Geeks.com, a large online seller of computer hardware and software, has agreed to allow federal regulators to monitor its website security for 10 years to settle charges it violated federal laws requiring it to adequately safeguard sensitive customer data. The agreement, which also applies to sister site computergeeks.com, …
"Payment card industry regulations require merchants to follow a maze of procedures designed to protect card data as it's stored on servers and zapped to authorization services"
Then why do the authorisation services _let_ you connect to them without using SSL or similar?
Doesn't excuse these people in any way, shape or form, but still...
Must run Windows ME.
@Then why do the authorisation services _let_ you connect to them without using SSL or similar?
Could it be because SSL is just used for transport security of insecure data, whereas transactions could be digitally signed and encrypted as the content of traffic, e.g. signed SOAP over HTTP? SSL would give extra security against proxy or MiM attacks, but for these financial transactions I would hope that each transaction is separately protected from both alteration (e.g. signing with SHA1 or better, using public key certificates) and eavesdropping (AES/3-DES encryption using public key certificates) rather than just relying on end-point transport layer security.
PCI-DSS does require that all access to data is secured (e.g. SSL, edge firewalls, RBAC) and that the card holder data (PAN) is held on servers in encrypted form and then only as long as is strictly necessary. If transactions are transferred in their encrypted form then I can see how easy it would be to decrypt them in memory only when necessary and keep them in the databases secured.
Which payment authorisation services let you connect to them with non-secure connections? Do you have any examples?
A payment authorisation service isn't a Bank or a Merchant; they are Visa, Mastercard, AmEx etc. You usually wouldn't connect to their servers directly; instead your merchant would send your information to the bank, who would then relay the request for you.
If you know of merchants, or even banks, who allow non-secure connections, they'll be in for a big kicking from the PCI.
@Richard and Fraser
Read the article.
> Names, addresses, credit card numbers, and other data were routinely sent unencrypted to authorization services, making them ripe for identity thieves, the complaint alleged.
frymaster then quite sensibly asked why these "authorization services" accepted unencrypted data in the first place.
Why is geek.com getting the bashing? Surely the fault lies squarely with McAfee for not correctly testing the defences and making sure the changes were made?
Hacker Safe - Tested Daily
I always had a feeling those banners were only for show. They only seemed to appear on websites that seemed a bit sub-par.
And another thing...
...geeks.com has to answer to the credit card industry? Well, perhaps they will; but only if the credit card industry puts its own house in order first.
The blind leading the blind.
That's a pretty vague way of describing what is happening; there needs to be more detail. Are the details unencrypted and being sent over a VPN (in which case the security of the VPN, within certain limits, would be suitable for PCI regulations), or is the data sent across a point-to-point dedicated leased line, in which case encryption would be good practice, but not 100% required? Or plain text across the internet?
Also, still no clarification if an authorization service is an online 3rd party service, a bank or (highly unlikely) they are going directly to the PCI, be it AmEx, Visa, etc.