Carriage Now Saves Knet Information *UPDATED*

Post by Mark

One thing that has always annoyed me with local online shopping services is that you couldn’t save your payment details like you do on Amazon for example. Looks like Knet are finally allowing your payment details to be saved because with the latest Carriage app update, you now have the option to save your payment information. This means when you place an order, all you need to do is enter your pin code instead of having to enter all your numbers and expiry date every time you place an order.

All I can say is finally! This is going to make online shopping in Kuwait a lot more convenient for everyone.

Update: So I got a phone call from Carriage awhile ago on this subject and they clarified to me one important point. Customer data related to bank details are saved on the user’s device, not on Carriage’s servers. The information is encrypted and then stored in your iOS or Android keychain, and you still need to input your pin on every transaction.

Share on Facebook Share on Twitter

19 comments, add your own...

  1. Matt says:

    Convenient = true, but safe = false.

    • Mark says:

      Can you elaborate on how it’s unsafe? You’re already allowing a lot of businesses store your card number when you use your knet in a store, how is this any different?

  2. moe says:

    and the all the sudden carriage will come out to apologize to their customers for customers information leakage. It happened with Facebook twitter playstation snapchat etc.
    how could you trust carriage?

    • Mark says:

      Well all they’re saving for you is your card number, not your pin code. So you still need to enter your pin code to make a purchase. It’s also optional, you can turn that off.

      If you’re worried about allowing online businesses to store your debit card number, did you know that everytime you pay with Knet at a store, and they then swipe your card into the POS system, they’re actually getting a copy of your card number? I think I’ve posted about this on the blog before. So your card number is already out there.

  3. aa says:

    Knet did not allow this! this is actually illegal and Carriage are breaching security and breaking the law and customer rights by doing this!!!

  4. Ahmed says:

    Chrome mobile does this.

  5. Security says:

    Financial institutions like Knet have to be compliant with industry standards such as PCI-DSS (Payment Card Industry Data Security Standard). I highly doubt they will be retaining full card numbers. If they do so they will be non compliant with certification. Usually the first 04 and the last 04 digits of the card are available and the rest of the numbers are masked.

    • Mark says:

      Amazon, Google, Adobe, Microsoft, PayPal, eBay etc… all retain full numbers. So doubt the industry standard that includes the likes of visa, mastercard and american express do not allow retaining full card numbers.

    • Aziz says:

      That is incorrect. PCI-DSS does allow you to retain full card numbers.

  6. Security says:

    No, once you input your card number, it is encrypted and stored in their database. The logic is even if someone is able to access this information they will not be able to do anything with it. However I cannot say the same thing with smaller organization which might be dealing with this type of data. The reason the first and the last digits are displayed so that they can be used for reconciliation and other financial settlements.

    For e.g. this is how Apple processes card information

    • Mark says:

      ok i think you’re confusing things.

      businesses like amazon, ebay, whatever, the retain your FULL card numbers.
      The card numbers are encrypted yes.

      back to carriage. your FULL card number is stored.
      The card numbers are stored in your phones keychain.. which is encrypted.

  7. Burhan says:

    Please, do not confuse point of sale with payment gateway. There are different requirements for each; and let us keep the discussion to Kuwait and not to Amazon, eBay etc. as these retailers don’t need to comply with Kuwait laws and deal in a large majority with credit cards, not debit cards.

    The fact that the card is scanned as at point of sale terminal, and that this is later the source of many card breaches, is something that is as a consequence of the Point of Sale systems which were designed for the days before chip cards were invented, and were sold mainly in places where the practice is to swipe and sign.

    So, the fact of the matter is in these systems you cannot close the transaction and print the receipt until you either swipe or enter the card number. That’s why they do it.

    What can you do with someone’s card information (the 16 digits)? Not much, really. Except try to sell it to someone who can try to brute force the PIN at some foreign country to withdraw cash.

    The problem with swiping at POS terminals is that they read the Track 2 data from the magnetic stripe (the black stripe behind your card).

    This stripe supports three tracks of data, but in reality data is only written on Track 1 and 2. Track 1 contains the same data as Track 2, but also includes the card holder name.

    In practice all devices only read the Track 2 data. This information contains your full card number, expiry and the CVV (also called CVC) code (the three digits from the back of your card).

    This is all that is required to conduct a transaction – BUT – your bank has to enable it for your card. Since here we are talking mainly about debit cards, most banks in Kuwait (with the exception of NBK) do not enable this for your cards.

    NBK allows you to use your normal ATM card online just as if it were a credit card, which increases the exposure if this card information is compromised.

    PCI compliance comes in various levels, and although everyone only talks about the fact that the first 6 and the last 4 numbers are shown – this is just one small part of PCI compliance.

    Storing card information in the secure enclave (the area of the phone protected by the independent security chip) does not mean you are PCI compliant, but this is a moot point since KNET specifically does not allow merchants using the payment gateway to store and forward card information on behalf of their customers.

    Now how is Carriage doing it? Who knows – maybe they got some special exception from their bank and KNET?

    Regarding Apple Pay, Samsung Pay, Google Pay, etc. these guys all use a different standard for payments that does not transmit your actual card number. That page linked by “Security” is just marketing fluff to explain what is happening for the consumer, the reality is that these applications all use the same standard for transmission – except the case for Samsung which has a unique feature of replicating the magnetic swipe (so it can be used on terminals that don’t support NFC).

Leave a Reply

Commenting is a privilege not a right. I allow comments on the site because I believe that you can make a valuable contribution but in return I expect that you comment responsibly.


If you have anything you think would be interesting to share on this blog
[Email Me]