Adobe ... why are you keeping my credit card number?

Started 11 months ago | Discussions
Jeff
Veteran MemberPosts: 4,470
Like?
Adobe ... why are you keeping my credit card number?
11 months ago

Just got the note from Adobe saying that my password was reset.  Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions.  I've not joined any subscription service, in particular creative cloud.

So here's my question.  Why do you need to keep my credit card number in your database after the transaction has been completed?

This strikes me as the enormously irresponsible.  Am I off base?

IvanOlsen
New MemberPosts: 10
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Jeff, 11 months ago

That is a good question - when will we get the answer

Reply   Reply with quote   Complain
Leon Wittwer
Forum ProPosts: 12,809
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Jeff, 11 months ago

I don't remember about Adobe specifically, but many vendors ask when I purchase something whether they should keep the credit card information.  This presumably expedites future purposes.  I generally do not let vendors store my info.

Reply   Reply with quote   Complain
StrokerAce23
Regular MemberPosts: 219
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Jeff, 11 months ago

This is super easy and solved with a little Google work.  Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

Reply   Reply with quote   Complain
Jeff
Veteran MemberPosts: 4,470
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to StrokerAce23, 11 months ago

StrokerAce23 wrote:

This is super easy and solved with a little Google work. Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

I'm asking a genuine question.  Seriously, do they have to keep a credit card number after the transaction has been completed?

Reply   Reply with quote   Complain
wchutt
Senior MemberPosts: 1,305Gear list
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Jeff, 11 months ago

Jeff,

Yes, they do.

There's your answer.

 wchutt's gear list:wchutt's gear list
Fujifilm X-Pro1 Fujifilm X-T1 Fujifilm XF 18mm F2 R Fujifilm XF 35mm F1.4 R Fujifilm XF 14mm F2.8 R +20 more
Reply   Reply with quote   Complain
Jeff
Veteran MemberPosts: 4,470
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to wchutt, 11 months ago

wchutt wrote:

Jeff,

Yes, they do.

There's your answer.

Hmmm ... so with a little googling I find this

http://www.pcworld.com/article/2049320/5-tips-for-easy-pci-compliance.html

which advises merchants not to keep cardholder data.  Is there something you could point me to that indicates otherwise?

Reply   Reply with quote   Complain
MichaelKJ
Veteran MemberPosts: 3,100Gear list
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Jeff, 11 months ago

Jeff wrote:

Just got the note from Adobe saying that my password was reset. Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions. I've not joined any subscription service, in particular creative cloud.

So here's my question. Why do you need to keep my credit card number in your database after the transaction has been completed?

This strikes me as the enormously irresponsible. Am I off base?

I use Citi's virtual credit card numbers because they expire after one month. This feature is also useful for services, such as Netflix, that force you to agree to automatic renewals.

Fortunately, US federal law limits your liability to $50, which is why banks frequently issue new credit cards to their customers when something like this happens.

 MichaelKJ's gear list:MichaelKJ's gear list
Fujifilm FinePix F31fd Olympus PEN E-PL1 Olympus OM-D E-M5 +1 more
Reply   Reply with quote   Complain
brianric
Veteran MemberPosts: 5,182Gear list
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to wchutt, 11 months ago

wchutt wrote:

Jeff,

Yes, they do.

There's your answer.

No they don't.

 brianric's gear list:brianric's gear list
Sony RX100 Nikon D700 Panasonic Lumix DMC-G1 Nikon Df Nikon D810 +10 more
Reply   Reply with quote   Complain
Erik Magnuson
Forum ProPosts: 12,058Gear list
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Jeff, 11 months ago

Jeff wrote:

which advises merchants not to keep cardholder data.

It only advises them to outsource that responsibility to a 3rd party processor.  If you are a small merchant, the higher fees you will pay for this type of service will be much less than the cost of compliance.  But if you are a large merchant, the opposite applies.

-- hide signature --

Erik

 Erik Magnuson's gear list:Erik Magnuson's gear list
Canon EOS 5D Mark II Canon EOS 450D Sigma SD10 Sony Alpha NEX-5 Nikon D3200 +28 more
Reply   Reply with quote   Complain
Graham Meale
Senior MemberPosts: 1,030Gear list
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to StrokerAce23, 11 months ago

I have been told when placing an order with certain businesses that I've previously dealt with that they are legally forbidden to keep credit card details.

