Adobe ... why are you keeping my credit card number?

Started Oct 4, 2013 | Discussions
Shop cameras & lenses ▾
Jeff Veteran Member • Posts: 4,796
Adobe ... why are you keeping my credit card number?
12

Just got the note from Adobe saying that my password was reset.  Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions.  I've not joined any subscription service, in particular creative cloud.

So here's my question.  Why do you need to keep my credit card number in your database after the transaction has been completed?

This strikes me as the enormously irresponsible.  Am I off base?

IvanOlsen New Member • Posts: 13
Re: Adobe ... why are you keeping my credit card number?

That is a good question - when will we get the answer

Leon Wittwer Forum Pro • Posts: 13,074
Re: Adobe ... why are you keeping my credit card number?

I don't remember about Adobe specifically, but many vendors ask when I purchase something whether they should keep the credit card information.  This presumably expedites future purposes.  I generally do not let vendors store my info.

StrokerAce23 Regular Member • Posts: 371
Re: Adobe ... why are you keeping my credit card number?
2

This is super easy and solved with a little Google work.  Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

 StrokerAce23's gear list:StrokerAce23's gear list
Sony RX100 Sony RX1 Nikon D7100 Sigma 10-20mm F4-5.6 EX DC HSM Tokina AT-X Pro 50-135mm f/2.8 DX +2 more
Jeff OP Veteran Member • Posts: 4,796
Re: Adobe ... why are you keeping my credit card number?

StrokerAce23 wrote:

This is super easy and solved with a little Google work. Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

I'm asking a genuine question.  Seriously, do they have to keep a credit card number after the transaction has been completed?

(unknown member) Senior Member • Posts: 1,321
Re: Adobe ... why are you keeping my credit card number?

Jeff,

Yes, they do.

There's your answer.

 wchutt's gear list:wchutt's gear list
Fujifilm X-Pro1 Fujifilm X-T1 Fujifilm XF 18mm F2 R Fujifilm XF 35mm F1.4 R Fujifilm XF 14mm F2.8 R +20 more
Jeff OP Veteran Member • Posts: 4,796
Re: Adobe ... why are you keeping my credit card number?

wchutt wrote:

Jeff,

Yes, they do.

There's your answer.

Hmmm ... so with a little googling I find this

http://www.pcworld.com/article/2049320/5-tips-for-easy-pci-compliance.html

which advises merchants not to keep cardholder data.  Is there something you could point me to that indicates otherwise?

MichaelKJ Veteran Member • Posts: 3,426
Re: Adobe ... why are you keeping my credit card number?

Jeff wrote:

Just got the note from Adobe saying that my password was reset. Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions. I've not joined any subscription service, in particular creative cloud.

So here's my question. Why do you need to keep my credit card number in your database after the transaction has been completed?

This strikes me as the enormously irresponsible. Am I off base?

I use Citi's virtual credit card numbers because they expire after one month. This feature is also useful for services, such as Netflix, that force you to agree to automatic renewals.

Fortunately, US federal law limits your liability to $50, which is why banks frequently issue new credit cards to their customers when something like this happens.

 MichaelKJ's gear list:MichaelKJ's gear list
Sony Cyber-shot DSC-RX100 III Olympus PEN E-PL1 Olympus OM-D E-M5 +1 more
brianric Veteran Member • Posts: 6,094
Re: Adobe ... why are you keeping my credit card number?
2

wchutt wrote:

Jeff,

Yes, they do.

There's your answer.

No they don't.

 brianric's gear list:brianric's gear list
Sony RX100 Nikon D700 Panasonic Lumix DMC-G1 Nikon Df Fujifilm X-T1 +36 more
Erik Magnuson Forum Pro • Posts: 12,237
Re: Adobe ... why are you keeping my credit card number?
1

Jeff wrote:

which advises merchants not to keep cardholder data.

It only advises them to outsource that responsibility to a 3rd party processor.  If you are a small merchant, the higher fees you will pay for this type of service will be much less than the cost of compliance.  But if you are a large merchant, the opposite applies.

-- hide signature --

Erik

 Erik Magnuson's gear list:Erik Magnuson's gear list
Canon EOS 5D Mark II Canon EOS 450D Sigma SD10 Sony Alpha NEX-5 Nikon D3200 +28 more
Graham Meale
Graham Meale Senior Member • Posts: 1,383
Re: Adobe ... why are you keeping my credit card number?

I have been told when placing an order with certain businesses that I've previously dealt with that they are legally forbidden to keep credit card details.

