SecurityFocus, 2007-10-09
Beset by the public-relations nightmare of numerous data breaches, U.S. retailers proposed last week that they not be required to store credit-card data following a transaction.

It's a practical fact that every single one of these big compromises involved stored credit card data sitting on a server - not storing it reduces risk enormously.
The retailers have a legitimate complaint; they are forced to store the full card number, as it's needed to generate settlement batch files, and is also required to process follow-on transactions (refunds, automated monthly billing, etc.) ... what they are asking for here is for the banks to take on that responsibility.
The article contains one other significant misleading comment - it says that you don't have to store the CSC (CVV2, CID2, etc.) number, when in fact, the card issuers *forbid* you to store it - you are only allowed to hold it for the time required to auth the initial transaction, which is typically a few seconds.
The CSC system was introduced specifically to prevent online use of stolen cards (unlike the PIN, the CSC is thankfully not stored on the magnetic stripe) and to offer a reliable alternative to the AVS street number and ZIP checking for fraud detection - AVS is a retrofitted hack and has an error rate of nearly 5%, which makes it more or less worthless in many environments.
PCI DSS has a lot of good practical security policy in it, but it has no scaling at all, and it is very much aimed at large installations - the same rules theoretically apply to momandpop.com as to Bank of America, though the Level 3 and 4 self-certification loophole ensures that mom and pop don't ever follow it in practice - more new clothes for the emperor.
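The retention rules the comment describes (CSC held only for the auth call, stored records limited to what settlement and refunds need), as an added example that is not part of the comment or of any real processor's API; `authorize_with_processor` and the `auth_ref` token are hypothetical stand-ins, and the card number and CSC are constructed sample values.

```python
"""Added example: use the CSC only for the initial authorization and persist
a record that holds neither the CSC nor the full PAN. The processor call is a
hypothetical stand-in that mints a random reference token."""
import re
import secrets
from dataclasses import dataclass


@dataclass
class AuthRequest:
    pan: str           # full primary account number, needed for auth only
    expiry: str        # MMYY
    csc: str           # CVV2/CID/CVC: must never be written to disk
    amount_cents: int


@dataclass
class StoredTransaction:
    masked_pan: str    # first 6 + last 4 digits only
    expiry: str
    amount_cents: int
    auth_ref: str      # processor reference used for refunds / recurring billing
    # deliberately no csc attribute: the persisted record type cannot hold one


def authorize_with_processor(req: AuthRequest) -> str:
    """Hypothetical processor call: checks the CSC format, returns an opaque reference."""
    if not re.fullmatch(r"\d{3,4}", req.csc):
        raise ValueError("CSC must be 3 or 4 digits")
    return "auth_" + secrets.token_hex(8)


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 digits of the PAN."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def process_sale(req: AuthRequest) -> StoredTransaction:
    auth_ref = authorize_with_processor(req)
    record = StoredTransaction(mask_pan(req.pan), req.expiry, req.amount_cents, auth_ref)
    req.csc = ""       # the CSC lives only for the duration of the auth call
    return record


def contains_cardholder_secrets(row: dict) -> list[str]:
    """Detection check for a persisted row: flags any CSC-named field and any
    value that still looks like a full 13-19 digit PAN."""
    findings = []
    for key, value in row.items():
        if key.lower() in {"csc", "cvv", "cvv2", "cid", "cvc"}:
            findings.append(f"{key}: CSC must never be stored")
        elif re.fullmatch(r"\d{13,19}", re.sub(r"[ -]", "", str(value))):
            findings.append(f"{key}: unmasked PAN")
    return findings
```

Running `contains_cardholder_secrets` over exported database rows is a cheap way to confirm that neither the CSC nor a full PAN has leaked into storage.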