Sorry - I didn't mean to get your back up. Fact is however that I am an EFT system developer working for a Payment Service Provider, and as such deal with multiple acquiring banks, merchants, card schemes and am very familiar both with the PCI standards and inter-bank communications.
I did mention that point b varies greatly between card issuers, and acquiring banks, so I won't argue if you have different experiences there. But point c is an actual fact. Point d is also a fact with the vast majority of acquiring banks: if the acquiring bank receives a chargeback request from the cardholder they will contact the merchant with an RFI on the transaction. At this point it's up to the merchant to prove that the transaction flowed through their system, and they'll receive the PAN in the RFI. If the merchant doesn't store the PAN they have nothing to tie the transaction to the RFI. These points are not detailed in the PCI standards, these are just things that any decent EFT systems developer will be familiar with.
In your original post you also said that 'The Payment Card Industry standards are, at this point, simply a recommendation.' That's also not true. Compliance is mandatory. There are various levels of compliance, requiring different levels of validation of compliance, but even at the lowest level, completion of an SAQ is mandatory.
You also said that compliance was as simple as changing one line. This leads me to believe that you're authorising through a payment gateway / PSP, and your payment gateway will therefore undertake the burden of PCI compliance. This probably also explains why you're not familiar with the settlement process (PSP will generally take care of that also). Please understand however that a lot of merchants don't use PSPs, and PCI compliance is anything but trivial.
There are some mistruths in this otherwise quite informative post.
Firstly, most of the acquiring banks actually request that the merchants keep card number data for *at least* 6 months after the original transaction. This is to allow the cardholder time to make a chargeback, and for the acquiring bank to make enquiries with the merchant about the transaction. Some acquirers have much longer data retention periods.
So the full card number is required for
a) initial authorization request, typically taken when the cardholder places the order,
b) reauthorisation prior to dispatch (typically required when the order has taken more than a week or so to process - if the card is not re-authed the merchant may face chargeback. This varies between card issuers and acquirers.)
c) Settlement, ie when the merchant actually banks the money. For this the merchant sends an end of day settlement file containing card number and authorization details.
d) Then, as mentioned, most acquirers request the details are kept for at least six months to allow for Request For Information queries about the transaction.
Final point is that PCI allows for card numbers to be stored in first six, last four format - but for receipts you're quite right in that it must be only the last four digits (at most) printed.
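A worked example of the truncation rules described in the post above (first six / last four for storage, last four at most on a receipt), plus a check for full PANs left lying in a settlement or RFI log and a test of whether a truncated record can still be tied to the PAN quoted in an acquirer's RFI. This is added example code, not the poster's own; the log lines are constructed for the example and the card numbers are well-known test PANs.

```python
import re

# Constructed sample of an end-of-day settlement / RFI log for this example.
# Lines 1 and 3 carry full (Luhn-valid) test PANs, line 2 is already truncated
# first6/last4, and line 4 is a 16-digit run that fails the Luhn check.
SAMPLE_SETTLEMENT_LOG = """\
TXN=000123 PAN=4111111111111111 EXP=0909 AMT=1299 AUTH=012345
TXN=000124 PAN=411111******1111 EXP=0909 AMT=2500 AUTH=012346
TXN=000125 PAN=5555 5555 5555 4444 EXP=1010 AMT=999 AUTH=012347
TXN=000126 PAN=4111111111111112 EXP=0909 AMT=100 AUTH=012348
"""

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# that are not butting up against other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise(pan: str) -> str:
    """Strip the spaces and dashes a PAN is often keyed or printed with, then validate."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


def truncate_for_storage(pan: str) -> str:
    """First six / last four: the truncated form PCI-DSS permits a merchant to keep."""
    digits = normalise(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_for_receipt(pan: str) -> str:
    """A receipt may show at most the last four digits."""
    digits = normalise(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return every full, Luhn-valid PAN found in text (a settlement or RFI log, say).
    Run this over retained files to confirm nothing beyond the truncated form survives."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def ties_to_rfi(stored_truncated: str, rfi_pan: str) -> bool:
    """Can a truncated record be tied to the full PAN quoted in an acquirer's RFI?
    First six and last four must agree; truncated data cannot give an exact match."""
    digits = normalise(rfi_pan)
    return (len(stored_truncated) == len(digits)
            and stored_truncated[:6] == digits[:6]
            and stored_truncated[-4:] == digits[-4:])


if __name__ == "__main__":
    print(truncate_for_storage("4111 1111 1111 1111"))   # 411111******1111
    print(mask_for_receipt("4111111111111111"))          # ************1111
    print(find_unmasked_pans(SAMPLE_SETTLEMENT_LOG))     # the two full test PANs
    print(ties_to_rfi("411111******1111", "4111111111111111"))  # True
```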
Actually, that's the way it currently does work according to the PCI-DSS. There are four levels of compliancy, and although the compliancy points across all levels are similar, the accreditation is more difficult at the higher levels (requires certification from an independent Qualified Security Assessor).
I think most of the EFT industry sees this move by Arnie as the correct thing. The payment card industry 'PCI Co' (mainly Visa and MasterCard) has already mandated that merchants must comply with the Data Security Standard. They also have the means to force non-compliance fees on merchants, through their acquiring banks.
In short, there's no need to add layers of government bureaucracy to the mix - it would just cost the tax payer for something that the card industry should be able to manage, and add extra levels of confusion to what is already a difficult landscape of compliancy.
You've jumped on the bandwagon at just the wrong time. The EFT industry (which I'm part of) is currently going through a bit of an upheaval to increase security of card number data. If you're seriously thinking about developing a POS solution, then I would take a long hard look at the number of hoops you need to jump through to become compliant.
PCI-DSS covers system and network security. PA-DSS (still in draft format, and perhaps still better known as PABP) covers software application security. There are also things like EMVCo if you're thinking about chip and pin cards, and APACS standards (in the UK - not sure what the US equivalent is) for message formats to and between acquiring banks.
Considering you state you haven't even learnt coding yet, you will most certainly be jumping in at the deep end with this task. I've got around 10 years experience in the field, and the pace of change is... breathtaking. Good luck - you'll need it! :)
When .NET was announced as a platform independent language, I always struggled to imagine Microsoft developing the framework on anything other than Windows. Can you imagine Microsoft developing class libraries for Linux, or Apple Macs? Surely the world would end.
So this move is a fairly wise one by MS. There's now a chance that the .NET framework will be developed for other platforms. And once that happens MS can help nurture a happy little band of developers, all sucking up MSDN licenced tools.
I like this one. It seems the record companies try to get marketing data from illegal p2p downloads.
----------
Subject: Nicole Scherzinger
Date: Fri, 24 Aug 2007 15:14:31 -0700
Nicole from pussy cat dolls has a single called "whatever u like". It's
not selling well on itunes or playing that great on radio. A song
called "Baby Love" just leaked (I don't know how long ago). Interscope
wants to know if Baby Love is picking up steam on p2p. They need to
make a decision by early next week on whether they should switch to this
song as the single. Please get me a score comparison on Monday for
these two tracks. Also, please put beyonces, fergie, gwen, and nelly
furtado singles as comparisons.
It's a cunning move. Seeing as I already own HL2 and EP1 my obvious choice is to buy the orange box, and gift the extra HL2 and EP1 to a friend... who then likes them enough to want to buy EP2, and decides the orange box is best choice, so he passes on the extra HL2 and EP1 to a friend...etc etc...
I agree, and of course that's why I never register my car. Because if someone steals my car and uses it in a bank raid - I go to jail. I also never buy legal registered versions of software in case they get hacked and it looks like *I* was the bad guy. Psheesh.
This process exists already. It's called Verified By Visa, or MasterCard SecureCode. In both cases the merchant site redirects you to the acquiring bank, gets you to enter a secure password, and returns a unique 'Cardholder Authentication Verification Value'.
Obviously this is currently an optional process, requiring you to sign up to the VBV or SecureCode service - but it's becoming more mandatory.
No similar process exists for recurring transactions (or continuous authority as it's sometimes known). This is obviously harder as you can't authenticate the cardholder each month. Your idea of returning a unique code that can only be used by the merchant that originated the transaction would be a good idea though.
Unless I'm missing something, we've had this service in the UK for the last year or so. It's available via Blueyonder (a cable TV provider who actually laid their own fibre backbone years ago I believe).
The service is called Teleport, and in a lot of ways it seems better than this offering because it streams instantly (like really, instantly) to the TV. There is no lag, the picture quality is normal broadcast quality, and the price competes with DVD rental (with the obvious bonus of not having to move off your couch).
As part of the normal cable TV subscription Blueyonder also offer the ability to stream a variety of TV programmes that you may have missed earlier in the week. Streaming TV shows is free. It's almost like having a PVR, but without the need to remember to record stuff. It's a great service that I sorely miss since I moved 6 months ago into a street which isn't wired for cable.
One of the features I most missed when I migrated (perhaps downsized) from my beloved Amiga to PCs / Microsoft Windows was the RAM disk.
http://www.amigaos4.com/index.php%3Foption=content &task=view&id=9&Itemid=0&limit=1&limitstart=2.html
How come Microsoft didn't copy this feature I wonder? The ability to temporarily store files to RAM (rather than having some temporary disk space that you had to remember to delete) was a great feature for me that I really missed in the early days of my PC use. For example, to copy files from one floppy disk to another in the Amiga OS you would use the RAM disk, but on DOS / Windows you had to create a temp folder on hard disc, copy stuff back and forth then delete it all.
The best part about this is that if you refuse the roadside test, they can arrest you, take you back to the station and get your FULL fingerprints (rather than the index finger only that the roadside test takes).
I find it pretty disgusting that the first time we hear of the system it's already out there and ready to be used. What happened to discussing these things, getting opinions, considering the implications? Or dare I say was it rushed out to avoid exactly those kinds of questions?
It's the chip in the card that verifies the PIN, and it locks out after 3 failed attempts (at which point you have to take the physical card to the bank for a reset).
But that's kinda beside the point anyway, because you can't clone the chip. Only the magstripe can be cloned.
It's probably worse than you think. (I write software for card authorisation and Electronic Funds Transfer systems.)
In my eyes the end of day polling file is the easiest attack. At the end of the working day each store will gather all of that day's transactions into a file and submit them to the bank for collection. The file contains the card number, expiry date, value of the transaction etc etc. Most stores will submit this file over PSTN dialup, and without encryption. A few banks (Natwest/Streamline for example) encourage encryption, but none mandate it.
You can imagine for large stores that the file will contain thousands of live card numbers. It's like a wet dream to a fraudster and all it would take is a phone tap on the line (similar to what this guy did).
I bought a pre-n router, and it's not because I'm 'clueless' about bottlenecks. There is a major USP to most of the pre-n gear, and it's range.
With my old .11b router I could get a decent signal at most points around the house, but as soon as I took the laptop outdoors I was in trouble. I basically had to huddle near the wall and hope the signal didn't drop.
I passed the .11b router onto a friend and bought a Belkin pre-n router and was astonished at the range. I can get great signals outside now, and actually can still get a strong signal outside, down the street and around the corner (ie through someone else's house as well as my own).
So next time you want to talk about smucks, make sure you know what you're talking about. I couldn't care less about the bandwidth (in fact my laptop still has its original .11b adapter), but the range benefit is significant.
You're absolutely right of course, people are overreacting in mostly all of these situations.
..but put yourself in their shoes for a moment. Imagine you're working in some dull 9-5 job, doing the same monotonous thing day in, day out. Then one day something unusual happens.. a parcel with white powder, an odd looking device where you don't expect it, whatever.
If it's unusual, you will want to make a big deal out of it, for two reasons:
1 - The usual rap that every good right-winger spouts... There's always that chance that if it is something bad, you could save lives by reporting it, and you can't risk being responsible for the consequences of ignoring it. But more probably..
2 - Something unusual just happened! You can make a big deal out of it. It's something to tell your buddies at the bar. It could lead to some recognition from people above who perhaps previously didn't even know your name. You can make a name for yourself, perhaps even get a minute on the local news. You can probably cause enough disruption to take a short break from the 9-5 monotony when the law agencies arrive. And let's face it, having a bomb squad arrive at your place of work IS pretty exciting, especially if they use one of those neato robot things...
So anyway, don't be too surprised that this happens. It's human nature.
I'm curious as to how the Data Protection Act applies to the ID Card scheme. Under the Data Protection Act I have the right to demand a hard copy of all the data that any company holds on me. Will I be able to use this to demand knowledge of what info the ID Card database holds on me? And if so - how do I prove that it's me that's requesting the data? By ID Card? Seems a bit catch-22 to me.
Avian flu is now endemic amongst birds in South Asia, and was reportedly suspected to be endemic amongst birds in Turkey (which I still find bitterly ironic)
It may have only killed 80 people so far, but that's over 50% of the 150 or so people that have been infected. If the mortality rate is as severe when the virus mutates into a form more transmittable between humans then we're in real trouble - estimates of 150,000,000 deaths worldwide would ensure that someone you know personally will die.
There aren't many professionals in the field that believe we can escape an imminent birdflu pandemic. So, in short, yes - it is likely that this will turn into a pandemic and we should all be as prepared as possible for that.
Brilliant. The one good use for the ANPR system (tracking criminals) has now become public knowledge. That means your local gang-land thugs will find a way to avoid their registration plate being scanned (custom plate with obscure font). Meanwhile, every other law abiding joe normal will continue along their merry way, quite happy being scanned and tracked because "it's to help catch criminals".
We end up with a system that spies upon and punishes the law abiding citizens that make accidental mistakes, whilst letting the professional criminals find an easy loophole. It's good to see my tax money finding new and creative ways to rape me of my income.
Why do people say 'sol' instead of 'sun'? Is there some fundamental difference, or are they just trying to sound smart?
I just deleted (or rather 'deactivated') my account too. Is this enough, or do I have to start deleting all the cookies too?
You can add my name to that list. Maybe someone at Sony will notice the number of hostile replies on internet sites such as this and take note.
This is the 21st century MSN Messenger in a Bottle.
...it is always a good idea to have redundancy.
"The professor said the program would be easier to debug if we included a lot of comments."
Is that what we call a punchline?