Slashdot Mirror


User: taustin

taustin's activity in the archive.

Stories: 0 · Comments: 2,322

Comments · 2,322

  1. Re:Easy fix on LA Police Officers Suspected of Tampering With Their Monitoring Systems · Score: 2

    So any cop you don't like, like the one who is going to testify against you, is easy to get rid of by just breaking the antenna off on his car? Man, that's just a brilliant plan!

  2. Re:Ethical is irrelevant. on NASA Can't Ethically Send Astronauts On One-Way Missions To Deep Space · Score: 2

    When the taxpayer is paying for it, and in NASA's case, the taxpayer is always paying for it, it is most certainly the taxpayer's business. And the American public will not take well to suicide missions. First in space death followed by the talking heads wringing their hands about "well, we planned that," and NASA is gone, by public demand.

    (I, personally, do not entirely disagree with you, but the political reality is that it's not going to happen.)

  3. Re:"phobia" is a misnomer on Getting Misogyny, Racism and Homophobia Out of Gaming · Score: 1

    Morgan Freeman didn't actually say it, but wisdom comes from other people, too:

    "I hate the word homophobia. It's not a phobia. You are not scared; you are an asshole."

  4. Re:not news on Kickstarted Veronica Mars Promised Digital Download; Pirate Bay Delivers · Score: 1

    "We're not saying anything new here. We're just saying the same things that need to be said again and again with fierce conviction."

  5. Re:Obvious Answer on Measles Outbreak In NYC · Score: 1

    For a large enough school district, just put the unvaccinated kids together in the same class. They'll all get each other sick, and their parents will have to deal with it (and children are all disease vectors). Meanwhile, the vaccinated kids are together in another classroom, healthy, and getting better grades, getting into better colleges and getting better jobs.

    The world needs its poor, its losers. Somebody has to dig ditches.

  6. Re:Contributory rioting on South Park Game Censored On Consoles Outside North America · Score: 1

    It's called "inciting to riot," and yes, it's been a crime for decades. Duh.

  7. Re: I disagree on South Park Game Censored On Consoles Outside North America · Score: 1

    And lost a cast member over it (Isaac Hayes). When Parker and Stone say "no sacred cows," they mean it.

  8. Re:Survey results != Real world on Psychologists: Internet Trolls Are Narcissistic, Psychopathic, and Sadistic · Score: 1, Funny

    (5) "Troll" is lingo --- you may have people who enjoy trolling, who have absolutely no idea what the word 'Troll' means.

    And, generally speaking, what it really means is "someone who says something that I don't like." I wonder if this study even bothered to define the term, and if so, if it's a measurable definition.

  9. Bogus analogy on Ask Slashdot: Should Developers Fix Bugs They Cause On Their Own Time? · Score: 1

    The "builder" building the wall is the contractor, who may or may not be the guy putting bricks on top of each other. If it's not, the guy putting bricks on top of each other is his employee, who gets paid by the hour. The contractor eats the cost of bad workmanship, and if it's not the first time, probably fires the employee for incompetence. If he expected his bricklayer to fix it on his own time, he'd be fined, possibly even jailed, for violating state and federal labor law.

    The only relevant question is, are you a contractor working on a contract that allows this, or are you paid by the hour? If you're an employee of the company, what your boss proposes is a crime.

  10. Re:Sorry, it's horribly insecure, on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    EMV will not alter how secure banks are in either direction. That is irrelevant. It removes the merchant - the retailer - from the equation. That removes the biggest weak spot in the system today.

  11. Re:Misleading liability claim on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    Everything you say is different than my 30 years' experience in retail (most of it in an IT position, responsible for things like PCI compliance). Our merchant service tells us that when 80% of our equipment is EMV capable, we no longer have to worry about PCI. EMV isn't required for PCI compliance because PCI compliance isn't required with EMV.

    Given conflicting stories between our merchant service compliance officer and some random guy on the internet, I know which I believe.

  12. Re:Tin foil hats! on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    The chip and pin system is called EMV, for Europay, MasterCard and Visa. The heart of EMV is chip cards, which allow for the card reading pad to encrypt the transaction before it leaves the pad, using keys from both the card (the chip part) and the merchant service. The cards have to be set up by the merchant service with their key; the merchant at no point has access to that key.

