vendor that payment is approved & has been made.
Where does credit card detail capture / retention fit into that procedure? It doesn't.
What could possibly go wrong?
It's databases like these that provide outlaw employees or hackers with a steady income stream as they feed those high-quality details to resellers on carding sites.
Even if it's not intentionally put in a database there is a good chance that one of the advertising or tracking scripts on their own payment page has done something with it, or else they have misconfigured logging and it's been put in a plain text log somewhere that was turned on for debugging by someone once and forgotten about.
I really don't trust sites that host the payment form on their own site, or put an iframe from a payment provider onto their site.
Why iframes ever became acceptable for that sort of thing escapes me since it would be trivial for a compromised crap ecommerce website to just replace the iframe with a lookalike and there are no signs of that as any source information for the user as to where the page came from or where it submits to. All the iframe protection crap in the browser means nothing if someone just changes the real gateway to a fake lookalike.
freitasm:
I thought this was explained already - perhaps someone entered the number in the name field?
Yea, been through all my warehouse emails and no addition of a CVV
Are you able to share a screenshot?
Detruire:
My TW confirmation emails show (partial) number/name/expiry, so I think it's more likely that the CVV was in both fields. While an incorrect CVV leads to a failed payment, an incorrect name doesn't seem to matter (in most cases) IME: I usually put my initials in the name field, and I've only had a few payments denied (seemingly) because of this.
It's worth noting that the CVV is not actually required to process a card (ever noticed that when you give your card over the phone, merchants don't always ask for the CVV?). The way it works is that the CVV is not required to be provided, but if it is provided it must be correct. It is not entirely impossible that the two fields were in fact flipped in the data entry process somehow, and the alpha characters failed to save into the CVV field - meaning that the charge would have been submitted without a CVV, something which TWL is likely to be permitted to do due to their size.
Can you make some sort of FOIA / credit report request with TWL asking them to provide you with all the details they have on record linked to your person? If they provide you with that data, search for your CC details?
Please keep this GZ community vibrant by contributing in a constructive & respectful manner.
ANglEAUT:
Can you make some sort of FOIA / credit report request with TWL asking them to provide you with all the details they have on record linked to your person? If they provide you with that data, search for your CC details?
Yes. Office of the Privacy Commissioner | Your privacy rights
Also Office of the Privacy Commissioner | AboutMe (Request My Info Tool)