[clug] The 1st Internet Tax is here.

Michael Cohen scudette at gmail.com
Wed Nov 12 22:34:37 GMT 2008


Seth,

  The VISA PCI DSS standard (http://en.wikipedia.org/wiki/PCI_DSS)
came up in response to many small businesses getting hacked in the
States. We are talking about your local 7-Eleven or pizza shop. Turns out
that if you are a small business you need to buy a Point of Sale
(POS) system to actually run your register. Most POS providers just
sell you a Windows XP system with no security or patching, and it gets
connected to the internet (possibly behind a NAT firewall). Because it looks
like an appliance the business owners didn't think it needed patching
or any security whatsoever (we are talking about a pizza guy or a 7-Eleven
boss, not an IT-savvy user by any stretch).

What tended to happen is that the employees would use the system for
general browsing, get hacked, and all the credit card numbers would be
stolen. This costs VISA a huge amount and is a very big problem.

The PCI standard came up as a response to this, and it's going to get
even worse for businesses. In the States if you get hacked you get
fined a huge amount of money (over $20k I think) and you need to get
re-certified again. Many very small operators will have no choice but
to not offer credit card processing any more.

I think an alternative solution is to certify the actual POS system
itself: make it hardened, maybe running Linux, and a real appliance.
Unfortunately there is too much political weight behind the POS lobby
to make that fly. I think eventually this will have to be done though,
so if you buy a certified POS you can get certified much more easily and
cheaply.

It's a necessary evil. You can see it from the banks' point of view too,
and some minimum standards need to be enforced. I believe there is a
self-assessment mechanism in the States, though, where you can assess
your own security if you know what you are doing.

Michael.

On Thu, Nov 13, 2008 at 9:06 AM, Seth Turnbull <seth.turnbull at gmail.com> wrote:
> I run a smaller Internet based information company that handles a medium
> number of credit card transactions each month.
> Yesterday I received a letter in the mail from our transaction company that
> all e-commerce computers had to conform to
> this new banker/committee-thought-up standard. You can find the standard
> here:
> http://www.vormetric.com/solutions/documents/Vormetric_PCICompliance_WP_11.2007.pdf
> (requires free login).
>
> I don't mind the banking industry setting some security standards for
> computers and programmers to follow. What really
> floored me was the following.
>
> They will charge as follows:
> 1. Up to $1,800.00 per server to test and verify your server is in
> compliance.
>
> OR
>
> 2. You can register as a "non-compliance" member and they will charge you
> $20.00 per month to have online CC transactions.
>
> There's no way around this. You will do this or you won't be able to process
> credit cards.
>
> While they claim they are trying to lay the burden of stolen information
> back on the merchants, this is in fact a forced tax.
> Now not only do you have a % of your transaction going to the banker, you will also
> have to pay a crazy testing fee or a monthly tax.
>
>
> Maybe I'm fully misunderstanding this. If anyone else has more information
> please reply to this with your thoughts.
>
> Thanks
> ~Seth
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
