Domain: visa.com
Stories and comments across the archive that link to visa.com.
Comments · 246
-
Re:This went on for nearly 2 years?
Since some tool abused the moderation system, I've decided to re-post everything I wrote. This way it goes back to +2 and everybody can see it and enjoy my wit :)
God, this is so much fun.
1. I specifically said "a card with the Visa or MasterCard logo."
2. I know you're not speaking in absolutes. That's because people like you who have no clue what they're talking about use language that's as general as possible to try to hide the fact that you have no clue what you're talking about.
3. And HERE'S where you look stupid again...
You talked out your ass and said...
". And I don't care what you think you read, they are not going to return it to you the day you call to complain. Most take 30-45 days to resolve. It's not uncommon for some to go 120+ days. And in some cases, the money is NEVER returned."
But the FACTS are...
"Visa's cardholder protection policy requires all financial institutions issuing Visa products to extend provisional credit for losses from unauthorized card use within five business days of notification of the loss. However, many major financial institutions affiliated with Visa will issue provisional credit even earlier--within 24 to 48 hours after the loss is reported."
http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
It just so happens that my bank offers 24-hour cash replacement. And a cursory look at the policies of other major banks (Wells, Citi, BoA, Chase) confirms the "24 to 48 hour" window.
I really hope you reply because I'm having a really great time over here rubbing your nose in it. Just put your tinfoil hat back on and carry on with your normal business. It'll save you both time and embarrassment. -
Re:This went on for nearly 2 years?
Since some tool abused the moderation system, I've decided to re-post everything I wrote. This way it goes back to +2 and everybody can see it and enjoy my wit :)
Again, here's a cross-post. I want you to feel stupid as soon as possible, and by cross-posting I can ensure you feel stupid a couple seconds earlier than you otherwise would...
"Visa's cardholder protection policy requires all financial institutions issuing Visa products to extend provisional credit for losses from unauthorized card use within five business days of notification of the loss. However, many major financial institutions affiliated with Visa will issue provisional credit even earlier--within 24 to 48 hours after the loss is reported." http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
It just so happens that my bank offers 24-hour cash replacement. And a cursory look at the policies of other major banks (Wells, Citi, BoA, Chase) confirms the "24 to 48 hour" window. -
Re:Translation
"Not completing a transaction unless you show ID" - perfectly plausible as part of a merchant (in the 'store' context, not credit card) terms of service, for the same reason they do so with checks. The only issue with ID and credit cards is people writing "Check Photo ID" on their signature strip - the merchant is perfectly within rights (and in fact is meant to) refuse to process a card that is not inscribed with a signature in the panel.
Sorry, but that's not accurate. Requiring ID is a violation. From page 29 of the Rules for Visa Merchants (emphasis added):
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures.
I also emailed Visa about this last year, and here's the relevant part of their response:
Merchants may not refuse to honor a Visa card simply because the cardholder refuses a request for supplementary information. The only exception is when a Visa card is unsigned when presented. However, "See ID" is not considered a valid signature. In these situations, a merchant must obtain authorization, review additional identification, and require the cardholder to sign the card before completing a transaction.
-
Re:This went on for nearly 2 years?
Again, here's a cross-post. I want you to feel stupid as soon as possible, and by cross-posting I can ensure you feel stupid a couple seconds earlier than you otherwise would...
"Visa's cardholder protection policy requires all financial institutions issuing Visa products to extend provisional credit for losses from unauthorized card use within five business days of notification of the loss. However, many major financial institutions affiliated with Visa will issue provisional credit even earlier--within 24 to 48 hours after the loss is reported."
http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
It just so happens that my bank offers 24-hour cash replacement. And a cursory look at the policies of other major banks (Wells, Citi, BoA, Chase) confirms the "24 to 48 hour" window. -
Re:This went on for nearly 2 years?
God, this is so much fun.
1. I specifically said "a card with the Visa or MasterCard logo."
2. I know you're not speaking in absolutes. That's because people like you who have no clue what they're talking about use language that's as general as possible to try to hide the fact that you have no clue what you're talking about.
3. And HERE'S where you look stupid again...
You talked out your ass and said...
". And I don't care what you think you read, they are not going to return it to you the day you call to complain. Most take 30-45 days to resolve. It's not uncommon for some to go 120+ days. And in some cases, the money is NEVER returned."
But the FACTS are...
