Hacker News new | ask | show | jobs
by cryptnoob 5882 days ago
I got frightened by all the PCI DSS fear that permeates this board. I assumed you guys had it all figured out, and to a man, you seem to all be of the same mind on this issue. Fear, fear, fear.

When I actual Read the F----ing Manual about this ...., actually read that what was required was peanuts compared to the thousands of posts and comments I've read here pontificating on how to safely store a freaking password to a dating site, I am perplexed. How can a group of people who can talk your arm off for two hours about salts, rainbow tables, hashes, and password entropy, be frightened of PCI? https://www.pcisecuritystandards.org/security_standards/pci_...

I store my own credit card info. Exactly how I do it is none of your business, as, while I don't rely on obscurity for my security, I'd be foolish to deny myself it's added protection. I don't just meet PCI standards, which are easy, I greatly, greatly, exceed them. Why anybody would use a third party billing company is not mysterious, but why somebody who reads HN would do so, is strange to me.

I already know the comments I'll get for uttering such blasphemy. I would respectfully request that you actually spend 10 minutes reading actual PCI DSS guidelines before doing so, however.
3 comments
jacquesm 5882 days ago
Funny. I have a friend in the 'business', he does a very substantial amount of volume every year. I've helped a bit coding the now mandatory 'VBV' component for their system.

The spec was about 400 pages, it took weeks to read it and digest it to find out that it was relatively simple to implement.

This work gave me some insight in what goes on behind the scenes to get those deceptively simple rules from that page that you link put in to practice.

On paper, it's very easy to be PCI compliant. The problem is that in practice it really isn't all that easy. The auditing firms that will verify that you are indeed PCI compliant (you did request an audit?) are not going to sign off on this on a lark, they want really hard proof.

The nasty ones are requirement '9', anything short of a cage at a provider with biometric access protection and a whole host of other measure simply isn't going to do. That alone will outweigh the costs for most small time merchants of doing this by themselves.

Requirement '6', '7', '10', '11' and '12' are beyond the capabilities of most small business to implement anyway.

A guy like cperciva (and you, by your moniker) could probably do it in their sleep but I think you're the exception, not the rule.

It's fairly easy to miss a trick or two, the consequences would be pretty grave, the cost of outsourcing it is actually not that bad so that's the way most people will choose to go.

link
cryptnoob 5882 days ago
Looks like 73 pages... Here's the link https://www.pcisecuritystandards.org/security_standards/pci_...

I'm not saying that a lot of consultants aren't out there, making a crap load of money. Hmmmmm.

link
jacquesm 5882 days ago
There were a pile of supporting document as well regarding all the different encryption protocols that you have to support because the various banks could not agree on a single one.

Also, that's not the VBV documentation but an entirely different thing you are linking to there.

PCI compliance and VBV have little to do with each other, you could be PCI compliant without implementing VBV, but if you implement VBV you probably should be PCI compliant otherwise you will not be using it.

link
modoc 5882 days ago
I respectfully suggest that you undergo a 3rd party Type 1 PCI audit....

The amount of legal and policy documentation you are required to have is by itself a massive undertaking. The 3rd party audit will cost $150,000-$300,000 and a huge amount of man hours.

link
jacquesm 5882 days ago
And he'll come up 'failed'.

If he did get an audit and passed I'll eat my proverbial hat.

link
cryptnoob 5882 days ago
One in every crowd, isn't there?
link
modoc 5882 days ago
One what? One person who's actually undergone multiple type 1 PCI audits? :)

Encrypting the credit card is the smallest part of it (although the number of people who actually pull off the encrypted key, key pieces kept by different people/systems, etc... is low). The networking, server, secure audit/logging to a dedicated server, patch within 90 days, policy documents, and so on are the hard parts.

link
jacquesm 5882 days ago
I note you sidestepped the question that you had been audited by (as they put it so nicely) a "Qualified Security Assessor" to complete your "Report On Compliance" ?
link
cryptnoob 5882 days ago
Well, I have to admit, I am certainly not a 6,000,000 transaction per year merchant, which is when I would need a level 1 audit that you and your friend so gleefully salivate over. I wish I was! If I was, I think it very reasonable to audit your processes to insure security.