    The EMV standard also includes NFC - Near Field Communications. It is similar to RFID, but not the same thing. The main difference is that RFID has a range of a meter or two, while NFC has a range of a centimeter or two.

    They are separate standards. One is part of the other. I don't think there is a requirement that merchants deal with NFC, but I haven't seen any EMV equipment that doesn't include it.

  13. Re:Restaurant on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    EMV is two factor. The PIN is one, but all the card data is also encrypted on the pad, and the merchant never sees it. The customer can't produce usable card data without the actual card. If the PIN is entered by the card holder at the table, the waiter has no opportunity to steal the card.

    This will reduce the sort of fraud you refer to. But that's a happy side effect. The real target is, well, the Target type breach. If the merchant never sees the card information, you can't steal 120 million card numbers from the merchant. The only place to get that kind of payoff is to break in to the bank's computers, and that is, so far, rather more difficult.

  14. Re:Misleading liability claim on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    What you say simply isn't true, for brick & mortar stores (which is the only place this applies to). There are specific rules and procedures the merchant is required to follow - swipe the card, and if you can't, make a physical imprint of it (many merchants won't bother, they'll just decline any card that won't swipe), to prove you had a physical card in the store, and get a signature. Sometimes, there are other requirements, like checking ID, for high risk industries or merchants that have had problems in the past, but those two things protect the merchant in most cases.

    What the article refers to (and the summary, at least, doesn't really explain very well) is that after October 2015, merchants that do not have chip and pin equipment (specifically, EMV compatible) in place are automatically responsible not only for the amount of the transaction, but for all costs associated with investigating and remediating fraud. This is a change from now, where those costs are carried by the merchant service if the merchant is PCI compliant, and by the merchant if he's not. (This is the only time that the difference between swearing you're compliant and being compliant matters.) EMV removes PCI compliance from the equation entirely, because the merchant never sees the card information at all, and cannot store it. The only place to steal millions of card numbers at once will be from the merchant service, which is more difficult, at least.

    Generally speaking, under US law, with the current system, it is the merchant service - the bank - that eats the cost of most fraud. Only stupid merchants who don't follow the rules lose out. (In brick & mortar retailers. For online transactions, yeah, the merchant is pretty much hosed, because they never have a physical credit card in their hands.)

  15. Re:Umm.. just as Europe moves beyond chip and pin. on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    I usually just write "Please check ID" in the signature box on my cards,

    I've always found that an amusing form of stupidity. Your contract with the card issuer requires you sign it. Period. Any cashier who is aware enough of the rules to know to check the signature will likely know it has to be signed. I've seen credit cards refused because someone wrote "check ID" on the back instead of signing it - and rightly so, as they are required to do so.

    The signature (on the card, and on the transaction, both) has nothing to do with security. It is a signature on a legally binding contract.

  16. Re:Umm.. just as Europe moves beyond chip and pin. on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    The most sophisticated fingerprint scanners can be defeated with gummy candy. Mythbusters got past one - a brand new design, which included checks for pulse, etc., with a Xerox of the correct fingerprint. The "is it a live finger" feature they defeated by licking the Xerox.

    And if you steal someone's card, the odds are, their fingerprints are all over it. The average person can build a fingerprint kit for about $10, if they have access to Google.

  17. Re:Better late.... on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    Even before the Target breach came to light, they were asking for them and the plan was to start rolling out in October of 2015.

    No. The plan was, and is, to have EMV fully implemented at the retail level by October 2015. That has been the plan for at least two years. Most merchant services are pushing, hard, to get it in place by the end of this year. The incentives are considerable.

    However, even then the credit card issuers wanted to make the PIN optional and up to the issuing bank or CU. This would essentially make them chip and sign by default. The retailers want mandatory PINs.

    Retailers want as little liability for things beyond their control as possible, and mandatory PIN helps that. Once you have EMV compatible hardware in place, you no longer have to worry about PCI compliance (because the merchant has nothing to steal, no matter how thoroughly their network is compromised).

  18. Re:Better late.... on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    The Target breach was a large enough embarrassment to light the fuel under the motivational bonfire.

    The Target breach has absolutely nothing whatsoever to do with this. The push to move to EMV chip and pin technology in the US has been going on for years. The requirement for merchants to switch was announced at least two years ago.