"Visa's cardholder protection policy requires all financial institutions issuing Visa products to extend provisional credit for losses from unauthorized card use within five business days of notification of the loss. However, many major financial institutions affiliated with Visa will issue provisional credit even earlier--within 24 to 48 hours after the loss is reported."
http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
It just so happens that my bank offers 24-hour cash replacement. And a cursory look at the policies of other major banks (Wells, Citi, BoA, Chase) confirms the "24 to 48 hour" window.
I really hope you reply because I'm having a really great time over here rubbing your nose in it. Just put your tinfoil hat back on and carry on with your normal business. It'll save you both time and embarrassment. -
Re:Translation
That's also against the rules, IIRC. They CAN charge a fee to use a card, but not based on the transaction amount.
No, they can't do that either under Visa's terms. Here's exactly what Visa has to say:
Always honor valid Visa cards in your acceptance category, regardless of the
dollar amount of the purchase. Imposing minimum or maximum purchase
amounts in order to accept a Visa card transaction is a violation of the Visa rules.
Always treat Visa transactions like any other transaction; that is, you may not
impose any surcharge on a Visa transaction. You may, however, offer a discount
for cash transactions, provided that the offer is clearly disclosed to customers
and the cash price is presented as a discount from the standard price charged for
all other forms of payment.
Additionally, a business may only charge a "convenience fee" on non-face-to-face transactions.
http://www.usa.visa.com/download/merchants/rules_for_visa_merchants.pdf -
Re:This went on for nearly 2 years?
Actually, you should check your facts.
Any bank that issues a card with the Visa or MasterCard logo has agreed to meet or exceed the consumer protection policies of Visa or MasterCard. This is how it's ALWAYS been, debit card horror stories notwithstanding.
Visa:
"Debit cards have the same security protections as credit cards. Just like credit card cards, debit cards have Zero Liability* fraud protection and dispute resolution options."
http://usa.visa.com/personal/using_visa/personal_finance/debit.html
MasterCard:
"With your debit card, you'll enjoy great features such as worldwide acceptance at millions of locations, MasterCard Global Service, and Zero Liability* protection from unauthorized purchases."
http://www.mastercard.com/us/personal/en/aboutourcards/debit/standard_card.html
No, this protection is not mandated by LAW as it is with Credit Cards, but it is mandated by Visa and MasterCard who have ZERO INTEREST in seeing their good name tarnished.
Everyone has heard Debit Card Horror Stories. My suggestion is to have a critical ear and check the facts, instead of just passing-on the FUD. -
Re:Translation
I work at a bank and we get this complaint all the time. Check out the bottom of page 14: http://www.usa.visa.com/download/merchants/rules_for_visa_merchants.pdf. This is clearly against visa's terms, and if you report it to both Visa (800-VISA-911) and your bank, chances are the merchant will get a stern talking to by a visa rep.
-
Re:Retail theft, and not the kind you're thinking
I certainly hope they have fixed that since.
http://usa.visa.com/merchants/risk_management/cisp.html
I know my company has been quite busy lately making sure the equipment we are selling is compliant. -
prepaid cards?
Aren't there those prepaid credit card things which you can put money on with no identification and of no limited amount? What's the point here?
-
Re:It can be, if you want any small business
http://usa.visa.com/merchants/risk_management/cisp_overview.html?it=c|/merchants/risk_management/cisp.html|How%20to%20Comply#anchor_2 but this does not mention the amount fined.
Wells-fargo mentions the scope of fines here https://www.wellsfargo.com/biz/merchant/service/manage/associations/news and it seems my information may have been out of date. The fines are still pretty hefty. -
Re:It almost sounds like an urban legend
I have yet to see an actual URL to either case law, or a state/federal law that actually spells out the legality of bag checking.
http://preventshoplifting.com/shoplifting_law_by_state.htm
I did not read all 50 states, but for instance my state, Tennessee, does not specify searching personal property (the goods you just bought), but instead refers to detaining me. That leads me to believe that they have no right to search my belongings (disclaimer: IANAL). And even the detaining requires "probable cause" which includes:
(1) Personal observation, including observation via closed circuit television or other visual device;
(2) Report of such personal observation from another merchant;
(3) Activation of an electronic or other type of mechanical device designed to detect theft; or
(4) Personal observation of dressing rooms, including observation via closed circuit television, two-way mirrors, or other visual devices shall be limited to observation by a person of the same sex as the person being observed. No such observation shall be lawful unless notices are posted in such dressing rooms that such monitoring may occur.
