[clug] The 1st Internet Tax is here.

Daniel Pittman daniel at rimspace.net
Thu Nov 13 00:48:28 GMT 2008


"Seth Turnbull" <seth.turnbull at gmail.com> writes:

> I don't think people as a whole see the ramifications of this.  We're
> talking about millions of computers either being certified or paying a
> monthly fee.

You are assuming that there are millions of computers that capture and
store credit card details.  This may actually be true, but ...

> This would be every company that has a computer with transaction
> software on it. Every ecommerce server, utility companies, phone
> companies, etc. etc..

...no.  You are wrong in your assumption of what the PCI standards
mandate, and where they apply.

Specifically, if you don't store credit card numbers yourself then you
don't have to do anything, really.

> You pay or you don't get paid.. It's a very harsh "standard" to
> "demand".  Only the Bankers can pull this off.. It's sad..

Just to check here, but are you actually arguing that companies that
store your credit card details -- enough details to charge transactions
to your card -- should *NOT* be held to a high standard?


Just in case my point isn't clear: credit card theft and subsequent
fraud on the Internet comes from poorly stored credit card numbers, or
from phishing, not from people stealing them in-flight.

Requiring people who enable one of those two behaviours to implement
high standards of accountability is, I think, quite reasonable.


Finally, much of the PCI standard is about auditing to address the final
big risk in this sort of thing: inside crime.

The vast majority of information loss, fraud and related crime in
companies is from people *inside* the company, not outside.  PCI has a
lot of security and auditing requirements in place to prevent this.

> After further reading I found additional more troubling things.
>
> Not only do you have to have the transaction computer certified but
> you would be required to have your database server done as
> well. Providing you have your database on a separate server which is
> part of the white paper standard (create more revenue in the standard
> here and good practice as an admin).

For the love of god, *please* tell me that you don't store credit card
numbers in the same SQL database you store other web accessible details?

Seriously, these are the design decisions that lead to the loss of
credit card numbers to hackers -- and, honestly, that will take down any
small business, not to mention the cost to end users.

For example, all it takes is one bad actor in your company -- or one
compromised developer PC -- for 'select cardnumber from creditcards' to
happen.


If you /must/ store credit card details then a dedicated system used
only for payments is the sanest approach, and should cost you less than
ten thousand dollars all told, including setup and integration.

If that seems too much then, hey, storing credit cards might not be a
good part of your business model.

> This goes well beyond the 7/11 or Pizza Huts it's very literally every
> company that does any type of Credit Card transaction. That number is
> amazingly large.

No, it doesn't.  It means any company that stores credit card numbers,
and falls under the PCI system.  This is a much more limited set of
businesses than you imagine, and in most cases the PCI responsibility is
passed off to a third party.

> ---
> On another note. 3rd party payment gateways were mentioned in a reply. Does
> anyone recommend from personal use a 3rd party company/gateway?

I can say that the CBA and ANZ systems are reasonably light-weight,
secure and effective.

Integrating with their three-party payment methods is easy and incurs no
PCI obligations unless you store credit card details online.

Integrating their two-party payment methods is also pretty easy, but
probably sets you up for the lightest PCI auditing, which is reasonably
easy to pass unless you are doing something silly.

You know, like storing credit card details on an SQL server accessible
from a web interface directly, or that stores more than just the credit
card details.


I can also say that the MYOB payment system is reasonably good, if
slightly less nice than the CBA system, and works well.  I can't give
you a cost comparison, though.


For someone small, just use a three-party payment system where someone
big handles the credit cards for you, and you just get the money at the
end.

Regards,
        Daniel
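The design point in the post above (card numbers must not live in the same SQL database as the web-accessible data, and the web tier should only ever hold a gateway token) can be made concrete with a small example. The code below is an added illustration, not code from the post or from any of the gateways it names. An in-memory SQLite database stands in for the web application's database, a plain dict stands in for the payment provider's vault (an assumption, not any real provider's API), the token name is made up, and the card numbers are the well-known industry test numbers, not real cards. It builds both designs, then runs the kind of "walk every table and pull out anything that looks like a card number" scan that a compromised developer PC or an insider could run with `select cardnumber from creditcards`, and shows that the segregated design yields nothing.

```python
import re
import sqlite3

# Constructed sample data: standard test PANs, not real cards.
TEST_PAN_VISA = "4111111111111111"
TEST_PAN_MC = "5555555555554444"

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.  Luhn filtering below removes most order ids/timestamps,
# but a 1-in-10 false positive on random digit runs is still expected.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to filter PAN-looking digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit run in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def build_web_db_bad() -> sqlite3.Connection:
    """The design the post warns against: PANs in the web-facing database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE creditcards(customer_id INTEGER, cardnumber TEXT, expiry TEXT);
    """)
    conn.execute("INSERT INTO customers VALUES (1, 'alice@example.com')")
    conn.execute("INSERT INTO creditcards VALUES (1, ?, '12/29')", (TEST_PAN_VISA,))
    conn.commit()
    return conn


def build_web_db_good() -> tuple[sqlite3.Connection, dict]:
    """Segregated design: the web DB keeps only a gateway token and the last
    four digits; the PAN lives elsewhere.  The dict is a stand-in (assumed,
    not a real provider) for the gateway/vault on the dedicated payment host."""
    vault = {"tok_7f3a9c2e1b": TEST_PAN_VISA}  # hypothetical token name
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE payment_methods(customer_id INTEGER, token TEXT,
                                     last4 TEXT, expiry TEXT);
    """)
    conn.execute("INSERT INTO customers VALUES (1, 'alice@example.com')")
    conn.execute("INSERT INTO payment_methods VALUES (1, 'tok_7f3a9c2e1b', ?, '12/29')",
                 (TEST_PAN_VISA[-4:],))
    conn.commit()
    return conn, vault


def scan_db_for_pans(conn: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """Walk every table and column, as an insider or a compromised account
    could, and report (table, column, masked PAN) for each card number found."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cur = conn.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, val in zip(cols, row):
                for pan in find_pans(str(val)):
                    hits.append((table, col, "*" * (len(pan) - 4) + pan[-4:]))
    return hits


def charge(vault: dict, token: str, amount_cents: int) -> bool:
    """All the web tier is allowed to do: hand the gateway a token, never a PAN."""
    return token in vault and amount_cents > 0


if __name__ == "__main__":
    print("bad design :", scan_db_for_pans(build_web_db_bad()))
    good, vault = build_web_db_good()
    print("good design:", scan_db_for_pans(good))
    print("charge ok  :", charge(vault, "tok_7f3a9c2e1b", 1999))
```

The same `scan_db_for_pans` walk, pointed at a real database dump or log directory, is a cheap check to run before a PCI self-assessment: if it finds anything outside the dedicated payment system, the "we don't store card numbers" answer is wrong.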

