Depending on how much faith you have in Walmart's various anti-hacking security standards, the store's new credit card policy will either grant it greater protection from thieves who try using fraudulent credit cards, or make legitimate Walmart customers suffer even worse the next time someone hacks into the right (wrong?) Walmart database.
If you buy things online you almost certainly use a credit card, and when making purchases you don't simply type in your card's account number, expiration date and other front-of-card information; you also type in the three-digit security code on the back.
That number is supposed to be kept super-secret, even more secret than your credit card number, and its purpose is to ensure that someone who does get hold of your credit card number won't be able to use it for anonymous online purchases, since they don't have the three-digit security code as well.
Now, as Texas news station KPRC (Houston) reports, Walmart's rolling out new in-store “security guidelines” which would require customers physically in the store with their physical cards to not merely swipe them, but also type in the three-digit security code that usually confirms the authenticity of purchases made online as opposed to in person.
How is the security of in-person in-store purchases supposed to be enhanced by demanding the number available to anybody with the actual card in hand? As KPRC reports:
But Walmart argues that the most common types of credit card fraud come out of data breaches. When it happened at Target and Neiman Marcus in recent months, thieves stole the credit card information for millions of consumers. Authorities say they planned on selling the data. Other scammers could create phony cards with legitimate account numbers printed on them. Walmart says the one thing thieves don't get in those breaches is the 3-digit code on the back of your card.
"Walmart's doing the right thing on this one," said Chris Bronk, a Rice University Baker Institute Fellow in IT Policy.
Bronk says ideally the account number and the codes will be stored separately, so would-be data thieves can't get all of your information in one place.
Of course, even in this ideal world, hackers patient enough to get information from two places rather than one will have all the information they need to buy things online with your credit card, and easily circumvent the three-digit security code that's supposed to prevent them from using your card to make online purchases.
Never surrender
Other security advisers say you should never surrender your three-digit code for in-person transactions. When WiseGeek, for example, asked the question “When is it safe to give out the security code on the back of my credit card?”, it discussed the code's role in online security and advised shoppers to avoid both online stores that don't remand it and in-person stores that do:
… you should never release the security code when you are present for a sales transaction. It doesn't show up when the card is scanned, or when a copy of the card is imprinted on a sales slip. People who steal this information, including some people who work at point-of-purchase businesses, don't have all the information needed to make most Internet purchases. Of course, not all companies online ask for your CVV, and it might be a good idea to only use vendors that will require this information when you shop on the Internet to support those vendors that are attempting to stop fraudulent use of your card.
In other news, this website has frequently reported receiving complaints from customers who said their Walmart Money Cards (an Authorized Partner) were hacked. However, a Walmart MoneyCard is entirely different from, say, a Walmart.com online account, like the one held by a woman in Darien, Connecticut whose account was hacked last January.
Hopefully Walmart's three-digit security code database will prove more hacker-proof than other Walmart-secured accounts have been.