In other words, unless they watched me from the time I touched the merchandise until the time I exit the store, they have no probable cause more likely than not.
bitch about cashiers checking who ask for photo ID when they take your credit card. Every merchant account contract I've signed or read explicitly prohibits this. You aren't even supposed to match signatures according to the contract.
http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
(See PDF pages 33 and 34 (those are material pages 28 and 29).)
Two things:
1)The store MAY ask for ID, but they can NOT decline the sale if the customer refuses.
2)You ARE supposed to match the receipt signature with the card signature.
Also, the one time that you SHOULD ask for ID is when the card is not signed (blank or simply has written "see id"). In that case you are supposed to have the customer sign the card in full view and compare that signature with the signature on their ID. You should NOT accept the card until it is signed. Also, if permissible by law in your state, you should write the ID's serial number and expiration date on the sales receipt prior to finalising the transaction.
Hope I've been able to shed some light. :) -
Re:It almost sounds like an urban legend
When should you [the merchant] ask a cardholder for an official government ID? Although Visa
rules do not preclude merchants from asking for cardholder ID, merchants
cannot make an ID a condition of acceptance. Therefore, merchants cannot
refuse to complete a purchase transaction because a cardholder refuses to
provide ID. Visa believes merchants should not ask for ID as part of their regular
card acceptance procedures. Laws in several states also make it illegal for
merchants to write a cardholder's personal information, such as an address or
phone number, on a sales receipt.
PDF from Visa, around page 29
I guess Visa doesn't explicitly disallow it, but every merchant account contract I've read says "thou shalt not check ID". Merchant accounts are a type of account that lets you accept credit cards. Unless you are a really big fish, you never directly go through Visa or Mastercard. Instead you find a company that offers a merchant account and they send you all the gear. You swipe a card, or do an internet transaction through their gateway. They route the funds into your regular checking account.
By the way in the document, before what I quoted, they have this interesting bit to say about "See ID":
Some customers write "See ID" or "Ask for ID" in the signature panel, thinking
that this is a deterrent against fraud or forgery; that is, if their signature is not
on the card, a fraudster will not be able to forge it. In reality, criminals don't take
the time to practice signatures: they use cards as quickly as possible after a
theft and prior to the accounts being blocked. They are actually counting on you
not to look at the back of the card and compare signatures--they may even have
access to counterfeit identification with a signature in their own handwriting.
"See ID" or "Ask for ID" is not a valid substitute for a signature. The customer
must sign the card in your presence, as stated above. (also on page 29, same document) -
Re:yeah yeah
Wrong. According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
Page 28 directs the sales clerk, "The final step in the card acceptance process is to ensure the customer signs the sales receipt and to compare that signature with the signature on the back of the card..."
On page 29, note "Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures..."
(emphasis mine)
There is no requirement to possess, much less carry, much less produce on demand, any identification other than your signature. -
Re:yeah yeah
According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures
So you can't *mandate* that someone provide ID in order to complete their transaction. But at least with Visa, merchants do have the right to ask (knowing that you don't have to give it to them). -
Re:It's Your Choice
Well, in the case of Visa anyway, you are protected whether your visa card is a credit or a check card.
I used to think there was increased risk to using a check card (esp. online), but listening to Dave Ramsey I found out about this feature (which you can read for yourself on the Visa website). -
Re:I had a similar experience
I write "ASK FOR ID" on the back of all my credit cards.
The credit card companies don't like that. Your agreement with the credit card company when you opened the account dictates that the card is not valid until signed. Additionally, if it's blank or says "See ID" on the back of your card, merchants are contractually required to have you sign it before accepting the card.
See VISA's fraud guidelines. Notice the crossed-out circle around the picture of the card with "See ID". If the card's not signed, the merchant's not supposed to accept it.
Whether or not requiring the signature is more secure may be open for debate, but "Ask for ID" is, literally, unacceptable.
-
Re:CC Companies Don't Care -- Merchants Get Screwe
See Visa's rules for merchants. And I quote:
Requesting Cardholder ID
Have a pleasant day.
When should you ask a cardholder for an official government ID? Although Visa
rules do not preclude merchants from asking for cardholder ID, merchants
cannot make an ID a condition of acceptance. Therefore, merchants cannot
refuse to complete a purchase transaction because a cardholder refuses to
provide ID. Visa believes merchants should not ask for ID as part of their regular
card acceptance procedures. -
Re:Age verification?
