Domain: pcicomplianceguide.org
Stories and comments across the archive that link to pcicomplianceguide.org.
Comments · 17
-
Per PCI Compliance, Panera could owe...
So, the card companies can asses a fine of up to $100,000 per month per violation. Per TFA, the number affected "exceed 37 million", and they knew about this for 8 months. Therefor, Panera / the processing bank/ "someone" should be hit with a $29,600,000,000,000. Well, the "whole PAN" wasn't exposed, only the last 4 out of 16. So, to be fair, the fine should be $7,400,000,000,000. I'm sure they have proper "errors and omissions insurance" to cover about 10% of GWP (global world production). I mean, that's what insurance is for, right? Ten percent, that's in The Bible!
Source -
Re: This isn't why they had a security breach
Online stores can store the credit card number, not the PIN. Typically they will ask for the CVV which shouldnt be stored. See PCI Compliance FAQ
-
Re:Nothing to worry about
If Adobe was not already a PCI level 1 (6 million transactions on a single card type), they will be escalated to it now.
Even if they were considered compliant (likely) at the time of the breach, it is never cheap. Keep in mind that fines are assessed independently from each issuer (Visa says what they will charge, MasterCard says what they will charge, etc.). But it is true the charge will not be assessed directly to Adobe, rather their acquirer will have to figure out how to collect it. It's a good thing Adobe has some $4B in liquid assets.
-
Re:Inaccuracies in the article!
I'm not trying to suggest that you would be subject to criminal penalties for not following Visa rules. I AM suggesting that Visa cares deeply about the rules it has in place and violating those rules will absolutely endanger your ability to accept Visa as a payment method. Visa is under no "contractual obligation" to transfer money from a customer, to you, just as you are under no obligation to follow the rules they made up.
The data google gives is considered "cardholder data".
From: http://www.pcicomplianceguide.org/pcifaqs.php#12
Q: What is defined as ‘cardholder data’?
A: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
Email address is personally indentifiable, ergo, it is cardholder data. The problem isn't as big a deal for individual merchants, but it is a big problem for Google. -
Re:Nah
you mean PCI compliance. it's not a law, though some states have laws that borrow heavily from this standard.
http://www.pcicomplianceguide.org/security-tips-20090227-pci-compliance-law.php -
Re:PCI security compliance with WiFi
The banks aren't where people get screwed on PCI compliance, it's the credit card companies. As part of your merchant agreement with them you agree to secure your network to PCI standards AND agree to potential audits by them. You're also supposed to get a quarterly PCI-compliance audit if you have an externally-facing IP address open.
Securing wireless connections is PART of compliance. Check out more detail here:
-
MOD PARENT UP
I have gone through this all as well. The grand parent either really sucks at their job, or is just lying out their ass. You are NOT supposed to store credit card numbers from mag stripe, and if you are ever audited for PCI compliance and they find out that you are storing them, you will be shut down.
"There is no need, nor is it allowed, to store data from the magnetic stripe on the back of a payment card."
http://www.pcicomplianceguide.org/pcifaqs.php#myth16
You can also take a look at page 15 in this document https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf which clearly states that you are NOT allowed to store magnetic data. Period.
Its industry "illegal" because you will not be able to take credit card numbers if you do this. So effectively, its like the bank is shutting you down and blacklisting you. You are playing a semantics game maybe but semantics are not going to save your sorry ass.
-
Re:What 30%?
Storing your credit card numbers when you use them via a magnetic swipe is actually illegal, see here for example. So, supermarkets actually cannot store your credit card information.
Not actually illegal - just difficult. And generally a bad idea. But totally legal.
Not according to the VISA Merchant Agreement:
Card association operating rules prohibit storage of the contents of the magnetic stripe as a unit. This includes discretionary card-read data, CVC2 or CVV2 data, PIN data, and address verification service (AVS) data. It is not acceptable for acquirers, merchants, or service providers to retain transaction, cardholder account, and magnetic-stripe data in point-of-sale (POS) software applications, support systems, or hardware subsequent to transaction authorization. This includes retaining transaction, cardholder account, and magnetic-stripe data in databases, spreadsheets, or other documentation. Failure to adhere to this standard can have significant consequences.
It is, at a minimum, a breach of contract.
-
Re:What 30%?
I didn't claim to be an authority on the topic. Instead I cited a source here. If you read my comment I think you will see that.
-
Re:What 30%?
Storing your credit card numbers when you use them via a magnetic swipe is actually illegal, see here for example. So, supermarkets actually cannot store your credit card information.
