Jeffh.net

Well it has been a while since I have posted anything.  I have been really busy this past month.  I was promoted to the  IT security  manager  at my current employer.   I am now dealing with IT security almost full time, they still need to fill my vacant position.  So I am much happier now not having to deal with a lot of the boring mundane task, and now instead get to do what I love, security.

I was reading another blog security blog entry and it got me thinking.  Why do POS systems have to store credit card numbers?  There really is no rational reason that I can think of.  I have had quite a bit of experience with a POS POS system (note that isn’t a mistake only 1 POS means Point of Sales).   The way credit card transactions work is that the stores POS system calls a card processing system.  The stores computer then asks the card processors computer if this credit card has enough money to cover this purchase.  If it does then it “reserves” these funds for the store for some time period and gives the store a magic approval number, no actual money is taken at that time.  I don’t know exactly why they do this, my guess is that they reserve a slightly higher amount of money than is actually needed so that it can be adjusted down if the transaction needs to be modified, IE you give the waiter a tip or you decide you really don’t want to buy that Iphone.

The store will then within a day or two do a batch settlement transaction where the store goes back to the card processor and says yes all these transactions really did happen so send us money.

So the only point in that process where the store actually needs the credit card number is the first transaction to the card processor.  After that the store could just use the unique authorization number to identify the transaction.  So now a hacker could still get credit card numbers but only in real time sniffing all the transactions as they go instead of the cue de gra 18 months or more that they currently can get if they hack into a POS system.