[clug] The 1st Internet Tax is here.

Seth Turnbull seth.turnbull at gmail.com
Thu Nov 13 10:50:47 GMT 2008

>> This would be every company that has a computer with transaction
>> software on it. Every ecommerce server, utility companies, phone
>> companies, etc. etc..

>...no.  You are wrong in your assumption of what the PCI standards
>mandate, and where they apply.

>Specifically, if you don't store credit card numbers yourself then you
>don't have to do anything, really.

Thank you for clarifying this point.

>> You pay or you don't get paid.. It's a very harsh "standard" to
>> "demand".  Only the Bankers can pull this off.. It's sad..

>Just to check here, but are you actually arguing that companies that
>store your credit card details -- enough details to charge transactions
>to your card -- should *NOT* be help to a high standard?

>Just in case my point isn't clear: credit card theft and subsequent
>fraud on the Internet comes from poorly stored credit card numbers, or
>from phishing, not from people stealing them in-flight.

>Requiring people who enable one of those two behaviours to implement
>high standards of accountability is, I think, quite reasonable.

>Finally, much of the PCI standard is about auditing to address the final
>big risk in this sort of thing: inside crime.

>The vast majority of information loss, fraud and related crime in
>companies is from people *inside* the company, not outside.  PCI has a
>lot of security and auditing requirement in place to prevent this.

No you must not have read where I stated 2 times that I fully agree with
the standard and I willing will comply. My argument here is the fee and
that the fee does not give the merchant anything in return.

Liability will still be passed off to the merchant. Which is great and
understandable as the merchant didn't protect the CC holders information.
So, then why are we paying a monthly fee? What does this fee gain the
merchant? How does it benefit us?

>> After further reading I found additional more troubling things.
>> Not only do you have to have the transaction computer certified but
>> you would be required to have your database server done as
>> well. Providing you have your database on a separate server which is
>> part of the white paper standard ( create more revenue in the standard
>> here and good practice as an admin ).

>For the love of god, *please* tell me that you don't store credit card
>numbers in the same SQL database you store other web accessible details?
No No.. We don't even store CC information on the same server as the CC
All of the information is encrypted. If you don't know the process of
the information from our structure I would venture to say you just might not
able to put the pieces together at all and if you were able to you woul
dhave to decrypt it.
It would be a rather large task and you would have to have some knowledge of
our structure.


>I can say that the CBA and ANZ systems are reasonably light-weight,
>secure and effective.

>Integrating with their three party payment methods is easy and incurs no
>PCI obligations unless you store credit card details online.

>Integrating their two party payment methods is also pretty easy, but
>probably sets you up for the lightest PCI auditing, which is reasonably
>easy to pass unless you are doing something silly.

>You know, like storing credit card details on an SQL server accessible
>from a web interface directly, or that stores more than just the credit
>card details.

>I can also say that the MYOB payment system is reasonably good, if
>slightly less nice than the CBA system, and works well.  I can't give
>you a cost comparison, though.

>For someone small, just use a three party payment system where someone
>big handles the credit cards for you, and you just get the money at the

Thank you for the information!!


More information about the linux mailing list