> it's easy to prove adulthood, by demanding a credit-card check.
That is a defense in American statutory law, but not in practice. There are any number of outlets where anyone of any age with a sufficient amount of cash may buy a Visa gift card. I once sent an 8 year old to do it and he came back to me with a legally-purchased, fully working card I used to buy a subscription to a porn site.
Indeed, Visa specifically prohibits using a Visa card number as an age verification mechanism in their Rules for Merchants:
"The merchant must not use the account number for age verification or any purpose other than payment."
(Approximately 60% of adult industry transactions carried out by credit card on the net are carried out with Visa cards.) cite
Even if Visa permitted such a use, the merchant fees make it unworkable: Visa charges a percentage of every transaction, and the acquiring bank charges a fee as well, generally anything from a quarter to a dollar per transaction, PLUS a percentage, ranging anywhere from 2.3% to 15% of the ticket price, depending on a lot of factors they won't tell you about. This means that it simply isn't economical to use credit cards as a verification mechanism: It costs the merchant too much. To make a credit card transaction pay for itself, the merchant must make enough profit on the transaction to cover the fee, and if there's no fee, there's no profit one can use to cover the cost of the transaction, so it's a money-losing proposition.
So, right now, there is no way to effectively prove age, either adult or minor, on the internet. None.
-
File a complaint if they demand ID!
Thanks for pointing this out. I'm so sick of being asked for ID when I use my credit card. BTW, here's a PDF of the merchant rules - page 29 also mentions the "See ID" nonsense.
Remember: if you try to buy something with your Visa, but they won't let you because you won't show your ID, you can file a complaint against the merchant by calling (800) VISA-911. So far I've never had to make the call, just had to threaten it. -
Re:Sounds Neat
Then it sounds like you were taught wrong. See page 29 of the Rules for Visa Merchants (PDF).
-
Re:Sounds Neat
"Years ago"?
Just downloaded seconds ago from VISA.com:
""See ID" Some customers write "See ID" or "Ask for ID" in the signature panel, thinking
that this is a deterrent against fraud or forgery; that is, if their signature is not
on the card, a fraudster will not be able to forge it. In reality, criminals don't take
the time to practice signatures: they use cards as quickly as possible after a
theft and prior to the accounts being blocked. They are actually counting on you
not to look at the back of the card and compare signatures--they may even have
access to counterfeit identification with a signature in their own handwriting.
"See ID" or "Ask for ID" is not a valid substitute for a signature. The customer
must sign the card in your presence, as stated above."
Check it out yourself: http://www.usa.visa.com/download/merchants/rules_for_visa_merchants.pdf?it=r|/merchants/new_acceptance/merchant_responsibility.html|Rules%20for%20Visa%20Merchants -
Re:Sounds Neat
I process cards for customers every day that have 'ask for id' in big letters on them.
And those cards - unless they are both signed and say "ask for ID" - are not valid.
Issuers require card members to sign the card as an acceptance of the terms of the contract. Visa says:
Some customers write "See ID" or "Ask for ID" in the signature panel, thinking that this is a deterrent against fraud or forgery; that is, if their signature is not on the card, a fraudster will not be able to forge it. In reality, criminals don't take the time to practice signatures: they use cards as quickly as possible after a theft and prior to the accounts being blocked. They are actually counting on you not to look at the back of the card and compare signatures--they may even have access to counterfeit identification with a signature in their own handwriting. "See ID" or "Ask for ID" is not a valid substitute for a signature. The customer must sign the card in your presence, as stated above.
If you are accepting these, either you or your employer are violating the terms of your merchant agreement.
-
Re:Misses the point
Seems that you haven't read the agreements too carefully then:
http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures.
Master card is even worse, though I don't have their manual handy right now. And while the majority of cards don't have pictures on them, an increasing number do. -
Re:Misses the point
> If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?
The detective in this Stop & Shop store said the theft "involved card readers being removed, tampered with, and reinstalled". This is negligence on that merchant's part. Here's a real life scenario of another form of negligence and why merchants should be held liable:
My Mother, who is retired, had her billfold stolen from her purse at a Whole Foods Store recently. One thief distracted her by pretending she was blind and asked her to assist in reading a food label, while the other thief meticulously rummaged through her purse. Before my mother had the chance to even leave the Whole Foods Store or checkout, several fraudulent charges were already placed at a nearby Walmart. The speed at which they made these fraudulent charges is important here, because many creditors recognize criminal case studies and factor those into their guidelines and procedures in a merchant agreement.
