Comments on: Visa To Acquirers: Stop Forcing PAN Retention http://storefrontbacktalk.com/securityfraud/visa-to-acquirers-stop-forcing-pan-retention/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Wed, 08 Feb 2012 16:02:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Howard Falcon http://storefrontbacktalk.com/securityfraud/visa-to-acquirers-stop-forcing-pan-retention/comment-page-1/#comment-80742 Howard Falcon Thu, 29 Jul 2010 13:27:27 +0000 http://www.storefrontbacktalk.com/?p=5704#comment-80742 Alex, your insight into PCI is outstanding. I now don't feel like I am the only one that thinks that PCI is nothing more than the good old boys putting together another business to make a ton of money on forced fees. Alex, your insight into PCI is outstanding. I now don’t feel like I am the only one that thinks that PCI is nothing more than the good old boys putting together another business to make a ton of money on forced fees.

]]> By: Alex Wieder http://storefrontbacktalk.com/securityfraud/visa-to-acquirers-stop-forcing-pan-retention/comment-page-1/#comment-78364 Alex Wieder Thu, 15 Jul 2010 15:31:56 +0000 http://www.storefrontbacktalk.com/?p=5704#comment-78364 I've been saying it for years.. Why the &$##$@(& do merchants store ANYTHING? The only exception being subscription services that need to bill users periodically, and even that can be done differently, securely, and just as efficiently. The convenience customers get for not having to present a credit card when they return something they bought is far out-weighed by the risk involved in trusting a stranger with your card's information. PCI is just like the patriot act. Totally useless other than for PCI-certifying agencies, which are now making a ton of money charging for the privilege of having merchants answer ridiculous surveys "correctly". Alex I’ve been saying it for years.. Why the &$##$@(& do merchants store ANYTHING? The only exception being subscription services that need to bill users periodically, and even that can be done differently, securely, and just as efficiently.

The convenience customers get for not having to present a credit card when they return something they bought is far out-weighed by the risk involved in trusting a stranger with your card’s information.

PCI is just like the patriot act. Totally useless other than for PCI-certifying agencies, which are now making a ton of money charging for the privilege of having merchants answer ridiculous surveys “correctly”.

Alex

]]> By: PCI Guy http://storefrontbacktalk.com/securityfraud/visa-to-acquirers-stop-forcing-pan-retention/comment-page-1/#comment-78361 PCI Guy Thu, 15 Jul 2010 15:05:06 +0000 http://www.storefrontbacktalk.com/?p=5704#comment-78361 I guess that means merchants will soon be required to switch to 'host-based' processing systems, and deal with all the associated headaches, since the 'terminal-based' transaction systems most merchants are currently using require storing PANs until the settlement batch is submitted. (Or does that not count as 'storage'? Neither the PCI Council nor the card brands have been willing to clarify that point.) I guess that means merchants will soon be required to switch to ‘host-based’ processing systems, and deal with all the associated headaches, since the ‘terminal-based’ transaction systems most merchants are currently using require storing PANs until the settlement batch is submitted. (Or does that not count as ‘storage’? Neither the PCI Council nor the card brands have been willing to clarify that point.)

]]> By: pcidssguy http://storefrontbacktalk.com/securityfraud/visa-to-acquirers-stop-forcing-pan-retention/comment-page-1/#comment-78352 pcidssguy Thu, 15 Jul 2010 13:12:31 +0000 http://www.storefrontbacktalk.com/?p=5704#comment-78352 Rearranging the deck chairs… While you must applaud Visa for coming out with a strong recommendation to improve the payment system, this particular action will do nothing to reduce the frequency of merchants getting breached. PAN data has very limited value to the criminals. You can’t make a counterfeit card with it. The major threat to merchants today is the memory parsing malware that was identified by Trustwave back in 2008. The way to protect against this threat is to secure the merchant’s network, a PCI-DSS requirement. End to end encryption is starting to look like a promising security layer as well. A more meaningful recommendation for the acquiring banks would have been: “Now that we’re past July 1 and all your merchants are running PA-DSS validated software, please make sure they install a commercial firewall and stop using their POS system for surfing the internet.” If this recommendation becomes an edict, it will create costly churn for the merchants, acquiring banks and technology providers that does nothing to stop the breaches. Rearranging the deck chairs… While you must applaud Visa for coming out with a strong recommendation to improve the payment system, this particular action will do nothing to reduce the frequency of merchants getting breached. PAN data has very limited value to the criminals. You can’t make a counterfeit card with it. The major threat to merchants today is the memory parsing malware that was identified by Trustwave back in 2008. The way to protect against this threat is to secure the merchant’s network, a PCI-DSS requirement. End to end encryption is starting to look like a promising security layer as well.

A more meaningful recommendation for the acquiring banks would have been: “Now that we’re past July 1 and all your merchants are running PA-DSS validated software, please make sure they install a commercial firewall and stop using their POS system for surfing the internet.”

If this recommendation becomes an edict, it will create costly churn for the merchants, acquiring banks and technology providers that does nothing to stop the breaches.

]]>