



Standard User wingco1
(legend) Wed 08-Feb-17 12:45:33
Re: Credit card details stolen from website.

[re: caffn8me]
Sarah, could you clarify something for me please, regarding PCI-DSS? Does this apply to all terminals where card details are entered, or just to the Bank etc., who process the card information?

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 14:01:22
Re: Credit card details stolen from website.

[re: wingco1]
PCI-DSS rules apply to anywhere and to anything that transmits, stores or processes card data. PCI-DSS applies equally to the terminals at retailers where cards are swiped, inserted or tapped, and systems at banks and retailers used to process transactions.

PCI-DSS also covers paper records such as the printouts from card machines. A lot of people don't realize that there are two different formats of printout for each card transaction from a regular card machine. The copy given to the customer doesn't contain the full card number but the merchant copy has the full account number as well as the expiry date. That's all that's needed to commit card fraud. It's easy for a waiter in a restaurant, for example, to harvest credit card numbers and expiry dates. They could also harvest CVV numbers quite easily.

Card payment terminals supplied to small businesses are increasingly using an internet connection rather than dialup modems and this means that PCI-DSS covers the retailer's internal network as well as the card terminals. Does the retailer have wifi enabled? Is this segregated from the network used to transmit card data? Are all other systems segregated from the network used by card terminals? If they're not, the system isn't compliant.

Achieving PCI-DSS compliance for a small business that uses IP connected terminals can be prohibitively expensive. It's certainly quite a few hours of work for someone who has a reasonable level of technical expertise and there are other costs too. Small businesses often staple the merchant copy of the card slip to their till copy for their records. They need to keep the card slip until the card company chargeback period has passed - which can be six months. At the end of this period they are required to destroy the card data. Do they? Are all these slips stored safely under lock and key?

I think that the banks are aware how difficult it is for small businesses to achieve proper PCI-DSS compliance and see it as a money making opportunity. Businesses which don't achieve PCI-DSS compliance are charged a monthly 'non-compliance fee' or a less favourable card processing fee. It's just another way for the banks to grab more money. As you can see from my previous post, banks' own systems aren't compliant with the latest PCI-DSS requirements.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Wed 08-Feb-17 14:10:42)
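As an added example, not part of the thread or of any vendor's software, here is a small Python check a merchant could run over receipt or till-log text to spot the full card numbers that the merchant copy carries, and to produce the truncated form the customer copy shows. The receipt layout and the card number 4111111111111111 (a standard Luhn-valid test PAN) are constructed for the example.

```python
import re

# Constructed sample text for the two printout formats described above
# (assumed layout; the PAN is a synthetic test number, not a real card).
MERCHANT_COPY = "MERCHANT COPY\nVISA 4111111111111111 EXP 09/19\nAMOUNT GBP 42.50\nSIGN: ___"
CUSTOMER_COPY = "CUSTOMER COPY\nVISA ************1111 EXP 09/19\nAMOUNT GBP 42.50"

# 13-19 digit runs, optionally separated by spaces or dashes as on printouts.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so plain digit runs (order ids, phone numbers) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid full PAN found in a receipt or log fragment."""
    return [
        _digits_only(m.group())
        for m in PAN_RE.finditer(text)
        if luhn_ok(_digits_only(m.group()))
    ]


def mask_pan(pan: str) -> str:
    """Customer-copy style truncation: keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_receipt(text: str) -> str:
    """Replace each full PAN in a printout with its masked form; leave other digits alone."""
    def _sub(m):
        d = _digits_only(m.group())
        return mask_pan(d) if luhn_ok(d) else m.group()
    return PAN_RE.sub(_sub, text)
```

Running `find_unmasked_pans` over the merchant copy reports the full PAN, over the customer copy it reports nothing, and `redact_receipt` turns the former into the latter's format.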

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 14:08:27
Re: Credit card details stolen from website.

[re: caffn8me]
Just as an example, have a look at the final post on UK Business Forums where a small business owner is trying to find a router suitable for PCI-DSS with network segregation. They've been quoted £1400 just for the router - a total ripoff. It just needs a basic router with VLAN capability.

Sarah


Standard User wingco1
(legend) Wed 08-Feb-17 14:21:17
Re: Credit card details stolen from website.

[re: caffn8me]
How can businesses use PayPal over the internet with no requirement by PayPal to be PCI compliant?

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 14:44:39
Re: Credit card details stolen from website.

[re: wingco1]
If a business uses PayPal only, they never have the customer's card number so aren't affected by PCI-DSS.

Sarah

Standard User wingco1
(legend) Wed 08-Feb-17 16:14:47
Re: Credit card details stolen from website.

[re: caffn8me]
Thanks for the clarification. One last question if I may. A Payments page on a website that links from that website directly to a Merchant Account, where the details are entered on the Merchant Account's page directly and are not stored locally, is not affected by PCI-DSS?

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 18:35:32
Re: Credit card details stolen from website.

[re: wingco1]
If the payment details are entered directly on the website of the vendor but relayed to the processor, even if they are not stored by the vendor, they are subject to PCI-DSS. If the vendor's page has a frame within it for entering payment details that originates wholly and directly from the processor's site, the vendor isn't subject to PCI-DSS.

With PayPal (and Sage Pay/Worldpay etc), the vendor's page typically redirects the customer to a page hosted by the processor and so the vendor has no PCI-DSS involvement.

I hope that all makes sense.

Sarah

Standard User wingco1
(legend) Wed 08-Feb-17 21:33:15
Re: Credit card details stolen from website.

[re: caffn8me]
Thank you very much for your patience and clarification. It is a complicated subject which you have explained very well to me.

Standard User TrishaH
(knowledge is power) Fri 10-Feb-17 22:02:05
Re: Credit card details stolen from website.

[re: caffn8me]
If a business uses PayPal only, they never have the customer's card number so aren't affected by PCI-DSS.

If a business offers card payment, or another button for PayPal payment... do they still not get the card details?

Do you know if the Kaspersky Virtual Keyboard is a good thing for adding extra security to entering payment details?

Standard User caffn8me
(knowledge is power) Sat 11-Feb-17 00:32:05
Re: Credit card details stolen from website.

[re: TrishaH]
A business that takes payment through PayPal never receives the card details, they just receive the payment from PayPal and not directly from the customer. That's one reason why some people prefer to use PayPal for as many online transactions as possible.

Kaspersky is a very well respected firm so I'd imagine their Virtual Keyboard has been properly designed to add extra security to a transaction. I'll have a look at it next time I'm at a site that uses Kaspersky.

[edit] OK, I've had a look online and, yes, the Virtual Keyboard protects against certain attack vectors such as keyboard loggers. It's a good solution.

Some UK banks have a similar system requiring certain login information to be entered using the mouse on screen rather than the keyboard - for exactly the same reasons.

Sarah


Edited by caffn8me (Sat 11-Feb-17 00:51:41)