* The cashier never looked at the back of the card to match signatures. If they had, red flags and rockets would have flown all over that store. It wasn't even close, nor complete. You can read about such requirements here. Basically, and I never fully appreciated the importance of a signature on the back of a card before, 1) it has been shown in case studies that thieves move swiftly and do not practice signatures before use (nor do they have time in such a scenario presented here), 2) even if they do, they are required to sign a receipt in the presence of a cashier (which greatly assists cashiers in making that determination), 3) if no signature is present, an ID can be requested for verification (but some states do not allow this), 4) they must sign that card by Visa acceptance policy (and imagine a thief attempting that on the fly), and 5) even for the extreme case scenario of 3 (where customer refuses to give ID and cites state law, where only the boldest of thieves would venture here), that cashier is required to call a code 10. None of these precautions were followed. I fully recognize the time constraints of every cashier requiring every customer to follow along with these guidelines. I also fully recognize many stores have an acceptable loss scenario to facilitate customer expectations instead. Personally, I always thank a cashier for requesting my ID or matching signatures on my card. It is responsible and (as artificial as it might be) instills some level of assurance between me and that merchant.
> If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization.
There is some implied trust here that merchants follow some simple safeguards and procedures. Visa and other credit issuers are protecting us, the careless or oblivious consumer, from the inept merchant; as in this Stop & Shop or in my mother's case.
Walmart was held liable in this case. Visa made them chew on every bit of some $700 for a TV and gift cards. Even the detective investigating this case cited Walmart (not Visa) as responsible, as it should be in my estimation. The Walmart manager even said they were responsible in this case. I sympathize with them, but I agree with their own conclusion as well. This was a more traditional theft case scenario. The PCI DSS guidelines to merchants seem like an acceptable extension for the non traditional approaches as well (like the Stop & Shoplift scenario). -
Re:Misses the point
To me it is annoying that 90%+ of the time the merchant never checks my signature line which says "See ID" and actually ask for an ID.
To me it is annoying that people keep writing "See ID". It's a myth that writing "See ID" on the back requires the merchant to ask for ID. Read Visa's opinion.
If you read your cardholder agreement, a card that is not signed isn't valid. If you write "See ID" instead, the merchant is supposed to make you sign the card before they can accept it.
In fact, if you read the merchant agreements for Visa & Mastercard, merchants are not allowed to refuse a card because the cardholder does not have ID.
But if it makes you feel warm & fuzzy, write "See ID" on the back of your cards. That is the only benefit. -
Re:Should improve Customer service
Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?
No, I hate being asked for ID when using my card. In fact, Visa and MC rules prohibit merchants from requiring you to show ID to accept a card. I go They can ask, but can't require it. They also cannot accept a card with "See ID" without making the cardholder sign it. See page 29 of the Visa merchant rules (PDF) and pg 48 of the MasterCard merchant rules (PDF).
I usually file a complaint here and check the "merchant required identification" box.
-
Are you a lawyer?
I'm sure the law would say you stole the money, and so would anyone else
Are you a lawyer or a judge perhaps? Because, if not, then you can't be sure about anything the law would say. Even if you were, you could only state your own opinion unless you were actually involved in such a case.
Now yes, people might call you dishonest, but whether the law would is anyone's guess until it actually hits the courts.
Having been involved in such instances (been given more money than I paid, or billed incorrectly a low amount to my card because somebody missed a digit), in most cases the stores were very grateful when they are corrected, because otherwise they would have eaten the loss. However, in a physical store the solution would be to catch the person before they leave the store, because they have not actually "paid" for the invoice amount for the item in that case. It would be dubious if they could charge you with theft, but they could likely prevent you from leaving with the item until it is actually purchased.
The fact is that stores, banks, and others screw up all the time. Most of the time the customer doesn't profit from this, and most of the time you can get the issue resolved by going back to the store or dealing with your credit-card merchant. When you start involving credit-cards things get very murky as well, as there are many rules that go beyond law and deal strictly with the relationship between you, the merchant, and the CC company.