-- hide signature --
 Graham Meale's gear list:Graham Meale's gear list
Canon EOS 5D Mark II Canon EOS 5D Mark III Canon EF 50mm f/1.8 II Canon EF 100mm f/2.8 Macro USM Canon EF 70-300mm f/4-5.6L IS USM +5 more
Reply   Reply with quote   Complain
jfelbab
Senior MemberPosts: 1,784
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to StrokerAce23, 11 months ago

StrokerAce23 wrote:

This is super easy and solved with a little Google work. Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

No, they actually don't need to keep your credit card for discrete item purchases.

There are many, many companies that don't keep your card number unless you allow them to.  Just today, I ordered some items from LandEnd and they don't, Sears doesn't, Target doesn't and the list is countless. If you have any links that show a company is required to keep your CC number post them.  I'm sure all these companies would be happy to hear this news.

Also most CC companies allow temporary card numbers for on-line purchases.  These expire a short time after the transaction so fraud potential is minimized.

-- hide signature --

Jim
'There are no rules for good photographs, there are only good photographs.'
-- Ansel Adams

Reply   Reply with quote   Complain
Roy Sletcher
Contributing MemberPosts: 782
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Graham Meale, 11 months ago

Graham Meale wrote:

I have been told when placing an order with certain businesses that I've previously dealt with that they are legally forbidden to keep credit card details.

-- hide signature --

I think this may vary depending upon the jurisdiction.

A couple of years back I was registering for a photographic workshop at University of Massachusetts in Amherst. When I called back a day or so later to change some details and asked them to bill it to the same credit card as the original charges I was told the were forbidden to keep credit card details on file, and I had to repeat all the details again over the telephone. I think they said "illegal", but can't honestly recall.

Just saying! There seems to be some variation in interpretation here, and I can see the argument for both sides. However, if somebody elects to keep my personal details on file, then the onus should be on him to protect that information, or accept the ensuing liability if he screws up. Else we are going to see more and more of these security breeches if there is no accountability or consequences.

Roy Sletcher

Reply   Reply with quote   Complain
PicOne
Veteran MemberPosts: 6,671
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Roy Sletcher, 11 months ago

Graham Meale wrote:

I have been told when placing an order with certain businesses that I've previously dealt with that they are legally forbidden to keep credit card details.

-- hide signature --

I think this may vary depending upon the jurisdiction.

A couple of years back I was registering for a photographic workshop at University of Massachusetts in Amherst. When I called back a day or so later to change some details and asked them to bill it to the same credit card as the original charges I was told the were forbidden to keep credit card details on file, and I had to repeat all the details again over the telephone. I think they said "illegal", but can't honestly recall.

Just saying! There seems to be some variation in interpretation here, and I can see the argument for both sides. However, if somebody elects to keep my personal details on file, then the onus should be on him to protect that information, or accept the ensuing liability if he screws up. Else we are going to see more and more of these security breeches if there is no accountability or consequences.

Roy Sletcher

Generally what I'm thinking is that there is maybe a distinction between "keeping a card on file" and retaining records that may need to be kept to meet audit requirements. The former would relate to keeping card info accessible for future transactional needs, while the latter might be encrypted and "locked away" in the storage Vaults (so to speak).
--
'Everything in photography boils down to what's sharp and what's fuzzy.'
-Gaylord Herron

Reply   Reply with quote   Complain
Promit
Contributing MemberPosts: 970Gear list
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Jeff, 11 months ago

Jeff wrote:

Just got the note from Adobe saying that my password was reset. Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions. I've not joined any subscription service, in particular creative cloud.

So here's my question. Why do you need to keep my credit card number in your database after the transaction has been completed?

Everyone else in this thread is missing the point.

Your credit card number may have been accessed. Everybody with an Adobe account got the exact same letter. Cloud users, non Cloud users, whatever. They may or may not actually have your card on file, they're not customizing this message specifically for your situation and account. I got the message for an account that has NO purchase history, and I got it for an account that is signed onto Cloud too.

What the message says is that they were compromised and sensitive financial details were leaked. Yours may be among them. It may not. They are unable or unwilling to say the extent of the damage, so the easy approach is just to tell everyone the same exact warning to watch their accounts etc.

Additionally note that transaction histories frequently include partial numbers (last 4 digits is very common) and that's often unencrypted plaintext. It's printed on practically every receipt you get with a credit card purchase, but there are situations in which that data can be exploited.

 Promit's gear list:Promit's gear list
Sony SLT-A77 Olympus OM-D E-M5 Panasonic Lumix DMC-GH4 Sony a77 II Panasonic Lumix G 20mm F1.7 ASPH +12 more
Reply   Reply with quote   Complain
PicOne
Veteran MemberPosts: 6,671
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to jfelbab, 11 months ago

jfelbab wrote:

StrokerAce23 wrote:

This is super easy and solved with a little Google work. Try some combination of:

PCI copliance

Merchant services

Dodd-Fank

Durbin amendment

Sarbanes-Oxley

Then consult with a couple of attorneys at large banks and accountants at one of the big four.

