
Class Action?


apluis
05-08-2009, 07:11 PM
Here is my opinion of PCI:

The card brands, and in particular VISA, have decided that it is cheaper for them to force 25 million merchants to "secure" each and every merchant-owned system instead of fixing a fundamental oversight on their end. Track data should be encrypted at the point of swipe and remain encrypted until at least beyond the processing platforms, where the data is in the control of professionals versed in security. As it stands today, there are less than a few hundred processing platforms in general use. (A processing platform is essentially a large system your terminal or PC communicates with to process credit cards.) Encrypted swipers are available today, but none of the processing platforms can support them. So if you want to use them, you have to decrypt the data on the local machine before sending it off to the processing center, or pay a middleman (gateway) to take your encrypted data and decrypt it before sending it off to the processing center.

Here is the thing that I find incredible: Some platforms require you to STORE card numbers AFTER processing to be able to do things like VOIDS and FORCES.

How serious are the card brands about security? Does anyone remember the contactless card readers that the card brands were promoting? And the millions of credit cards they mailed out that could be read with a contactless reader? You would think those things would be secure. You would be WRONG. Those contactless readers just read the card and send both tracks through a serial connection back to their API unencrypted. Their API will then happily send that track data back to your system. They'll tell you that the connection between your system and their processing center is encrypted but what they don't tell you is that the track data HAS to be unencrypted in memory right before your system transmits it to them.

Does it make sense to try to secure millions upon millions of systems? I think it is time for the different associations like the Retail Federation, local chambers of commerce and other merchant groups to start questioning PCI. Does anyone else think that Congress should be looking at this? If Congress doesn't, is it time to start thinking about forming a class action suit?

ADail
05-19-2009, 09:42 AM
Okay... so PCI stinks... what will we replace it with (as opposed to doing the nothing that most merchants were doing before PCI)?

How will POS encryption protect CHD during the back-end processes such as settlement? Should Visa just settle everything and remove all of that revenue for franchise models, as well as the ability to negotiate rates inside their own network of contracts?

How about employee and vendor handling of CHD?

lyalc
05-20-2009, 01:54 PM
Does it make sense to try to secure millions upon millions of systems?
Probably being controversial here, but does it make sense to continue allowing millions of dollars in fraud and millions of lives affected by compromises of card and PII data?

Is there a better option that doesn't require changes to millions of systems or the business processes of millions of businesses and billions of consumers?
I hope so - but haven't seen it yet.

lyalc