For example, see here. The issue is one of contract law between the three aforementioned entities. In this case, the promise is from Visa to you that you are not liable for an unauthorized transaction. In the case of Amazon, you have not authorized an additional billing to your account. There is no signature, no invoice /w button click, or other such things. The invoice was presented, the amount (even if the amount was nothing) was paid. As the customer has not agreed upon additional charges, he or she cannot be billed under the card-rules unless he/she agrees to the additional amount. -
Re:Article summary wrong (surprise)
The call center staffer seemed surprised I even asked and said a merchant could ask for ID for any dollar amount as a means of fraud protection.
Then you spoke to an ignorant call center staffer.
When should you ask a cardholder for an official government ID?
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures. Laws in several states also make it illegal for merchants to write a cardholder's personal information, such as an address or phone number, on a sales receipt.
Page 29 - Rules for VISA Merchants
Mastercard has similar rules and Amex says you can mandate ID, but only if you mandate it for all charge cards you accept, making their rules effectively the same as VISA and MC. -
Payment Card Industry Standards
The Payment Card Industry (PCI) POS Pin Entry Device standards set by Visa/MC/JCB specifically require that a device used for credit card transactions NOT store the PIN and be resistant to tampering (such that a card holder would be able to see that something is wrong with the device if it had been tampered with). Merchants are required to use devices that have received PCI certification through a certified testing lab. It would be interesting if these devices have received that certification. Visa standards here - Visa Partner Network
-
Re:Virtual Credit Card Anybody?
Some companies specifically forbid using Virtual cards.
Their contract specifies a monetary value that a customer
must pay, if one signs up using one these cards.
This would be in violation of the VISA Merchant Agreement. Though merchants ARE permitted to refuse to accept debit/prepaid VISA cards, they may not charge an additional fee for the use of a credit card (though a "cash discount" is permissible). See http://merchants.visa.com/ds/pdfs/Card_Acceptance_and_Chargeback_Guidelines.pdf (PDF), pg. 10 "No Surcharging". -
credit card merchant agreements
FTA:
I also found a section of the TOS contract that read: "You also agree not to dispute any authorized charge by True.com or its authorized agents." And "if you fraudulent[ly] report that an authorized charge by True.com or its authorized agents is unauthorized, you shall be liable to True.com for liquidated damages of One Thousand Dollars ($1,000.00) per incident."
Clearly no one is within their rights to dispute authorized charges. That's the whole point of a chargeback -- it's to charge back unauthorized charges.
You can't sign away your right to dispute unauthorized charges. For example, VISA's Chargeback Guidelines (PDF) specifically address this:
"No Chargeback" Sales Receipts
Independent entrepreneurs have been selling sales-receipt stock bearing a statement near the signature area that the cardholder waives the right to charge the transaction back to the merchant. These receipts are being marketed to merchants with the claim that they can protect businesses against chargebacks; in fact, they do not. "No chargeback" sales receipts undermine the integrity of the Visa payment system and are prohibited.
BTW, reading the VISA document above is well worth the time. It's useful for those checkout line arguments you invariably find yourself in occasionally. (minimum charges, ID checks, etc.) -
Re:Pay in cash, get a cavity search
Then again I am flying to the US in three weeks' time for a skiing holiday, and I paid with a cheque or a check if you cannot spell :-). Why, well the holiday company wanted to make a 3% surcharge for paying by debit or credit card.
In many cases, this violates their merchant agreement. I'd phone up your credit card company and ask if they authorize a merchant to implement this practice. If it's not, pay by credit card, accept the 3% surcharge (as long as it's itemized as such on the invoice) and then call your credit card company and have them refund the amount plus put some heat on the merchant.
A quick Google turned up this Visa USA merchant rules PDF document (HTML google cache). -
Re:You don't need ID
The signature on the card is not intended to be an exemplar.
Yes, it is. From page 28 of the Rules for Visa Merchants:
The final step in the card acceptance process is to ensure that the customer signs the sales receipt and to compare that signature with the signature on the back of the card. When signing the receipt, the customer should be within your full view, and you should check the two signatures closely for any obvious inconsistencies in spelling or handwriting.
-
Re:You don't need ID
According to page 29 of this PDF: "If you are suspicious about the transaction or feel you need additional information to insure the identity of the cardholder, make a Code 10 call." Page 33 describes the code 10 procedure, which is basically just making a phone call and answering some questions, all done in a manner designed not to make the customer suspicious (which is why they call it "code 10" instead of "I think this card is STOLEN!").