(rolls eyes) Oh spare me. Ram the card data thru MD5 or SHA1, it and store the hash. We were storing the hash not card data. Salting is complicated for reasons which will appear obvious later on. When a new unique appears in a customers transaction record, put that account in the scrutiny list, apparently they have a new credit card account. When someones hash shows up in someone elses account add them to the scrutiny list, either they got married or they're a really stupid thief.
The scrutiny list need not contain the hash of the card data, in fact it probably should not, nor even list why an account was added. In fact there is no need to explain why they appeared on the scrutiny list at all. There are other reasons why accounts appear on the list, such as bouncing a check. At the start of every business working day for the credit risk evaluation auditors or whatever the heck their job title was, if the scrutiny table contains less than X rows where X equals the number of auditors times how many accounts they should handle per day, add randomly selected accounts to the scrutiny table to bring the total up to X so the auditors can be kept sufficiently busy.
People with accounts on the list get treatment much like the initial application phase, but maybe a little more intensive, maybe a little more attention paid. Maybe rerun their credit report to see if their check cashing is still an acceptable risk. Examine that customer accounts recent purchasing history, are typical thief products being purchased? Maybe they got married so start sending them married people coupons (anniversary cards?). Frankly 99% of them got blindly stamped approved, it was a buck passing operation to push the blame for any fraud onto the auditors, whom were basically required to permit the fraud while taking heat for it. Not a terribly pleasant job, usually used as punishment.
The same thing is done with checking account data. Hash the account portion of the check number and store it, look for weird patterns.
This was all circa 1994 and I was closely although not directly involved. I suspect nothing has really changed since then other than what took exotic hardware and software is now done with commodity gear.
-
Re:What 30%?
Storing your credit card numbers when you use them via a magnetic swipe is actually illegal, see here for example. So, supermarkets actually cannot store your credit card information.
Not actually illegal - just difficult. And generally a bad idea. But totally legal. Giving that information out again can get you in big trouble, of course, and storing it for longer than it takes to hand it off to the next level can be quite painful.
Additionally, its generally not needed. In this case, doing something like a one-way hash of the card as it passes through the system would be enough - you don't actually care about the card numbers themselves, just if and when a particular known card is associated with a known shopper. As long as you don't need to get the card tracks back, a hash is more than enough to give you that data.
Disclosure : I am the chief architect for a PCI-DSS Level 1 provider
-
Re:What 30%?
You are being a little silly here. When you sign up for the card, they get your address so they can sell it to junk mailers. They do not, however, know your current address if you have moved since getting the card (and I'm sure many people have).
Storing your credit card numbers when you use them via a magnetic swipe is actually illegal, see here for example. So, supermarkets actually cannot store your credit card information.
And finally, the reason the supermarket wants your purchase information is to do analysis of demographics and to better optimize their business. They are not doing the sort of data mining that would allow them to sell you lipitor based on how much beef you eat. You have absolutely no evidence to back up that assertion. -
Re:Don't test with customer data
This is, quite simply, not true. If you doubt me, please check http://www.pcicomplianceguide.org/pcifaqs.php#19. Retention of the full credit card number is allowed so long as certain safeguards are in place. The rule about last four is primarily guidance about what should be printed on a receipt.
-
Re:major loss for privacy, dissent
credit card transactions
There are. PCI Compliance. http://www.pcicomplianceguide.org/pcifaqs.php
-
You must be in management
What a complete non-answer. Your reliance on flimsy "necessary steps" is exactly why the industry is dealing with these problems right now. What is necessary? If I'm transporting disks with your data on it, does it have to be a secured armored vehicle, or is a lock box enough? Can the guy carrying it be a convicted felon, or a minimum wage security guard? If I have your data on my laptop, does it have to be encrypted. Is an 56 bit DES algo enough or does it have to be the most modern encryption scheme available? Who sets these rules and are they enforced only after data loss ( or are there periodic audits?
The credit card industry has identified similar problems of responsibility in its business process and implemented a standard that companies have to comply with if they want to avoid being responsible for major losses (PCI). A good example of private industry trying to solve a problem without government regulation (albeit setup mostly so the few credit card companies can push financial losses back down to the merchants and vendors).
-
Re:Subscriptions
You should never be storing credit card info unless you are PCI compliant. see: http://www.pcicomplianceguide.org/
If you need to rebill credit cards you merchant processing gateway should have a rebill module so they can store the info and send you a report of what what cleared and didn't.
It doesn't matter what the law says...it matters what Visa and MasterCard say in their merchant processing agreement to you or provided to you. If you don't like it go do business with the other Visa and MasterCard.
AMEX and Discover also have similar guidelines... -
security vs sci-fi
Well not likely if you want to become PCI compliant or adhere to any number of secure standards. In theory a paper like this sounds good but you only need to dip below the surface of the real world to discover it's more like a sci-fi dream at the moment.