
Cash-registry software under scrutiny...
Published: 20 March 2006 08:35 GMT
Popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, according to Visa.
Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions. A Visa representative confirmed that the warning was sent.
Fujitsu's large retail customers include Best Buy, OfficeMax and Staples, but it is not known which companies use the software Visa claims is flawed.
Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorised withdrawals from their accounts.
Bank of America, Citibank and Washington Mutual are among the financial institutions which have replaced more than 200,000 debit cards in the past two months and told customers that thieves obtained vital debit-card information as a result of a security breach at a large merchant.
One commonality among the fraud victims, according to law enforcement and banking officials, is that most had shopped at one of Fujitsu's clients: OfficeMax.
The office-supply retailer has said it has found no indication that it suffered an illegal intrusion. Fujitsu, which did not return repeated phone calls requesting comment on Friday, denied that its software has had anything to do with any alleged security breach. A representative for the company told the WSJ that customer data, such as PIN codes, could not be stored using just its software. Other software tools would have to be added.
Major credit-card companies have banned the storing of customer data and can fine merchants who do store such data. The fear is that customer information may be a sitting duck for hackers should it be left in a company's computer system.
What may be more worrisome for consumers is that it's not uncommon for merchants to accidentally stockpile their customers' data, said Branden Williams, a principal consultant at computer-infrastructure company VeriSign.
One of VeriSign's offerings is that it will assess a company's computer systems to ensure they meet security standards required by the big credit-card companies.
During his white-glove inspections, Williams said, he has often found software that would trap customer data, including PIN information, without the retailer's knowledge. Big companies working with complex systems are more prone to such slip-ups, he said.
He added: "You could totally understand how they could forget to turn off some switch."
But Williams said there's no reason for the problem to go unchecked. Not only are there companies such as VeriSign that will monitor system security but Visa also offers a list of software products proven not to store data.
Neither one of the Fujitsu products, Raft and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.
Williams said: "It's really the responsibility of a company doing business to protect their customers. Especially when you consider what's at stake: identity theft, bad public relations and potential fines. Software vendors should also have their applications checked for any vulnerabilities that could lead to a security breach."
Greg Sandoval writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.