It's 2015 and we're being told not to send credit cards as cleartext

The Payment Card Industry (PCI) council has reviewed its guidance to encourage businesses to stop slinging credit card data in cleartext by giving the tick to encryption solutions built from different components, rather than products that handle every step of the data's journey from merchant to banker. The change is reflected in …

  1. simmondp

Only 10 years too late....

By default, data must be appropriately secured when stored, in transit and in use - Jericho Forum Commandment #11, from 2005.

    Great shame to see they've forgotten about "when stored" and "when in use" - maybe in another 10 years....

    1. mark 120

Re: Only 10 years too late....

      PCI 1.0 came in in December 2004, and has always stated that it applies when card data is stored, processed or transmitted.

  2. Small Furry Animal
    Headmaster

    @ElReg Subs

    "Merchants can under the updates themselves manage P2PE solutions for point-of-sale locations, separating duties, systems, and functions between encryption and decryption environments, or pay a provider to do that for them."

    Under the updates, merchants can manage P2PE solutions for point-of-sale locations themselves - separating duties, systems, and functions between encryption and decryption environments - or pay a provider to do that for them.

    FTFY

    SMA (feeling particularly pedantic)

  3. Anonymous Coward
    Anonymous Coward

    Now someone tell the banks

    This is all great advice, but when will the banks be forced to take it? Card data is still sent in clear-text files for settlement between card provider and bank (hopefully at least over sftp/ftps but mileage may vary).

If your little old merchant is expected to abide by these rules, why can't the banks?

    1. Fatman
      Joke

      Re: Now someone tell the banks

If your little old merchant is expected to abide by these rules, why can't the banks?

      BECAUSE the expense doesn't increase shareholder value!!!

      </snark>

      1. Mark 85

        Re: Now someone tell the banks

There's so much truth to that, I'm not sure the Joke Alert! icon is even valid. But it probably needs to be added... "and if there's too much fraud with too much loss, the banks will scream for and get a bail-out".

  4. TeeCee Gold badge
    Facepalm

    Sending card details in plaintext.

    Any expats based in Europe renewed their passports recently?

    Do the bunch of outsourcing thieves[1] based in Paris still force you to do this as the only[2] method of payment they'll accept?

    Dunno which Civil Servant decided to remove the responsibility from the various embassies and set that up instead, but with that track record of sheer fucking idiotic incompetence they're probably a Permanent Secretary by now.

    [1] With the extortionate markup they charge on return postage, the markup on the usual passport costs and the fact that, if you call them, they bill your credit card, per minute, on top of the premium rate number they force you to use, that is the correct word.

    [2] They're based in France so, while there is some electronic payment method available, this doesn't work outside France as it's uniquely French, as per usual there.

  5. phil dude
    FAIL

    one time pads?

How about the credit organisations have a website where you can enter an amount, and you use a local card reader and PIN to generate a unique transaction code that cannot be used more than once.

    Barclays uses this for payments, how hard would it be to make this the default?

    No CC numbers needed...

    P.

    1. Anonymous Coward
      Anonymous Coward

      Re: one time pads?

      Why not just use Paypal? Bitcoin? Deutschmarks or Dollars? Do anything you want me to do ?
