From: Phpster on


On May 31, 2010, at 1:24 AM, Paul M Foster <paulf(a)quillandmouse.com>
wrote:

> On Sun, May 30, 2010 at 03:30:28PM -0400, Phpster wrote:
>
> <snip>
>
>>
>> I work with some of the largest retailers in north America if not the
>> world, and I can confirm that the security measures taken to enforce
>> pci compliance are not something lightly undertaken.
>>
>> If those entities choose to store the cc#s then they do the
>> following:
>>
>> 1. Store the encrypted values on servers that are NOT web facing
>
> Absolutely! If I were trying to do this on a web server, I *would*
> use a
> payment gateway. There's no way I could secure it adequately
> otherwise.
>
>>
>> 2. Use ridiculously long encryption keys ( well into the 1000s of
>> characters)
>>
>> 3. They also create a representative value that exists outside the
>> system that has to allow some basis of data mining.
>>
>>
>> Really as mentioned you don't want to do this. Especially if you have
>> no control over the servers.
>
> I have complete control over the server this information is stored on,
> including physical control. It is behind a NATed firewall and only
> accessible to certain machines on my internal network. The only
> personnel with access to the server are myself and my wife.
>
> To be clear, we process credit cards MOTO, meaning we have no physical
> access to the cards themselves. We use a small terminal which dials up
> our payment processor to get approvals. The problem is that virtually
> all of our credit card business is with the same customers and
> recurring. So it's not feasible to call them every month or several
> times per job to ask for a credit card number. This would aggravate my
> customers. So I have to store the information one way or another, on
> 3x5
> cards, in the computer or some way.
>
> And it appears from all the replies that there is no other way to do
> it
> than to have a separate key or password for accessing just these
> credit
> card numbers, and every time they must be accessed, the user must
> provide this key, which would be in addition to the usual password for
> that user.
>
>
> Paul
>
> --
> Paul M. Foster
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

It sounds like a lot of the activity is subscription based, is that
correct? Paypal does support that.

I would suggest looking thru the oci guidelines if you haven't done so
already. The point there are essential requirements and should be
enough for you to judge if you can be compliant with the rules.

Pci is a total PITA, and the fines are not worth it if you can't meet
the requirements.

Bastien

Sent from my iPod
From: tedd on
At 1:38 AM -0400 5/31/10, Paul M Foster wrote:
>On Sun, May 30, 2010 at 10:50:05AM -0400, tedd wrote:
>
> > Besides, most credit card processing agencies even require that you
>> use the customer's data (cc number, expiry date and CCS) to make the
>> sale and then immediately dispose of it afterwards, usually within 24
>> hours under a signed agreement. Holding that information for more
>> than 24 hours can be a criminal offense regardless of what type of
>> hashing you use.
>
>Not true. It depends on the type of merchant and the situation.

*blink*

"Not true" and "It depends" are conflicts in logic.

Either what I said is "true" or it isn't -- and if what I said is
"true" for some (as it is and I can prove it) then what I said is
indeed "true".

I'm curious, why say it's not "true" and then follow with "it
depends"? It appears to me that you have your mind made-up and don't
care to listen to our experiences and recommendations.

That's Okay, but I'm simply telling you what I KNOW to be true. You
may either accept what I have to say, or reject it, but to reply that
what I say is "Not true" is somewhat offensive and confrontational. I
hope you didn't mean it that way. :-)


>The PCI
>validation process allows for storage of all data except the 3-4 digit
>validation number. What I'm asked for at transaction time is the CC
>number, expiration date, digits for the billing address, and the billing
>zip code. And I can get the address and zip digits completely wrong and
>still have the transaction go through.

Party true.

What data are used in credit card transactions are the: name of the
card holder, credit card number, expiration date, CCV number, and zip
code. I have not dealt with any credit card processors that require
the billing address -- they just use the zip code. Additionally, it
is up to the client to determine the level of security they want.
They *can* require that *all* information be correct before accepting
a sale.