-- hide signature --
 Graham Meale's gear list:Graham Meale's gear list
Canon EOS 5D Mark II Canon EOS 5D Mark III Canon EF 50mm f/1.8 II Canon EF 100mm f/2.8 Macro USM Canon EF 70-300mm f/4-5.6L IS USM +5 more
jfelbab Senior Member • Posts: 1,842
Re: Adobe ... why are you keeping my credit card number?
1

StrokerAce23 wrote:

This is super easy and solved with a little Google work. Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

No, they actually don't need to keep your credit card for discrete item purchases.

There are many, many companies that don't keep your card number unless you allow them to.  Just today, I ordered some items from LandEnd and they don't, Sears doesn't, Target doesn't and the list is countless. If you have any links that show a company is required to keep your CC number post them.  I'm sure all these companies would be happy to hear this news.

Also most CC companies allow temporary card numbers for on-line purchases.  These expire a short time after the transaction so fraud potential is minimized.

-- hide signature --

Jim
'There are no rules for good photographs, there are only good photographs.'
-- Ansel Adams

Roy Sletcher
Roy Sletcher Contributing Member • Posts: 929
Re: Adobe ... why are you keeping my credit card number?

Graham Meale wrote:

I have been told when placing an order with certain businesses that I've previously dealt with that they are legally forbidden to keep credit card details.

-- hide signature --

I think this may vary depending upon the jurisdiction.

A couple of years back I was registering for a photographic workshop at University of Massachusetts in Amherst. When I called back a day or so later to change some details and asked them to bill it to the same credit card as the original charges I was told the were forbidden to keep credit card details on file, and I had to repeat all the details again over the telephone. I think they said "illegal", but can't honestly recall.

Just saying! There seems to be some variation in interpretation here, and I can see the argument for both sides. However, if somebody elects to keep my personal details on file, then the onus should be on him to protect that information, or accept the ensuing liability if he screws up. Else we are going to see more and more of these security breeches if there is no accountability or consequences.

Roy Sletcher

PicOne
PicOne Veteran Member • Posts: 6,923
Re: Adobe ... why are you keeping my credit card number?

Graham Meale wrote:

I have been told when placing an order with certain businesses that I've previously dealt with that they are legally forbidden to keep credit card details.

-- hide signature --

I think this may vary depending upon the jurisdiction.

A couple of years back I was registering for a photographic workshop at University of Massachusetts in Amherst. When I called back a day or so later to change some details and asked them to bill it to the same credit card as the original charges I was told the were forbidden to keep credit card details on file, and I had to repeat all the details again over the telephone. I think they said "illegal", but can't honestly recall.

Just saying! There seems to be some variation in interpretation here, and I can see the argument for both sides. However, if somebody elects to keep my personal details on file, then the onus should be on him to protect that information, or accept the ensuing liability if he screws up. Else we are going to see more and more of these security breeches if there is no accountability or consequences.

Roy Sletcher

Generally what I'm thinking is that there is maybe a distinction between "keeping a card on file" and retaining records that may need to be kept to meet audit requirements. The former would relate to keeping card info accessible for future transactional needs, while the latter might be encrypted and "locked away" in the storage Vaults (so to speak).
--
'Everything in photography boils down to what's sharp and what's fuzzy.'
-Gaylord Herron

Promit Senior Member • Posts: 1,983
Re: Adobe ... why are you keeping my credit card number?

Jeff wrote:

Just got the note from Adobe saying that my password was reset. Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions. I've not joined any subscription service, in particular creative cloud.

So here's my question. Why do you need to keep my credit card number in your database after the transaction has been completed?

Everyone else in this thread is missing the point.

Your credit card number may have been accessed. Everybody with an Adobe account got the exact same letter. Cloud users, non Cloud users, whatever. They may or may not actually have your card on file, they're not customizing this message specifically for your situation and account. I got the message for an account that has NO purchase history, and I got it for an account that is signed onto Cloud too.

What the message says is that they were compromised and sensitive financial details were leaked. Yours may be among them. It may not. They are unable or unwilling to say the extent of the damage, so the easy approach is just to tell everyone the same exact warning to watch their accounts etc.

Additionally note that transaction histories frequently include partial numbers (last 4 digits is very common) and that's often unencrypted plaintext. It's printed on practically every receipt you get with a credit card purchase, but there are situations in which that data can be exploited.