  19. Re:One question on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    Er, dude, in the US, the card processors are liable for fraudulent transactions (assuming the merchant follows the rules). That has been the case for decades.

    Which means that profits and security are intimately linked.

    It's taken this long because it has only been in recent years that the fraud has been more expensive than the upgrade. That is a side effect of the recent rash of huge breaches involving tens of millions (or more) of card numbers at a time, exploited by large organized crime groups.

  20. Re:Sorry, it's horribly insecure, on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    The big security advantage of the EMV chip and pin system is that it eliminates the merchant as a source of card number theft. The EMV pads encrypt all the account info before it leaves the pad, and the merchant never sees it. That way, you can break in to Target's network and steal 120 million transaction records, but you get zero usable accounts (or any other info, unless you're the NSA tracking "terrorists" through "metadata" or something). All but one (IIRC) of the really big breaches have been of merchant networks, not banks, so this really is a big improvement.

    Also, in the US, the PIN on a debit card is already encrypted on the pad, and the merchant never sees it. I gather this is not necessarily the case elsewhere.

  21. Re:It's about time. on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 1

    You should also avoid cards with magnetic strips on them. Damn dirty electromagnetic field technology!

    I know a guy who used to deliberately de-magnetize all his cards. Until stores started refusing to take them because they couldn't swipe them. (Whether or not the mag strip is swiped is part of the transaction record, and makes a difference in who is liable if the transaction is disputed.)

    His middle name isn't "idiot," but that's mostly because he can't spell "idiot."

  22. Re:It's about time. on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · Score: 2

    If fraud happens on these new cards, it becomes up to the consumers to prove that it was fraud and that they did not compromise their PIN.

    I'm not aware of any changes in the law regarding credit cards, which say that the consumer is only responsible for the first $50 (and not even that once it's been reported). Do you have a source on that claim? No? Why am I not surprised?

  23. Re: Network segmentation on Target's Data Breach Started With an HVAC Account · Score: 1

    Nice theory. How much less per hour are you willing to make to pay for it?

  24. Re:Network segmentation on Target's Data Breach Started With an HVAC Account · Score: 1

    The enforcement comes after a breach, not before. It takes the form of "You weren't compliant, even though you swore under oath you were, so you are 100% responsible for all costs. You pay for the investigation, you pay for remediation, new cards, mailing costs, etc., and you pay 100% for all fraud committed with the stolen numbers. You do so now, or we sue you until you do." And you, the merchant, agreed to all that when you signed up for the merchant account, so you'll lose if you fight.

    The enforcement, in this case, according to TFA, is up to $420 million.

    But PCI compliance isn't actually all that difficult to do, and Target probably was compliant. There are numerous provisions for exceptions based on business need. If you decide you need computerized HVAC systems, and given the size of their stores, they do, and you can demonstrate that it's cheaper (and probably by quite a bit) to contract that out to a third party, and I'm sure they can, and that third party gives a significantly lower quote if they can work remotely, and it's hard to imagine that's not the case, then there's a business need for remote control. And that is an opportunity for compromise, as Target has brilliantly demonstrated.

    Be interesting to see some details on exactly how that compromise took place. Most likely, I would imagine, social engineering, or a simple bribe.

    And no, there's no requirement anywhere in PCI that your air conditioners be segmented from your credit card processing servers. Yeah, it's stupid not to, but if "don't be stupid" were a PCI compliance issue, there wouldn't be a single credit card merchant anywhere in the world.

  25. Re:how about PCI compliance on Target's Data Breach Started With an HVAC Account · Score: 1

    The only segmentation required is for WiFi and publicly visible servers, like web and email. And "segmentation" isn't really defined in the PCI specs, so it's very, very fuzzy. Remote access to any part of the network is explicitly allowed (provided it's encrypted) if it's needed. And that's the thing about PCI - almost anything can be an exception based on the needs of the business. When the choice is between keeping the network secure and losing an important customer, even Visa and MasterCard get real practical, real quick. And Target is a big customer. I suspect they're one of the handful (as in, you can count them on your fingers) Class I merchants in the country.

    Plus, as has been noted, PCI isn't law, it's a contractual requirement with a merchant account. A purely civil matter. It isn't possible to go to prison for not being PCI compliant (though many have speculated there might be an "inside job" component to this, which would be a completely different matter).