Geeks.com settles charges claiming its security was crap Geeks.com, a large online seller of computer hardware and software, has agreed to allow federal regulators to monitor its website security for 10 years to settle charges it violated federal laws requiring it to adequately safeguard sensitive customer data. The agreement, which also applies to sister site computergeeks.com, …
" Payment card industry regulations require merchants to follow a maze of procedures designed to protect card data as it's stored on servers and zapped to authorization services"
Then why do the authorisation services _let_ you connect to them without using SSL or similar?
Doesn't excuse these people in any way, shape or form, but still...
Could it be because SSL is just used for transport security of insecure data .. whereas transactions could be digitally-signed and encrypted as the content of traffic, e.g. signed SOAP over HTTP ?? SSL would give extra security against proxy or MiM attacks but for these financial transactions I would hope that each transaction is separately protected from both alteration (e.g. signing with SHA1 or better, using public key certificates) and eavesdropping (AES/3-DES encryption using public key certificates) rather than just relying on end-point transport layer security.
PCI-DSS does require all access to data is secured (e.g. SSL, edge firewalls, RBAC) and that the card holder data (PAN) is held on servers in encrypted form and then only as long as is strictly necessary. If transactions are transferred in their encrypted form then I can see how easy it would be decrypt them in memory only when necessary and keep them in the databases secured.
Which payment authorisation services let you connect to them with non-secure connections? Do you have any examples?
A payment authorisation service, isn't a Bank or a Merchant, they are Visa, Mastercard, AmEx etc. You usually wouldn't connect to their servers directly, instead your merchant would send your information to the bank, who would then relay the request for you.
If you know of merchants, or even banks who allow non-secure connections they'll be in for a big kicking from the PCI.
Read the article.
>Names, addresses, credit card numbers, and other data were routinely sent unencrypted to >authorization services, making them ripe for identity thieves, the complaint alleged.
frymaster then quite sensibly asked why these "authorization services" accepted unencrypted data in the first place.
That's a pretty vague way of describing what is happening, there needs to be more detail. Are the details unencrypted and being sent over a VPN (In which case the security of the VPN, within certain limits, would be suitable for PCI regulations.) or is the data sent across a point to point dedicated leased line, in which case encryption would be good practice, but not 100% required. Or plain text across the internet?
Also, still no clarification if an authorization service is an online 3rd party service, a bank or (highly unlikely) they are going directly to the PCI, beit AmEx, Visa, etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
