by franciscop 1335 days ago
> "The security of your card details is only marginally improved"

Please don't be ridiculous. I understand you have to instill fear in the people reading this for them to use your service, but security has improved by orders of magnitude from what you described back then to today:

- I'm going to guess no HTTPS 20 years ago (it was formally specified 22 years ago).

- Merchant employee has access to the raw data of your credit card. Lowest paid one probably, since it's manual data entry.

- Send this data using email, which is not secure at the sending point, the receiving point, or in transport.

- On to the ordering service, where again a lowly paid employee has access to the raw credit card data.

- At none of these points, except the first, was the payment amount confirmed/verified by the client.

- At none of these points is the author of the order verified to be the legit owner of the card.

Today, sure, it's still complex, but we basically have 2FA, card tokenization, client verification of payments, forced HTTPS, etc., which remove all of the insecure points mentioned above.

Disclaimer: I recently joined Stripe; opinions my own though, ofc.


I think you miss the point that card payments should never have evolved to still require us to type sensitive data into a web form at all.

Also, don't forget that 2FA etc. are not ubiquitous, especially not in the US.

As I implied, PCI DSS is lipstick on a pig. We could have done much better in the last 20 years. Now Apple and Google are doing it for us and we won't have any choice but to get further locked into their walled gardens.

No, I get and agree with that point, but the article also literally says the line I quoted above! Those are not mutually exclusive.

Apple and Google Pay, I feel, will somehow get stuck in the USA. I'm from Spain, and seeing how convenient payments are over there, I can def not see how they will get any meaningful penetration. It's funny, because every year that I've come back to Spain (now I live in Japan) there's been a totally different but more convenient way of paying there. I need to write about it some day. Like, I'm the last person who expected payment methods would have a 1-year turnaround in the "old school" country of Spain! But somehow it happened, and without locking foreigners out (which is common e.g. in Japan, where you have all these "strange" payment methods that are inscrutable for tourists).

Your timeline is off, Netscape Communications created HTTPS in 1994.

So while it became a formal specification in 2000, browsers were already supporting it at the time.

True, I just searched for when the standard was created. My point still remains that by 2002 most sites were probably without HTTPS, though. Heck, I remember in ~2012, when I started programming, about half of the login sites I used were without HTTPS!

Took a quick look and SSL was 1994, so going on 30 years. The formal specification may have taken a bit longer, but I definitely remember using SSL in the '90s.

Yep. I remember it being recognized as essential for payments in 2002.