Marc Rohloff [TeamB]
2006-05-25 06:36:44 AM
Re: Obligations for storing credit card numbers
On Wed, 24 May 2006 15:19:48 -0400, Wayne Niddery [TeamB] writes:
Quote
What good is storing only the last 4 digits? You can not do anything with it,
--
Marc Rohloff [TeamB]
marc rohloff -at- myrealbox -dot- com
Marc Rohloff [TeamB]
2006-05-25 06:40:12 AM
Re: Obligations for storing credit card numbers
On Wed, 24 May 2006 14:12:53 -0400, Jim Rowell writes:
Quote
Lance R. writes:
except the SSA!
--
Marc Rohloff [TeamB]
marc rohloff -at- myrealbox -dot- com
Henrick Hellström [StreamSec]
2006-05-25 07:45:22 AM
Re: Obligations for storing credit card numbers
Jim Rowell writes:
Quote
Obviously good policy but I really can not see there being any serious
is seriously compromised (such as a database is stolen from a {*word*40} site), it is possible for the credit card company to cross reference customer complaints with transaction history, to track down the point of compromise. That vendor might then be held liable.
Some years ago I encountered a hacker that had taken this one step further. Apparently he had stolen credit card numbers from a {*word*40} site and used them for purchasing lots of products on the Internet, including ours. The interesting thing about the credit cards he used was however that practically all of the credit card owners were members of different political or otherwise vocal Christian organizations in the U.S. I guess the hacker had found it amusing they had paid for {*word*40}. ;)
Bob Dawson
2006-05-25 09:36:20 AM
Re: Obligations for storing credit card numbers
"Craig Stuntz [TeamB]" wrote
Quote
Though normally I do tend to trust Henrick (StreamSec) on that topic.
bobD
Stuartj
2006-05-25 10:37:24 AM
Re: Obligations for storing credit card numbers
"Chris Burrows" <XXXX@XXXXX.COM> writes
Quote
"Stuartj" <stuartjatcmshospdotcomdotau> writes
add strength to my argument.
Stuartj
2006-05-25 10:40:19 AM
Re: Obligations for storing credit card numbers
Thanks everyone for the discussion and your input.
To be honest, I can't believe that I'm having to form an argument on the merits of encrypting this sort of sensitive data. Glad to see that I'm not the only one who sees it as a no-brainer.
Thanks once again for the discussion.
Stuart
Wayne Niddery [TeamB]
2006-05-25 11:49:39 AM
Re: Obligations for storing credit card numbers
Stuartj writes:
Quote
Wayne Niddery - Logic Fundamentals, Inc. (www.logicfundamentals.com)
RADBooks: www.logicfundamentals.com/RADBooks.html
"If there is any principle of the Constitution that more imperatively calls for attachment than any other, it is the principle of free thought - not free thought for those who agree with us, but freedom for the thought that we hate." - Oliver Wendell Holmes
Stuartj
2006-05-25 12:28:04 PM
Re: Obligations for storing credit card numbers
"Wayne Niddery [TeamB]" <XXXX@XXXXX.COM> writes
Quote
Stuartj writes:
JEM
2006-05-25 09:10:47 PM
Re: Obligations for storing credit card numbers
Quote
this is the kinda of method I've proposed but have been shouted down as it to do. But, that being said, every one of those stored numbers represents a potential participant in a class action suit against your company if your scheme is ever compromised.. IOW, you probably should "lawyer up" before you put this little scheme in place..
David Farrell-Garcia
2006-05-26 12:29:21 AM
Re: Obligations for storing credit card numbers
Wayne Niddery [TeamB] writes:
Quote
That's pretty much standard practice now - no reputable merchant card numbers being printed on receipts.
Quote
What good is storing only the last 4 digits? You can not do anything
and removes any possibility of having the credit card numbers fall into the wrong hands. Our application is retail POS, not internet, so the cards are almost always swiped so the customer does not really have to enter anything.
Example: Customer brings back an item for a refund but does not have receipt. Clerk pulls up original sale and asks the customer for his Visa card ending in 1234. That card is used to credit the customer. This is all that our application requires. It may be different for other types of applications that require recurring billing to a credit card.
David Farrell-Garcia
2006-05-26 12:29:22 AM
Re: Obligations for storing credit card numbers
Jim Rowell writes:
Quote
Obviously good policy but I really can not see there being any serious
phone number and credit card number/expiration date is often all that is needed for a criminal to use your customer's card. Credit card numbers are not secret, as you say, but those numbers along with other identifying information makes it easy for thieves. Social Security numbers are not secret either but I certainly would be careful who I gave mine to.
Jim Rowell
2006-05-26 02:16:48 AM
Re: Obligations for storing credit card numbers
David Farrell-Garcia writes:
Quote
Jim Rowell writes:
precautions, I doubt there is any liability since a whole bunch of personal info and a credit card number are not enough to legally complete a transaction. Of course it *is* enough to *illegally* complete it but then the liability rests with the thief and the credit card company that allowed it rather than the company the records were stolen from.
I am just giving a layman's opinion here, of course. I am sure a judge would say the database was only one of many possible sources, most of which would be far less protected and absolve the DB owner of liability providing the system was locked down reasonably well. Actually I would bet money it would never get as far as a judge.
At the same time, I am not sure I would do business with a company that held on to the numbers with no good reason. Credit cards have almost no inherent security other than vigilance and effort on the part of the credit companies and vendors. It is a very poor system that needs fixing soon!
--
Jim Rowell
TObject
2006-05-26 01:45:31 PM
Re: Obligations for storing credit card numbers
"Jim Rowell" <XXXX@XXXXX.COM> writes news:XXXX@XXXXX.COM...
Quote
precautions, I doubt there is any liability since a whole bunch of personal
But it is a good idea to verify other attributes, for your own protection.