[clug] The 1st Internet Tax is here.

Seth Turnbull seth.turnbull at gmail.com
Wed Nov 12 22:56:44 GMT 2008

Here is some additional information. I should have provided more information
instead of just ranting in my original post, and I should have provided better
links to the information.

Agreeing to being liable for being hacked is one thing, but for everyone with
an ecommerce server out there to have to be tested or pay this monthly "tax"
is huge.
This is a huge money maker for the banks. This isn't just a liability issue
for the server administrator and developer. This opens the door for
segregation of the Internet.
What's next? Pay $20.00 per month to have email access over your land line
or wireless? That's pretty far out there, I know... but I would never
have thought of this.

After 4 years of planning this is what they came up with? A white paper and

I called and spoke with an "assessor". I asked what software(s) are listed
as compliant.
I asked if my base system was considered in compliance:
- FreeBSD
- Apache server (version)
- MySQL
    - I also asked if MySQL's built-in encryption was considered "enough".

The answer I got was "we haven't white listed any software but rather the
additional implementation of security measures you have deployed".
Understanding that the majority of computers still use Microsoft, I can see
why they wouldn't list an operating system.

I asked "without root access to my server, how do you plan to accurately
test/see what additional measures I have taken, as the majority of the items
listed in your white paper are only features that a root user would have
access to and knowledge of".
Answer: "That's a good question".

I'm waiting on a return call from someone who performs testing.

Like I said in my original email, I have no issue making sure I conform to
this standard, but I have great issues with being charged a monthly fee or a
per server fee.

On Wed, Nov 12, 2008 at 3:34 PM, Michael Cohen <scudette at gmail.com> wrote:

> Seth,
>  The VISA PCI DSS standard (http://en.wikipedia.org/wiki/PCI_DSS)
> came up in response to many small businesses getting hacked in the
> states. We are talking about your local 711 or pizza shop. Turns out
> that if you are a small business you need to buy a Point of Sale
> system (POS) to actually run your register. Most POS providers just
> sell you a Windows XP system with no security or patching, and it gets
> connected to the internet (possibly behind a NAT fw). Because it looks
> like an appliance the business owners didn't think it needed patching
> or any security whatsoever (we are talking about a pizza guy or a 711
> boss, not an IT savvy user by any stretch).
> What tended to happen is that the employees would use the system for
> general browsing, get hacked, and all the credit card numbers would be
> stolen. This costs VISA a huge amount and is a very big problem.
> The PCI standard came up as a response to this, and it's going to get
> even worse for businesses. In the states if you get hacked you get
> fined a huge amount of money (over $20k I think) and you need to get
> re-certified again. Many very small operators will have no choice but
> to not offer credit card processing any more.
> I think an alternative solution is to certify the actual POS system
> itself: make it hardened, maybe running Linux, and a real appliance.
> Unfortunately there is too much political weight behind the POS lobby
> to make that fly. I think eventually this will have to be done though,
> so if you buy a certified POS you can get certified much easier and
> cheaper.
> It's a necessary evil. You can see it from the banks' point of view too,
> and some minimum standards need to be enforced. I believe there is a
> self assessment mechanism in the states where you can assess
> your own security if you know what you are doing though.
> Michael.
> On Thu, Nov 13, 2008 at 9:06 AM, Seth Turnbull <seth.turnbull at gmail.com> wrote:
> > I run a smaller Internet based information company that handles a medium
> > number of credit card transactions each month.
> > Yesterday I received a letter in the mail from our transaction company that
> > all e-commerce computers had to conform to this new banker / committee
> > thought up standard. You can find the standard here
> > http://www.vormetric.com/solutions/documents/Vormetric_PCICompliance_WP_11.2007.pdf
> > (requires free login).
> >
> > I don't mind the banking industry setting some security standards for
> > computers and programmers to follow. What really floored me was the
> > following.
> >
> > They will charge as follows:
> > 1. Up to $1,800.00 per server to test and verify your server is in
> > compliance.
> >
> > OR
> >
> > 2. You can register as a "non-compliance" member and they will charge you
> > $20.00 per month to have online CC transactions.
> >
> > There's no way around this. You will do this or you won't be able to process
> > Credit Cards.
> >
> > While they claim they are trying to lay the burden of stolen information
> > back on the merchants, this is in fact a forced tax.
> > Now not only do you pay a % of your transaction to the banker, you will also
> > have to pay a crazy testing fee or a monthly tax.
> >
> > Maybe I'm fully misunderstanding this. If anyone else has more information
> > please reply to this with your thoughts.
> >
> > Thanks
> > ~Seth
> > --
> > linux mailing list
> > linux at lists.samba.org
> > https://lists.samba.org/mailman/listinfo/linux
> >