The downside of not requiring *all* the data to be correct is that
the rate the credit processor charges for the transaction rises.
Simply and logically put, if you don't get all the information
correct, then there is risk and that risk is passed on to the client
via an elevated charge for processing -- look it up.

The up-side of getting only the minimal data is getting a sale under
a higher risk/rate -- that's the clients choice and they usually
choose it.

>We've been doing it this way for 14 years and using the type of service
>you suggest would be expensive and impractical. Only in the last two
>years has PCI become more stringent in their requirements. And
>consequently, I'm having to re-evaluate how we store this particular
>information. Otherwise, our physical and other security is more than
>adequate. Yes, of course, if you have a machine gun or you're Kevin
>Mitnick, or you have a network of 20,000 bots pounding on my router,
>you're coming in anyway. Again, this is about *reasonable* security.

You asked for opinions -- do what you want. :-)

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
From: tedd on
At 12:36 PM -0400 5/31/10, I wrote:
>That's Okay, but I'm simply telling you what I KNOW to be true. You
>may either accept what I have to say, or reject it, but to reply
>that what I say is "Not true" is somewhat offensive and
>confrontational. I hope you didn't mean it that way. :-)

My apologies for taking what you said as I did and my reply -- it was
wrong of me. I am sure you didn't mean anything offensive.

Cheers,

tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
From: Waynn Lue on
Billing Address (at least the street number) is used in conjunction
with the zip code for AVS checks.

On 5/31/10, tedd <tedd.sperling(a)gmail.com> wrote:
> At 1:38 AM -0400 5/31/10, Paul M Foster wrote:
>>On Sun, May 30, 2010 at 10:50:05AM -0400, tedd wrote:
>>
>> > Besides, most credit card processing agencies even require that you
>>> use the customer's data (cc number, expiry date and CCS) to make the
>>> sale and then immediately dispose of it afterwards, usually within 24
>>> hours under a signed agreement. Holding that information for more
>>> than 24 hours can be a criminal offense regardless of what type of
>>> hashing you use.
>>
>>Not true. It depends on the type of merchant and the situation.
>
> *blink*
>
> "Not true" and "It depends" are conflicts in logic.
>
> Either what I said is "true" or it isn't -- and if what I said is
> "true" for some (as it is and I can prove it) then what I said is
> indeed "true".
>
> I'm curious, why say it's not "true" and then follow with "it
> depends"? It appears to me that you have your mind made-up and don't
> care to listen to our experiences and recommendations.
>
> That's Okay, but I'm simply telling you what I KNOW to be true. You
> may either accept what I have to say, or reject it, but to reply that
> what I say is "Not true" is somewhat offensive and confrontational. I
> hope you didn't mean it that way. :-)
>
>
>>The PCI
>>validation process allows for storage of all data except the 3-4 digit
>>validation number. What I'm asked for at transaction time is the CC
>>number, expiration date, digits for the billing address, and the billing
>>zip code. And I can get the address and zip digits completely wrong and
>>still have the transaction go through.
>
> Party true.
>
> What data are used in credit card transactions are the: name of the
> card holder, credit card number, expiration date, CCV number, and zip
> code. I have not dealt with any credit card processors that require
> the billing address -- they just use the zip code. Additionally, it
> is up to the client to determine the level of security they want.
> They *can* require that *all* information be correct before accepting
> a sale.
>
> The downside of not requiring *all* the data to be correct is that
> the rate the credit processor charges for the transaction rises.
> Simply and logically put, if you don't get all the information
> correct, then there is risk and that risk is passed on to the client
> via an elevated charge for processing -- look it up.
>
> The up-side of getting only the minimal data is getting a sale under
> a higher risk/rate -- that's the clients choice and they usually
> choose it.
>
>>We've been doing it this way for 14 years and using the type of service
>>you suggest would be expensive and impractical. Only in the last two
>>years has PCI become more stringent in their requirements. And
>>consequently, I'm having to re-evaluate how we store this particular
>>information. Otherwise, our physical and other security is more than
>>adequate. Yes, of course, if you have a machine gun or you're Kevin
>>Mitnick, or you have a network of 20,000 bots pounding on my router,
>>you're coming in anyway. Again, this is about *reasonable* security.
>
> You asked for opinions -- do what you want. :-)
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Sent from my mobile device
From: Paul M Foster on
On Mon, May 31, 2010 at 12:36:55PM -0400, tedd wrote:

> At 1:38 AM -0400 5/31/10, Paul M Foster wrote:
>> On Sun, May 30, 2010 at 10:50:05AM -0400, tedd wrote:
>>
>> > Besides, most credit card processing agencies even require that you
>>> use the customer's data (cc number, expiry date and CCS) to make the
>>> sale and then immediately dispose of it afterwards, usually within 24
>>> hours under a signed agreement. Holding that information for more
>>> than 24 hours can be a criminal offense regardless of what type of
>>> hashing you use.
>>
>> Not true. It depends on the type of merchant and the situation.
>
> *blink*
>
> "Not true" and "It depends" are conflicts in logic.
>
> Either what I said is "true" or it isn't -- and if what I said is
> "true" for some (as it is and I can prove it) then what I said is
> indeed "true".
>
> I'm curious, why say it's not "true" and then follow with "it
> depends"? It appears to me that you have your mind made-up and don't
> care to listen to our experiences and recommendations.
>
> That's Okay, but I'm simply telling you what I KNOW to be true. You
> may either accept what I have to say, or reject it, but to reply that
> what I say is "Not true" is somewhat offensive and confrontational. I
> hope you didn't mean it that way. :-)

Okay, let me be precise, then. I have no idea whether "most credit
processing agencies... require...." I haven't dealt with "most credit
processing agencies", so I have no way of knowing. And in fact, I don't also know
whether "holding that information for more than 24 hours can be a
criminal offense...." This may be a criminal offense where you live, and
it may be a criminal offense in Zambatootie as well. Since I'm not
familiar with every jurisdiction, I can't vouch for where or when it is
a criminal offense.

I do know, however, that according to the PCI DSS FAQ, storing a credit
card number is discouraged, but not disallowed. Given the proper
cryptographic treatment, it is definitely allowed. This also jibes with
the self-evaluation questionnaire which Level 4 merchants (like myself)
must complete yearly.

>
>
>> The PCI
>> validation process allows for storage of all data except the 3-4 digit
>> validation number. What I'm asked for at transaction time is the CC
>> number, expiration date, digits for the billing address, and the billing
>> zip code. And I can get the address and zip digits completely wrong and
>> still have the transaction go through.
>
> Party true.
>
> What data are used in credit card transactions are the: name of the
> card holder, credit card number, expiration date, CCV number, and zip
> code. I have not dealt with any credit card processors that require
> the billing address -- they just use the zip code. Additionally, it
> is up to the client to determine the level of security they want.
> They *can* require that *all* information be correct before accepting
> a sale.

When you say "client" in this context, what do you mean? The ultimate
customer, the company issuing the credit card, the bank, the merchant
service company?

>
> The downside of not requiring *all* the data to be correct is that
> the rate the credit processor charges for the transaction rises.
> Simply and logically put, if you don't get all the information
> correct, then there is risk and that risk is passed on to the client
> via an elevated charge for processing -- look it up.

I have been told repeatedly by my merchant service company that my rates
do not and will not rise, should my "verification information" be
incorrect. I have been told repeatedly that the collection of this
information is for *my* benefit, to lessen the chances of *me* being
defrauded.

>
> The up-side of getting only the minimal data is getting a sale under
> a higher risk/rate -- that's the clients choice and they usually
> choose it.

Again, I'm not sure the definition of client as you are using it.
However, I am aware that MOTO merchants (those who take credit cards
over the phone, etc. and never have a physical card), like myself, pay
higher rates than those who swipe them. Part of the game.

Paul

--
Paul M. Foster