[clug] The 1st Internet Tax is here.

Kim Holburn kim at holburn.net
Thu Nov 13 08:23:54 GMT 2008 

On 2008/Nov/13, at 1:48 AM, Daniel Pittman wrote:
>> You pay or you don't get paid.. It's a very harsh "standard" to
>> "demand".  Only the Bankers can pull this off.. It's sad..
>
> Just to check here, but are you actually arguing that companies that
> store your credit card details -- enough details to charge  
> transactions
> to your card -- should *NOT* be help to a high standard?

Actually, if we had a decent payment system that was actually designed  
to cope with the internet it wouldn't really be a problem.  It's  
retrofitting an insecure-already system to the internet which makes it  
worse.

What the credit card companies are doing is forcing on-line merchants  
to pay for the their own bad security practises.

> Just in case my point isn't clear: credit card theft and subsequent
> fraud on the Internet comes from poorly stored credit card numbers, or
> from phishing, not from people stealing them in-flight.
>
> Requiring people who enable one of those two behaviours to implement
> high standards of accountability is, I think, quite reasonable.

designing a system where this wasn't necessary would be even better.

> Finally, much of the PCI standard is about auditing to address the  
> final
> big risk in this sort of thing: inside crime.
>
> The vast majority of information loss, fraud and related crime in
> companies is from people *inside* the company, not outside.  PCI has a
> lot of security and auditing requirement in place to prevent this.
>
>> After further reading I found additional more troubling things.
>>
>> Not only do you have to have the transaction computer certified but
>> you would be required to have your database server done as
>> well. Providing you have your database on a separate server which is
>> part of the white paper standard ( create more revenue in the  
>> standard
>> here and good practice as an admin ).
>
> For the love of god, *please* tell me that you don't store credit card
> numbers in the same SQL database you store other web accessible  
> details?
>
> Seriously, these are the design decisions that lead to the loss of
> credit card numbers to hackers -- and, honestly, that will take down  
> any
> small business, not to mention the cost to end users.
>
> For example, all it takes is one bad actor in your company -- or one
> compromised developer PC -- for 'select cardnumber from creditcards'  
> to
> happen.
>
>
> If you /must/ store credit card details then a dedicated system used
> only for payments is the sanest approach, and should cost you less  
> than
> ten thousand dollars all told, including setup and integration.
>
> If that seems to much then, hey, storing credit cards might not be a
> good part of your business model.
>
>> This goes well beyond the 7/11 or Pizza Huts it's very literally  
>> every
>> company that does any type of Credit Card transaction. That's  
>> number is
>> amazingly large.
>
> No, it doesn't.  It means any company that stores credit card numbers,
> and falls under the PCI system.  This is a much more limited set of
> businesses than you imagine, and in most cases the PCI  
> responsibility is
> passed off to a third party.
>
>> ---
>> On another note. 3rd party payment gateways were mentioned in a  
>> reply. Does
>> anyone recommend from personal use a 3rd party company/gateway?
>
> I can say that the CBA and ANZ systems are reasonably light-weight,
> secure and effective.
>
> Integrating with their three party payment methods is easy and  
> incurs no
> PCI obligations unless you store credit card details online.
>
> Integrating their two party payment methods is also pretty easy, but
> probably sets you up for the lightest PCI auditing, which is  
> reasonably
> easy to pass unless you are doing something silly.
>
> You know, like storing credit card details on an SQL server accessible
> from a web interface directly, or that stores more than just the  
> credit
> card details.
>
>
> I can also say that the MYOB payment system is reasonably good, if
> slightly less nice than the CBA system, and works well.  I can't give
> you a cost comparison, though.
>
>
> For someone small, just use a three party payment system where someone
> big handles the credit cards for you, and you just get the money at  
> the
> end.
>
> Regards,
>        Daniel
> -- 
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

More information about the linux mailing list