Retailers Fighting To No Longer Store Credit Data 136
Technical Writing Geek writes with the news that the retail industry is getting mighty fed up over credit card company policies requiring them to store payment data. The National Retail Federation (NRF) has gone to bat for store owners, asking the credit industry to change their policies. The frustration stems from payment card industry (PCI) standards and new security measures going into place across the retail experience. Retailers are now trying to point out that many of the elements of the standard would not be a requirement if they didn't have to store so much payment data. "Even if the NRF's demands were immediately met, it would take several years before retailers could purge their systems and applications of credit card data, he said. Over the years, retailers have collected and stored credit card data in myriad systems and places -- including relatively old legacy environments -- and they are just now realizing the data can be a challenge, he said. Purging it can be a bigger headache because the data is often inextricably linked to and used by a variety of customer and marketing applications; simply removing it could cause huge disruptions."
Re:Data Theft (Score:5, Interesting)
Re:Six letters for this. B O O H O O (Score:2, Interesting)
Why are these people "only now" realizing what this entails?
Oh yeah. Because they ignored it until they couldn't ignore it anymore.
Because the standard attempts to cover a widely disparate set of industries which have wildly different requirements, from Internet Ecommerce sites to the cashier at Ross.
Details of the standard are often in the eyes of the auditor. Auditor A may have one opinion, and you pass. Auditor B has a different opinion, and then you fail.
The standard is hopelessly vague when it comes to Ecommerce, and barely addresses network security, uses vague terms like 'deny all access to the server' without specifying specifics or context --- did you mean 'Deny physical to the server' vs. 'Deny SSH access to server' or 'Deny ALL access to the server, which means that my developer can't use a *webbrowser* to "Access the server"'. PCIDSS doesn't always make a distinction between which systems need to be L1 compliant vs L2.
Re:Data Theft (Score:5, Interesting)
"Nobody sniffs the wire or does man in the middle attacks to collect the data, because it's often very difficult, and requires physical access to cables."
No, usually a bot is placed in a router that does it for you. There is very little need to be physically at the wire it most cases, anymore.
OTOH, since his 'better method' was only better under the fallacy that no one watches the line.
As someone who has written sniffer to ferret out unauthorized movement of SSN within an organization, I can honestly say that I never physically went to any router or box to do the install.
Actually, now that I am thinking about it(it's been 10 years) I didn't physically go to one location.
I took a switch/router that I installed the bot on and physically unpluged a network cable, plugged it into this router and then plug a cable from the router to the port. No one monitoring the network noticed anything. It took me about 4 seconds to add the switch.
That was done on a bet.
Re:Data Theft (Score:2, Interesting)
In a way this is actually more secure than your professor's solution since it does not require the credit card company (read: banks) payment network to be exposed to retailers' systems, but instead, just a handful of companies specializing in card processing who are subject to very strict security standards (the gateways).
It's very simple (Score:5, Interesting)
In spite of the smokescreen being thrown up by the big credit cards, it's really very simple.
The banks ALREADY have and must keep all of the information. Their byzantine PCI standards demand that the merchants keep a full duplicate of this highly sensitive data and dictate how it must be stored. The merchants maintain (correctly) that if the banks had as much intelligence as a slug all they would need to retain is non-sensitive (and useless to identity thieves) transaction/approval numbers rather than very sensitive cc numbers and identifying info.
In other words, in spite of what the banks claim, this is about reducing the risks and liabilities rather than shifting them. In fact, it's the banks that are trying to spread liability by maintaining a situation where they can plausibly play the blame game.
Various schemes have been available for DECADES to make sure that fraudulant credit transactions can not happen but the banks have fought against them tooth and nail in order to keep the current approach where name and cc number are all that's needed to commit fraud. They're also the ones that have been routinely offering big limit credit cards to toddlers, dogs, and cats then trying to stick innocent 3rd parties with the liabilities.
The entire identity theft problem only exists because of the very same banks. I'll bet that it would all stop instantly if a law was passed banning any attempt at collections for credit card debt unless the bank can present a picture of the alleged debtor actually signing the agreement for the account AND that without a digital transaction signature, the cardholder is presumed NOT to be liable for the charge. You can be assured that credit cards with useful smart chips and public key signature capability would be implemented the INSTANT such a law went into effect.
Please feel free to visualise (or not!) an analogy involving identity thieves, defrauded individuals, bank managers and goatse.
Worse than that! (Score:2, Interesting)
Hell, I still support a POS system for a fairly large chain of dry cleaning shops that only runs on MS/DOS and uses a Lantastic peer-to-peer LAN in each store, and each store talks to the main office via LapLink and dialup modems each night to transfer it's daily sales data.
I was having hell locating motherboards that still had ISA card slots for the old Lantastic nics and dual RS-232 serial cards (each POS PC needs 4 serial port connections), but recently bought a whole truckload of ~1997-1998 vintage Gateway 2000 boxes with classic Pentium 233MHz cpus that work great, all for $100 the whole lot, so this dry cleaners company will keep running this old system for many years to come.
Agencies and bullshit (Score:2, Interesting)
I have to post this anonymously, because I certainly don't want it to ever come back to bite my client, and also this requires me to be vague and my story somewhat hard to read. So here goes.
We have some software that tracks a certain kind of data. There is really no reason whatsoever that social security numbers should be part of this data. However, certain "upstream" entities, whom my client's customers depend on accepting my client's reports for "accreditation" purposes started requiring social security numbers attached to reports. Now, we're really not a bunch of retards, so our first response was to leave a blank space on our reports and let the customers fill this in themselves. But eventually some of the agencies decided that wasn't good enough, and required that we collect social security numbers from our customers, store them, and print them on reports. So we did this.
Fast forward a few years, not only has SOX put in a whole batch of requirements on companies that store that kind of info (which we have complied with), but some of the "upstream" agencies which we deal with, because of complaints from their membership, are now requiring that we not collect or store social security numbers, while others are still insisting that we do. Fucktards! There are really days when I want to buy a plane ticket and go strangle some of these dumbshits!!!
Re:Speaking from experience... (Score:2, Interesting)
The standards themselves are a collection of best practices that all make sense individually, but it seems like a protection racket where only the certified consultants can pronounce you pure.
I'd be interested in hearing about any experiences that others have been through for the level 1 certification.