Posted Saturday 7th February 2009 01:43 GMT
" Payment card industry regulations require merchants to follow a maze of procedures designed to protect card data as it's stored on servers and zapped to authorization services"
Then why do the authorisation services _let_ you connect to them without using SSL or similar?
Doesn't excuse these people in any way, shape or form, but still...
Posted Saturday 7th February 2009 19:48 GMT
Could it be because SSL is just used for transport security of insecure data .. whereas transactions could be digitally-signed and encrypted as the content of traffic, e.g. signed SOAP over HTTP ?? SSL would give extra security against proxy or MiM attacks but for these financial transactions I would hope that each transaction is separately protected from both alteration (e.g. signing with SHA1 or better, using public key certificates) and eavesdropping (AES/3-DES encryption using public key certificates) rather than just relying on end-point transport layer security.
PCI-DSS does require all access to data is secured (e.g. SSL, edge firewalls, RBAC) and that the card holder data (PAN) is held on servers in encrypted form and then only as long as is strictly necessary. If transactions are transferred in their encrypted form then I can see how easy it would be decrypt them in memory only when necessary and keep them in the databases secured.
Posted Saturday 7th February 2009 21:22 GMT
Which payment authorisation services let you connect to them with non-secure connections? Do you have any examples?
A payment authorisation service, isn't a Bank or a Merchant, they are Visa, Mastercard, AmEx etc. You usually wouldn't connect to their servers directly, instead your merchant would send your information to the bank, who would then relay the request for you.
If you know of merchants, or even banks who allow non-secure connections they'll be in for a big kicking from the PCI.
Posted Sunday 8th February 2009 18:06 GMT
Read the article.
>Names, addresses, credit card numbers, and other data were routinely sent unencrypted to >authorization services, making them ripe for identity thieves, the complaint alleged.
frymaster then quite sensibly asked why these "authorization services" accepted unencrypted data in the first place.
Posted Monday 9th February 2009 11:09 GMT
Why is geek.com getting the bashing? Surely the fault lies squarely with McAfee for not correctly testing the defences and making sure the changes were made?
Posted Monday 9th February 2009 11:40 GMT
I always had a feeling those banners were only for show. They only seemed to appear on websites that seemed a bit sub-par.
Posted Monday 9th February 2009 11:40 GMT
...geeks.com has to answer to the credit card industry? Well, perhaps they will; but only if the credit card industry puts its own house in order first.
http://www.theregister.co.uk/2008/12/20/american_express_website_bug_redux/
The blind leading the blind.
Posted Monday 9th February 2009 19:32 GMT
That's a pretty vague way of describing what is happening, there needs to be more detail. Are the details unencrypted and being sent over a VPN (In which case the security of the VPN, within certain limits, would be suitable for PCI regulations.) or is the data sent across a point to point dedicated leased line, in which case encryption would be good practice, but not 100% required. Or plain text across the internet?
Also, still no clarification if an authorization service is an online 3rd party service, a bank or (highly unlikely) they are going directly to the PCI, beit AmEx, Visa, etc.
Sign up, sign up for The Register's weekly IT security newsletter - click here
Back to the article
