Hacker News new | ask | show | jobs
by beilabs 4833 days ago
How would this sit with payment gateways from a PCI standpoint?

An ideal customer would be an e-commerce marketplace, I imagine that Sift Science would want to receive as much information about the customer as possible, including credit card / address details. Are you guys completely PCI compliant? You're taking 10 out of 16 credit card digits...

From a quick glance of your website you make no reference to PCI.
2 comments
brandonb 4833 days ago
Great question. We should add it to a FAQ. The PCI-DSS rules apply to systems that store the entire credit card number ("PAN" in PCI-DSS parlance). We don't accept the full credit card number -- just the first six digits (which identify the type of credit card and bank) and the last four (typically printed on receipts), which the PCI-DSS rules allow for. So if you're PCI compliant already, you'll still be PCI compliant if you use Sift Science.
link
beilabs 4833 days ago
Thanks for the information, I think I'll be in touch about an account in the next few weeks for a marketplace I'm developing.

Perfect timing too, I just started looking at our options for developing something similar internally.

Would love to see the systems that Etsy / Ebay for handling this type of fraud.

link
Volpe 4833 days ago
https://siftscience.com/docs/rest-api

There is no requirement in their api to supply CC details... so no requirement to be PCI.

So it would be weird if they did mention PCI...

The first 6 and the last 4 is not enough to make a valid CC... And if you are still guessing the last details then it's the same as just guessing the full number. (just you'll get their quicker)

link
alttag 4833 days ago
No, but 10 of 16 numbers that must conform to a checksum algorithm significantly reduces the search space to a point that a brute force seems trivial if other information is already possessed (e.g., zip code, or especially, cvv).
link
nwh 4833 days ago
The MyKi ticketing system in Australia prints the first 6 digits, last 4 digits, expiry date and full name on it's recepts. I mentioned to them in the past how easily it could be attacked, but the response was "nobody would do that".
link
Volpe 4829 days ago
Brute forcing "ALL" the credit card numbers is not hard... Limitiing the search space doesn't make it easier... it just saves a little bit of electricity.
link