-
Re:You don't need ID
Wow. I didn't know that. I guess I shall be calling it soon - EBGames always checks ID for all credit card purchases. (They have a sign, too...) And yes, they take Visa - I only carry a Visa card. Not only that, but they record down the ID presented and the number. I believe that would really be against their rules...
Indeed. Here are the merchant rules (PDF). Page 29 says "merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures. Laws in several states also make it illegal for merchants to write a cardholder's personal information, such as an address or phone number, on a sales receipt."
Anyhow, how are merchants supposed to check signatures?
Look at one, look at the other, and decide whether they match.
If you don't sign the back of the card, they ask you to sign right there, so the signature strip on the back is useless for comparisons.
Well, it's useless that one time. But if you don't sign the back of the card, it's not valid anyway; you're supposed to sign it as soon as you get it.
On the same page of the merchant rules is this procedure for dealing with unsigned cards:
1. Ask for ID. (This is the only time it's acceptable to demand ID.)
2. Ask the customer to sign the card while you watch. If he refuses to sign, do not accept the card.
3. Compare the signature on the card against the signature on the ID.
I can't recall what the purpose of the signature on the back of the card is for, other than maybe indicating that it's a valid instrument for financial transactions?
It's there so merchants can make sure you're the same person who the card was issued to. Forging a signature isn't as easy as it sounds. -
Ask Visa
Why not ask them?
https://corporate.visa.com/ut/contactform.jsp?title=Other -
Re:Sale of information by company officials
I'm in the IT department for a large ISO and give the security lecture during new hire orientations. We have to follow PCI compliancy and are aware of the dangers on the Internet. Insider jobs are a threat, but not yet. Right now, most of the crime is organized out of European countries and the most they use outsiders for is as a mule. The list they gave along with social engineering is actually quite accurate. CardSystems, an ISO with some 119k merchants, was compromised last year due to a SQL injection attack and the storing of track 2 data of failed transactions on their processing hosts in plain text. Part of PCI compliancy is to only store that data in a strongly encrypted form (They give examples) and it's common practice to only store it during standin (When the upstream processor is down) and after standin until all the transactions run through successfully. They really f*ed up! The debit card fraud that happened earlier this year is still under investigation, but rumors have it that the POS system that Sams Club and/or OfficeMax use to send all the transactions to their processor was compromised. Of course, we won't know the story until the feds either give up or find the criminals.
-
Re:Little Suzy.
No, because when I buy my airline tickets on nwa.com with my Northwest Airlines WorldPerks Visa Signature card, I get:
a) Double miles (e.g. if the ticket from DTW to PEK is $1700, I get 3,400 miles for the purchase + mileage for flying (about 30,000 w/ platinum elite). I wouldn't get those 3,400 miles if I paid cash)
b) Lost baggage insurance (an extra $3,000 beyond what is covered by common carrier agreement)
c) Travel insurance (accidental death & dismemberment)
d) Travel emergency assistance
+ a lot more - http://usa.visa.com/personal/cards/credit/visa_signature_benefits.html
Personally, I put everything on my credit card, and it's gotten me a number of free roundtrip (international) tickets so far. And I pay no finance charges, because I pay the balance off. (Yes, the WP card has a $90/yr fee, but since miles are worth roughly $.01-$.02/mile, that's about 4,500-9,000 mile-equivalent. Since the credit card gets me much more than 9,000 miles/year, it's worth the $90 fee.) -
Credit Card Security Impact
I can't help but wonder whether the payment card industry will adjust their security standards in the face of this kind of threat. Currently, the security standards stipulate that a credit card number has been sufficiently protected/destroyed if only the last four digits of the account number are kept. In the face of this kind of attack, would that be enough? All of a sudden, what information is left is being used to obtain whatever was missing.
I can see security requirements being adjusted in a couple of ways: First, require complete obliteration of the credit card account number when it is no longer needed. Don't even keep the last four digits. Second, require that various pieces of information be kept in separate logical or physical databases. If card numbers are stored separate from addresses and other personal information, it's one more barrier for an attacker to overcome. -
Re:Hmm
This is why small shops will often have some minimum transaction to accept credit.
Of course, in the case of Visa and MasterCard, this is a violation of the agreement that the store signed with the credit card company. See Visa's FAQ and MasterCard's FAQ. For more information, check out this article. (As an aside, it's interesting that the store is prohibited from demanding identification in most cases.)