In fact, I am a level 4 merchant, to my shame, so I have not spent money having an expensive "Certified QSA Security Consultant" audit my systems. I would remind everybody, that, sadly, they are probably level 4 merchants as well, unless they do over 20K transactions a year. Even if you do more than 20K,you're not in the scary big leagues till you get to 6M transactions.

Finally, I'd like to note that we hear a lot about these "possible fines", in theory, but have you heard of any in real life? I assume they must exist, but I invite you to read about the Heartland data breach, which exposed over 130 million credit card numbers. You'll note they still haven't been fined, but they "may be fined over $150K".

link
jacquesm 5882 days ago
One thing at the time here. Lennart, my buddy does indeed do well over 6M transactions per year, so a level 1 audit is his lot. Technically his company (vxsbill.com) is an IPSP, not a merchant. But because he has the requirement anyway all the merchants that he works with and for benefit from the secure facility that he offers.

If you are a level 4 merchant, so less than 20K transactions per year (which sounds like a lot but really is only about 55 transactions per day, which I've already crossed over all by myself) then you could theoretically roll your own, but you are setting yourself up for a big fall if there ever would be a breach of security involving your site. And you'll still be paying access fees to a gateway, or have you found a way around that?

As for your 'theoretical fines', the two biggest instances that I remember wrecked the companies involved, the first one involved a company called Dacotah Marketing and Research, one of the largest internet billing companies during the .com boom, the second involved iBill.com, which you could probably qualify as their successor.

Both of these companies offered 'third party billing', which is one thing you are at least staying away from.

But if VISA doesn't care about blowing 10K+ merchants to kingdom come by fining an IPSP that does not abide by their rules out of existence, you certainly are not going to be felt any more than a gnat would be felt if a car ran over it.

They really don't care about individual merchants at VISA or MC, and to work with a large to mid sized IPSP will have a significant advantage in that effectively you are bundling your negotiation powers against the card issuers.

This will help during acceptance, charge back issues, merchant account revocation for some imaginary sleight and so on (you did check if you have permission to run those logos, did you get it in writing?).

Last but not least, working through an IPSP rather than 'rolling your own', no matter how satisfying is that you get the benefit of a large pool of knowledge on scrubbing and pre-authorization checks to make sure that your customer is legit. But of course you've never had a fraudulent charge.

I don't know much about the Heartland data breach, other than what I read in the media so I'll decline to comment on that.

Let me close this bit with that 100 days ago you didn't know about PCI at all (http://news.ycombinator.com/item?id=1092224) and now you are the expert in the field and will tell people that they should just roll their own because you slapped something together and it worked - so far.

Me, I'll be leaning on a decade+ of experience and a couple of very dedicated employees to make sure that my money keeps rolling in, and that my customers data does not get compromised. There is only so much time.

I also don't make my own computer chips, circuit boards, and so on. I've found it to be un-economical to do so and the same logic is what stops me from rolling my own billing solution.

Incidentally, I'm the original author of 'webpay', the software that powered the first major IPSP, so it's not as though I wouldn't have an idea where to start, but some things require a whole lot more dedication than I'm willing to spend on it to do it right.

http://web.archive.org/web/19980507122555/http://mattheij.nl...

cheers!

edit: afterthought, you may be talking cross purposes when you compare the $150K that Hearland might be fined to the most common kind of fine, the chargeback penalty. If you haven't had a chargeback yet then I urge you to read up on this and why scrubbing is so important, especially if your volume is low a single group of unfortunately timed chargebacks can kill your merchant account, depending on your contract the permissable percentages can be as low as 0.7% of the volume in the running month, the latter is a real problem is there is a temporary change in volume on your website. I'll leave it up to you to figure out why that is a problem.

link
noonespecial 5882 days ago
Meeting the guidelines is a piece of cake. Proving it is like disproving that invisible dragon in Carl Sagan's garage.
link