 Promit's gear list:Promit's gear list
Sony a77 II Sony Alpha 7R II Panasonic Lumix G 20mm F1.7 ASPH Sony 24-70mm F2.8 ZA SSM Carl Zeiss Vario-Sonnar T* Tokina AT-X Pro 11-16mm f/2.8 DX +11 more
PicOne
PicOne Veteran Member • Posts: 6,923
Re: Adobe ... why are you keeping my credit card number?

jfelbab wrote:

StrokerAce23 wrote:

This is super easy and solved with a little Google work. Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

No, they actually don't need to keep your credit card for discrete item purchases.

There are many, many companies that don't keep your card number unless you allow them to. Just today, I ordered some items from LandEnd and they don't, Sears doesn't, Target doesn't and the list is countless. If you have any links that show a company is required to keep your CC number post them. I'm sure all these companies would be happy to hear this news.

So if you return an item purchased from these establishments, you evidently get a check in the mail?

Also most CC companies allow temporary card numbers for on-line purchases. These expire a short time after the transaction so fraud potential is minimized.

-- hide signature --

Jim
'There are no rules for good photographs, there are only good photographs.'
-- Ansel Adams

-- hide signature --

'Everything in photography boils down to what's sharp and what's fuzzy.'
-Gaylord Herron

Chris Dubea Senior Member • Posts: 1,718
Re: Adobe ... why are you keeping my credit card number?
1

Promit wrote:

Everyone else in this thread is missing the point.

Your credit card number may have been accessed. Everybody with an Adobe account got the exact same letter. Cloud users, non Cloud users, whatever. They may or may not actually have your card on file, they're not customizing this message specifically for your situation and account. I got the message for an account that has NO purchase history, and I got it for an account that is signed onto Cloud too.

What the message says is that they were compromised and sensitive financial details were leaked. Yours may be among them. It may not. They are unable or unwilling to say the extent of the damage, so the easy approach is just to tell everyone the same exact warning to watch their accounts etc.

Additionally note that transaction histories frequently include partial numbers (last 4 digits is very common) and that's often unencrypted plaintext. It's printed on practically every receipt you get with a credit card purchase, but there are situations in which that data can be exploited.

I called my credit card provider about this yesterday. They checked and said they had not been notified about the breach. The operator said the vendor is legally required to alert credit card companies in the event of a breach.

I'm not certain what this does or doesn't tell us.

Interesting,

-- hide signature --

Chris

Leon Wittwer Forum Pro • Posts: 13,074
Re: Adobe ... why are you keeping my credit card number?

PicOne wrote:

So if you return an item purchased from these establishments, you evidently get a check in the mail?

No, you would most likely have to give them the card details again to get the refund to the card.

Jeff OP Veteran Member • Posts: 4,796
Re: Adobe ... why are you keeping my credit card number?

Promit wrote:

Jeff wrote:

Just got the note from Adobe saying that my password was reset. Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions. I've not joined any subscription service, in particular creative cloud.

So here's my question. Why do you need to keep my credit card number in your database after the transaction has been completed?

Everyone else in this thread is missing the point.

Your credit card number may have been accessed. Everybody with an Adobe account got the exact same letter. Cloud users, non Cloud users, whatever. They may or may not actually have your card on file, they're not customizing this message specifically for your situation and account. I got the message for an account that has NO purchase history, and I got it for an account that is signed onto Cloud too.

What the message says is that they were compromised and sensitive financial details were leaked. Yours may be among them. It may not. They are unable or unwilling to say the extent of the damage, so the easy approach is just to tell everyone the same exact warning to watch their accounts etc.

Yea, that's probably true. And disappointing. It would be a simple database check to say whether or not they have my credit card number on file.  They're holding themselves to a pretty minimal standard of service to their customers, which seems consistent with many of their other actions in last few years.

Additionally note that transaction histories frequently include partial numbers (last 4 digits is very common) and that's often unencrypted plaintext. It's printed on practically every receipt you get with a credit card purchase, but there are situations in which that data can be exploited.

PicOne
PicOne Veteran Member • Posts: 6,923
Re: Adobe ... why are you keeping my credit card number?

Leon Wittwer wrote:

PicOne wrote:

So if you return an item purchased from these establishments, you evidently get a check in the mail?

No, you would most likely have to give them the card details again to get the refund to the card.

Hmmm, most online sellers generally include those "easy return" forms where you simply state the reason, use the label they supply you in the shipment and you're done.   I don't recall filling in CC info on these return forms.

-- hide signature --

'Everything in photography boils down to what's sharp and what's fuzzy.'
-Gaylord Herron

Keyboard shortcuts:
FForum MMy threads