-
Re:So if they want to be banks...
If they are accepting credit cards, then they must be affiliated with a merchant bank. It is not possible to accept a credit card without this affiliation. If they are considered a Level 1 merchant by Visa, then they have to go through an annual independent PCI compliance review.
A level 1 merchant is defined as the following:
Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year.
Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Any merchant identified by any other payment card brand as Level 1.
The PCI Data Security Standard consists of twelve basic requirements and is actually very similar to what is regulated at most banks as per FFIEC guidelines. Every Level 1 merchant must have the following:
Annual On-site PCI Data Security Assessment performed by QDSPs that are working for a QDSC (individuals that have been certified to perform the review that are working for companies that have qualified to attest to the compliance to the standards)
Quarterly Network Scan by a qualified scanning vendor. The qualified scanning vendors are screened by Mastercard and are only able to qualify by scanning a controlled environment and producing results that meet the standard that has been established.
Finally, if there are any doubts, PayPal-Verisign is on the published list of qualified service providers, indicating that they have complied with the standard I mentioned before as a service provider, not just a merchant. -
Visa PCI CISP is a good set of practices
As a large merchant that handles Visa card numbers, we have to undergo an annual Visa PCI CISP audit. The questions are pretty thorough, and if you can fully pass the audit you can tell management that you've reduced your risk of exposure. The link to the pages is here: CISP.
Of course, you're probably not interested specifically in protecting "Visa's track data" but in whatever data you consider sensitive. Applying the listed policies and practices would go a long way towards securing your resources, whatever it is you want to secure.
As a large corporation, failure to comply would mean the penalties would be severe (and most likely business-damaging.) If you're not handling card data, you won't have the same consequences, of course. What the penalties meant to us, though, is that top management made a decree: 'fix the problems and pass the audit -- we can't afford not to.' Having top-down pressure means that if we have sensitive data that we're passing to another team, we're both inclined to work together to solve the issues. If one team balks, a phone call up the pyramid gets things back on track. If your university is serious about this, a similar edict will go a long way towards cleanup.
Another boost in the direction of securing our data was hiring an external consultant to perform the audit. Our auditor is very knowledgeable about ways to follow the data: where does it enter the system, where does it go from there, who writes it to disc, why do they save it, and do they have a business need to save it? Can the data be eliminated? Can a token be substituted for the data? Can the data be truncated? If not, can it at least be masked on reports where the details aren't needed?
As far as specifics go, each development and maintenance director's pyramid was required to assign a manager to own the PCI process. Each team had to go through their code, identify sensitive data, and take steps to protect it. They also had to go to the data owners, and have them redact their archives.
It's huge. But given the security breaches that are almost a daily occurrence, we can't afford not to.
-
Re:Interesting how things change
Do we really depend so much on the internet?
Yes! Last holiday season, over 10% of purchases made using Visa were online (Source - PDF). If you are familiar with trends, 10% is critical mass, the point at which a concept takes off. The Internet is very much an entrenched part of the first-world economy.
-
Re:Most?!?
I've just started considering these questions in preparation to handle some online creditcard processing.
I had thought about the "require a password on server startup to decrypt the passwords into RAM" method, but that prevents unattended server restarts and so in the (hopefully rare) case of an unscheduled service/process restart you'd have to get onto the server and enter the password before the application would be available again. Not optimal in my opinion.
Regarding best practices I've found The Open Web Application Security Project and the Credit Card industry's PCI Data Security Standard. Visa's implementation is called CISP.
Both seem to recommend a multi-level security strategy with numerous barriers between the outside world and your data.
Another thought: If you only need administrative access to the data or don't need to access it from that machine at all, using a public key encryption scheme would probably work well.
.jonah
-
Re:What are we supposed to use?
Retailers can store the card number details as long as they're needed and can defend that need to the card company. Visa's security questionnaire implies they permit this by asking certain questions about the nature of encryption used for stored cardholder information. What you can't store are the full details from the mag stripe track (like accompanying cardholder name and expiration date) and you can't store the security code on the card.
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Self_Assessment_Questionnaire.doc?it=il -
Untrue, there ARE rules Re:There ARE no rules.
The PCI standards dictate how cardholder data must be protected.
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
"In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard."
AND Visa is requiring that companies are audited for compliance.