[clug] The 1st Internet Tax is here.
kim at holburn.net
Thu Nov 13 08:23:54 GMT 2008
On 2008/Nov/13, at 1:48 AM, Daniel Pittman wrote:
>> You pay or you don't get paid.. It's a very harsh "standard" to
>> "demand". Only the Bankers can pull this off.. It's sad..
> Just to check here, but are you actually arguing that companies that
> store your credit card details -- enough details to charge
> to your card -- should *NOT* be held to a high standard?
Actually, if we had a decent payment system that was actually designed
to cope with the internet it wouldn't really be a problem. It's
retrofitting an insecure-already system to the internet which makes it
What the credit card companies are doing is forcing on-line merchants
to pay for their own bad security practices.
> Just in case my point isn't clear: credit card theft and subsequent
> fraud on the Internet comes from poorly stored credit card numbers, or
> from phishing, not from people stealing them in-flight.
> Requiring people who enable one of those two behaviours to implement
> high standards of accountability is, I think, quite reasonable.
Designing a system where this wasn't necessary would be even better.
> Finally, much of the PCI standard is about auditing to address the
> big risk in this sort of thing: inside crime.
> The vast majority of information loss, fraud and related crime in
> companies is from people *inside* the company, not outside. PCI has a
> lot of security and auditing requirements in place to prevent this.
>> After further reading I found additional more troubling things.
>> Not only do you have to have the transaction computer certified but
>> you would be required to have your database server done as
>> well. Providing you have your database on a separate server which is
>> part of the white paper standard ( create more revenue in the
>> here and good practice as an admin ).
> For the love of god, *please* tell me that you don't store credit card
> numbers in the same SQL database you store other web accessible
> Seriously, these are the design decisions that lead to the loss of
> credit card numbers to hackers -- and, honestly, that will take down
> small business, not to mention the cost to end users.
> For example, all it takes is one bad actor in your company -- or one
> compromised developer PC -- for 'select cardnumber from creditcards'
> If you /must/ store credit card details then a dedicated system used
> only for payments is the sanest approach, and should cost you less than
> ten thousand dollars all told, including setup and integration.
> If that seems too much then, hey, storing credit cards might not be a
> good part of your business model.
>> This goes well beyond the 7/11 or Pizza Huts it's very literally
>> company that does any type of Credit Card transaction. That
>> number is amazingly large.
> No, it doesn't. It means any company that stores credit card numbers,
> and falls under the PCI system. This is a much more limited set of
> businesses than you imagine, and in most cases the PCI
> responsibility is passed off to a third party.
>> On another note. 3rd party payment gateways were mentioned in a
>> reply. Does anyone recommend from personal use a 3rd party
>> company/gateway?
> I can say that the CBA and ANZ systems are reasonably light-weight,
> secure and effective.
> Integrating with their three party payment methods is easy and
> incurs no PCI obligations unless you store credit card details online.
> Integrating their two party payment methods is also pretty easy, but
> probably sets you up for the lightest PCI auditing, which is
> easy to pass unless you are doing something silly.
> You know, like storing credit card details on an SQL server accessible
> from a web interface directly, or that stores more than just the
> card details.
> I can also say that the MYOB payment system is reasonably good, if
> slightly less nice than the CBA system, and works well. I can't give
> you a cost comparison, though.
> For someone small, just use a three party payment system where someone
> big handles the credit cards for you, and you just get the money at
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
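The design Daniel describes above (a dedicated payment system or a three-party gateway holds the card numbers, the web-facing application keeps only a token) can be shown concretely. The following is an added illustration, not code from this thread or from any bank's or gateway's real API: the `PaymentVault`, `WebAppDatabase`, `store_card` and `leaked_pans` names are assumptions, the vault is simulated in-process with a separate in-memory SQLite database, and the card numbers used are constructed test values.

```python
"""Tokenised card storage, constructed example.

The web tier's database never holds the PAN (primary account number).
It holds an opaque random token issued by a separate payment vault,
which in practice is the bank's or gateway's system, plus the last
four digits for display. A dump of the web tier's database therefore
yields nothing a fraudster can charge. All names here are assumptions
for illustration, not a real gateway's API.
"""
import secrets
import sqlite3


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card schemes; rejects malformed input early."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentVault:
    """Stands in for the dedicated payments system / third-party gateway.
    In reality this is a separate host with no web-facing SQL access;
    here it is a separate in-memory database the web tier cannot query."""

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE cards (token TEXT PRIMARY KEY, pan TEXT)")
        self.charges = []   # (token, amount_cents) records accepted so far

    def tokenise(self, pan: str) -> str:
        """Store the PAN inside the vault and hand back a random token.
        The token is unrelated to the PAN, so it cannot be reversed."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(16)
        self._db.execute("INSERT INTO cards VALUES (?, ?)", (token, pan))
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """The only operation the web tier may ask of the vault."""
        row = self._db.execute(
            "SELECT pan FROM cards WHERE token = ?", (token,)).fetchone()
        if row is None:
            return False
        self.charges.append((token, amount_cents))
        return True


class WebAppDatabase:
    """The database the web application can query directly. It stores
    the token and a display hint only, never the full card number."""

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE customer_cards (customer_id INTEGER, token TEXT, last4 TEXT)")

    def save(self, customer_id: int, token: str, last4: str) -> None:
        self._db.execute("INSERT INTO customer_cards VALUES (?, ?, ?)",
                         (customer_id, token, last4))

    def token_for(self, customer_id: int):
        row = self._db.execute(
            "SELECT token FROM customer_cards WHERE customer_id = ?",
            (customer_id,)).fetchone()
        return row[0] if row else None

    def dump(self) -> list:
        """Everything a 'SELECT * FROM customer_cards' from a compromised
        web host or developer PC would return."""
        return self._db.execute("SELECT * FROM customer_cards").fetchall()


def store_card(vault: PaymentVault, appdb: WebAppDatabase,
               customer_id: int, pan: str) -> str:
    """Web-tier flow: send the PAN to the vault once, keep only the token."""
    token = vault.tokenise(pan)
    appdb.save(customer_id, token, pan[-4:])
    return token


def leaked_pans(appdb: WebAppDatabase, pans: list) -> list:
    """Check whether any full PAN appears anywhere in a web-tier DB dump."""
    text = " ".join(str(v) for row in appdb.dump() for v in row)
    return [p for p in pans if p in text]


if __name__ == "__main__":
    vault, appdb = PaymentVault(), WebAppDatabase()
    test_pan = "4111111111111111"          # constructed, well-known test number
    tok = store_card(vault, appdb, 1, test_pan)
    print("web DB dump:", appdb.dump())
    print("PANs recoverable from web DB:", leaked_pans(appdb, [test_pan]))
    print("charge via token:", vault.charge(appdb.token_for(1), 1999))
```

The point of the split is the query boundary: the web tier can only call `charge(token, amount)`, so the "one bad actor or one compromised developer PC" failure mode Daniel describes yields tokens that are worthless outside the vault, and the PCI scope shrinks to the vault (or disappears, when a three-party gateway runs it).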