Get back to us.

In short, because they have to.

No, they actually don't need to keep your credit card for discrete item purchases.

There are many, many companies that don't keep your card number unless you allow them to. Just today, I ordered some items from LandEnd and they don't, Sears doesn't, Target doesn't and the list is countless. If you have any links that show a company is required to keep your CC number post them. I'm sure all these companies would be happy to hear this news.

So if you return an item purchased from these establishments, you evidently get a check in the mail?

Also most CC companies allow temporary card numbers for on-line purchases. These expire a short time after the transaction so fraud potential is minimized.

-- hide signature --

Jim
'There are no rules for good photographs, there are only good photographs.'
-- Ansel Adams

-- hide signature --

'Everything in photography boils down to what's sharp and what's fuzzy.'
-Gaylord Herron

Reply   Reply with quote   Complain
Chris Dubea
Senior MemberPosts: 1,682
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Promit, 11 months ago

Promit wrote:

Everyone else in this thread is missing the point.

Your credit card number may have been accessed. Everybody with an Adobe account got the exact same letter. Cloud users, non Cloud users, whatever. They may or may not actually have your card on file, they're not customizing this message specifically for your situation and account. I got the message for an account that has NO purchase history, and I got it for an account that is signed onto Cloud too.

What the message says is that they were compromised and sensitive financial details were leaked. Yours may be among them. It may not. They are unable or unwilling to say the extent of the damage, so the easy approach is just to tell everyone the same exact warning to watch their accounts etc.

Additionally note that transaction histories frequently include partial numbers (last 4 digits is very common) and that's often unencrypted plaintext. It's printed on practically every receipt you get with a credit card purchase, but there are situations in which that data can be exploited.

I called my credit card provider about this yesterday. They checked and said they had not been notified about the breach. The operator said the vendor is legally required to alert credit card companies in the event of a breach.

I'm not certain what this does or doesn't tell us.

Interesting,

-- hide signature --

Chris

Reply   Reply with quote   Complain
Leon Wittwer
Forum ProPosts: 12,809
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to PicOne, 11 months ago

PicOne wrote:

So if you return an item purchased from these establishments, you evidently get a check in the mail?

No, you would most likely have to give them the card details again to get the refund to the card.

Reply   Reply with quote   Complain
Jeff
Veteran MemberPosts: 4,470
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Promit, 11 months ago

Promit wrote:

Jeff wrote:

Just got the note from Adobe saying that my password was reset. Fine.

But that note also says that my encrypted credit card number may also have been accessed. I have used my credit card in the past to purchase software from Adobe, but those were one-time transactions. I've not joined any subscription service, in particular creative cloud.

So here's my question. Why do you need to keep my credit card number in your database after the transaction has been completed?

Everyone else in this thread is missing the point.

Your credit card number may have been accessed. Everybody with an Adobe account got the exact same letter. Cloud users, non Cloud users, whatever. They may or may not actually have your card on file, they're not customizing this message specifically for your situation and account. I got the message for an account that has NO purchase history, and I got it for an account that is signed onto Cloud too.

What the message says is that they were compromised and sensitive financial details were leaked. Yours may be among them. It may not. They are unable or unwilling to say the extent of the damage, so the easy approach is just to tell everyone the same exact warning to watch their accounts etc.

Yea, that's probably true. And disappointing. It would be a simple database check to say whether or not they have my credit card number on file.  They're holding themselves to a pretty minimal standard of service to their customers, which seems consistent with many of their other actions in last few years.

Additionally note that transaction histories frequently include partial numbers (last 4 digits is very common) and that's often unencrypted plaintext. It's printed on practically every receipt you get with a credit card purchase, but there are situations in which that data can be exploited.

Reply   Reply with quote   Complain
PicOne
Veteran MemberPosts: 6,671
Like?
Re: Adobe ... why are you keeping my credit card number?
In reply to Leon Wittwer, 11 months ago

Leon Wittwer wrote:

PicOne wrote:

So if you return an item purchased from these establishments, you evidently get a check in the mail?

No, you would most likely have to give them the card details again to get the refund to the card.

Hmmm, most online sellers generally include those "easy return" forms where you simply state the reason, use the label they supply you in the shipment and you're done.   I don't recall filling in CC info on these return forms.

-- hide signature --

'Everything in photography boils down to what's sharp and what's fuzzy.'
-Gaylord Herron

Reply   Reply with quote   Complain
Keyboard shortcuts:
FForum MMy threads