Why Did Advance Auto Still Have Customer Credit Card Numbers On File From 7 Years Ago?

From the Richmond Times-Dispatch:

Advance Auto said a computer hacker may have gotten financial information of up to 56,000 customers at 14 stores in Virginia and seven other states. The Roanoke company said the customers shopped at the 14 stores from December 2001 to December 2004.

Why would a company have customer info on file for so long? I found one credit card processor’s FAQ which said that the maximum window for chargebacks is 180 days, and only in cases where a merchant has violated merchant rules (otherwise it’s 120). So Advance Auto was about 2375 days overdue for a records wipe. It’s time to start tightening up the lax security standards at the retail level that have created a playground of plunder for identity thieves.
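The retention argument above (card numbers should not outlive the chargeback window) is the kind of thing that has to be enforced by a scheduled job, because nothing in a database deletes itself. The following is an added example, not code from the post or from Advance Auto, showing one way a merchant could do it: keep the sale record (date, amount, last four digits) for tax and warranty lookups, but blank the full card number once the sale is older than the window. The table layout, the sample sales and the 180-day window are all assumptions made for the example; the post cites 120 days as the normal chargeback limit and 180 days as the outer bound.

```python
import sqlite3
from datetime import date, timedelta

# Retention window in days. The post cites a 120-day chargeback window
# (180 where the merchant violated merchant rules); 180 is used here as
# the outer bound. Using it as the retention limit is an assumption
# made for this example.
RETENTION_DAYS = 180

# Constructed sample data: one row per sale, with the full card number
# stored in the clear, which is the situation the post describes.
SAMPLE_SALES = [
    # (sale_id, sale_date, card_number, amount_cents)
    (1, "2001-12-03", "4111111111111111", 4599),
    (2, "2004-11-30", "5500000000000004", 12950),
    (3, "2008-03-01", "340000000000009", 7800),
    (4, "2008-03-28", "4111111111111111", 1999),
]


def build_db():
    """Create an in-memory sales table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE sales (
               sale_id      INTEGER PRIMARY KEY,
               sale_date    TEXT    NOT NULL,   -- ISO 8601, so string order is date order
               card_number  TEXT,               -- full PAN; NULL once purged
               card_last4   TEXT    NOT NULL,   -- kept for receipts / warranty lookup
               amount_cents INTEGER NOT NULL)"""
    )
    conn.executemany(
        "INSERT INTO sales (sale_id, sale_date, card_number, card_last4, amount_cents) "
        "VALUES (?, ?, ?, ?, ?)",
        [(i, d, pan, pan[-4:], amt) for i, d, pan, amt in SAMPLE_SALES],
    )
    conn.commit()
    return conn


def purge_expired_card_numbers(conn, today_iso, retention_days=RETENTION_DAYS):
    """Blank the full card number on every sale older than the retention window.

    The sale row itself survives (date, amount, last four digits), so the
    merchant still has proof of the transaction; only the data an identity
    thief wants is gone. Returns the number of card numbers removed.
    """
    today = date.fromisoformat(today_iso)
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "UPDATE sales SET card_number = NULL "
        "WHERE sale_date < ? AND card_number IS NOT NULL",
        (cutoff,),
    )
    conn.commit()
    return cur.rowcount


def count_full_card_numbers(conn):
    """How many rows still hold a full card number (should trend to near zero)."""
    return conn.execute(
        "SELECT COUNT(*) FROM sales WHERE card_number IS NOT NULL"
    ).fetchone()[0]


def overdue_days(conn, today_iso, retention_days=RETENTION_DAYS):
    """Days by which the oldest still-stored card number exceeds the window.

    This is the number the post computes by hand ("2375 days overdue");
    zero means every stored card number is inside the window.
    """
    row = conn.execute(
        "SELECT MIN(sale_date) FROM sales WHERE card_number IS NOT NULL"
    ).fetchone()
    if row[0] is None:
        return 0
    age = (date.fromisoformat(today_iso) - date.fromisoformat(row[0])).days
    return max(0, age - retention_days)


if __name__ == "__main__":
    conn = build_db()
    today = "2008-03-31"  # constructed "run date" for the example
    print("oldest card number is", overdue_days(conn, today), "days past the window")
    print("purged", purge_expired_card_numbers(conn, today), "card numbers")
    print(count_full_card_numbers(conn), "full card numbers remain")
```

Run nightly, the purge keeps the exposure bounded to the window the business can actually justify, and `overdue_days` is the single number an auditor (or a blogger) would want to see: anything above zero means card data is being kept past the stated policy.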

(Thanks to Volksaddict!)


  1. Saboth says:

    Oh great, I shop at advance and live in VA.

  2. char says:

    I’ve worked on online stores, I’ve seen scary things.

    My parents had their CC number stolen last night too :(

  3. ARP says:

    As someone who works with this issue, I can tell you that the credit card companies are starting to notice and there have been changes to the PCI standards (security/processing standards for credit cards) and will likely be more.

    So the motivation for the retailer won’t be doing the right thing, customer service, etc. It’s the fear of being decertified and not being able to take credit cards, and of having hefty fines for being non-compliant.

    My concern is that it will be just like polluters, banks, and others who violate the rules/laws. They often just get a slap on the wrist and it’s simply viewed as a cost of doing business. If that happens, there isn’t enough motivation for them to do anything. So, like many other issues, if a regulatory body actually enforces the rules, things get done.

  4. AlexJP says:

    A few years ago, I was speaking with a chargeback manager at First Data Merchant Services. He said that in certain conditions, a chargeback can be initiated 18 months after the purchase.

    He did not elaborate on the applicable circumstances (this is just one facet of a major problem that has vexed merchants for a while: credit card processors will not furnish the full rules and regulations, even though they often cite said rules and regulations in their chargeback responses). But he was candid enough that I believe a limit of 18 months is the truth.

  5. htrodblder says:

    You might be surprised how many accounting and/or retail programs have NO provision to automatically delete credit card information at a certain time. I have worked with quite a few different systems and not one of them even had a setup to do that. I can’t blame the store for this one except for them being lax on security.

  6. MeOhMy says:

    Actually, this is becoming a hot-button topic pretty much across the Info Security industry. For a long time you worried about how long you needed to keep information but not so much about making sure that information was destroyed when no longer needed.

  7. ARP says:

    @Troy F.: My guess is we’ll face the tail end of this problem soon, destruction of records and files.

    If they delete it as well as they protected it when they had it, my guess is that a little dumpster diving or a basic recovery program will cause a lot of trouble.

    You’d be surprised (or maybe you won’t) how few companies have good shred/delete programs.

  8. snoop-blog says:

    my question is why would anyone keep the same credit card number for seven years? i change mine at least every other year.

  9. snoop-blog says:

    so they can tell us about virginia, but are keeping the other seven states secret? that’s bullsh*t! how do i find out what the seven other states are?

  10. mduser says:

    @snoop-blog: It’s in the article link at the top

    Advance Auto spokeswoman Shelly Whitaker said the affected stores are in Georgia, Ohio, Tennessee, Virginia, Louisiana, New York, Indiana and Mississippi. The only Virginia store is in Richmond.

    I’m surprised that this didn’t hit Maryland as well, there’s quite a few stores there.

  11. mduser says:

    @snoop-blog: Don’t most banks give you a new card every 2-3 years anyway?

  12. ARP says:

    @snoop-blog: Depends if those states have notification laws. Most do.

    Some state laws have it so that you only have to inform the state, the customers, and/or the general public depending on the circumstances.

    This is where a good Federal notice law would come in handy. The problem is that it will inevitably be watered down and will pre-empt state law, so it will be useless and potentially worse than what you already have (depending on where you live).

  13. Ivy1 says:

    Lots of sellers keep credit card records, usually for tax purposes. Most states have out-of-date rules/requirements for issues like tax-exempt sales that require the vendor (here, the store) to keep on file (usually for 4-7 years) proof that the tax-exempt organization held the card that paid for the item. Therefore, as a vendor you either have to a) keep the credit card copies for years in case you get audited; or b) deny legitimate tax-exempt customers their tax savings. It’s really a mess. There are other state laws on the books that require sellers to keep detailed customer records, and when a company tries to raise PCI or federal privacy laws as a “defense” to an expensive state or local tax audit the response is basically “suck it.” The City of Denver recently decided that Federal Government employees no longer got to make many tax-free purchases because the City didn’t want to be responsible for sellers keeping photocopies of Fed purchasing cards.

  14. ninjadawg says:

    Chargebacks vary per card company. The highest I am aware of is 18 months for American Express. Visa and Mastercard are 12 months.

  15. Darren W. says:

    One potential reason to keep them on file is to use customers’ CC info to look up warranty information for purchased parts.

  16. snoop-blog says:

    damn!!!!!! i was just in autozone in indiana last weekend! better call the bank. so are they going to pay for a year of credit monitoring service or just screw us.

  17. AlexJP says:

    @snoop-blog: Autozone is not Advance Auto Parts.

  18. snoop-blog says:

    @AlexJP: yeah i totally meant advance, actually i was at both places sunday, and wouldn’t you figure, i used my card at advance, and paid cash at autozone. just my luck.

  19. Asmordean says:

    I recently ran a few years of old credit card slips through the shredder at work thanks to seeing the nasty stories pop up here about stolen data.

    I contacted Visa and Mastercard about how long I have to keep data. Visa said 18 months. Mastercard said 2 years.

  20. MyCokesBiggerThanYours says:

    Sometimes I think the people who write these posts are psycho. Everything is a conspiracy. With databases everything stays in the database unless you consciously go in and delete it. You literally have to write a function – a program – to delete it. Plus, for tax purposes businesses keep at least 7 years of records.

    Try this. For many of us our parents have lived in the same house for decades. Go look in their drawers and garage. They don’t throw stuff out either.

    7 years is not that long. Just wait until you’re out of your teens and 20s. Years go by like in the blink of an eye.

  21. Pro-Pain says:

    If this whole identity theft thing keeps up the industry is going to have to be innovative and do something. What a concept!

  22. Red_Eye says:

    I recently got a call from my credit union and was told they were sending a replacement card because someone had reported they had “possibly lost my card number”. When I asked who, the credit union said they were not able to say. Maybe it was these idiots. Regardless, there need to be criminal penalties for breaking regulations surrounding credit cards like this. I’d managed to keep the same card number secure for 12 years!

    I keep hearing lip service about penalties and I say bullshit. If credit card companies ever really imposed penalties against retailers we wouldn’t ever have this happen again. If they enforced their own rules, you would walk into mom and pop gas stations across the country and see minimum purchase required signs. The credit card companies see the policing of this stuff as more costly than the minor frauds that get committed when some jackass at AutoParts Idiots Incorporated doesn’t perform his job, so they don’t CARE. They don’t care about the hassles they cause or the heartache they cause you; they are not about to bite the hand of the retailers, who they already have a strained relationship with because of how much of a cut they take from the retailers on top of the interest they charge you.

  23. oldgraygeek says:

    My in-home PC repair business accepts credit cards. I use paper slips at the customer’s home, and punch the card numbers into my terminal in the office. I have no employees, so I am the only person handling the customer’s card information.
    You’d better believe that there is NO data retention beyond 7 days: we cross-cut shred the slips every Sunday, and mix the scraps with used cat litter before discarding them.

  24. sventurata says:

    @snoop-blog: Then your card won’t be affected at all, seeing as the compromised data timeframe ended four years ago.