back to article Online payment standards fall on deaf websites

We see a lot of lip service paid to the importance of complying with payment card industry standards when merchants accept credit and debit cards. But it seems plenty of websites still can't be bothered to follow the rules, which are designed to protect their customers against fraud and identity theft. Just last week, Reg …


This topic is closed for new posts.
  1. RW
    Jobs Horns

    You're doing it wrong

    Instead of emailing the company, El Reg or Martti Ylioja should have directly contacted the organization that imposes, and enforces, these rules.

    With a little luck, they'd lower the boom toot sweet...maybe...or are all those rules just window dressing?

    It's really reached the point where no mercy should be shown to sites that so obviously flout good practice, mercy including advanced warning that the jig is up.

    "Vengeance is mine, sayeth the Lord"

    Snr. Ballmer because vengeance seems to be one of his specialties too.

  2. Anonymous Coward
    Anonymous Coward

    And others?

    How come PayPal is allowed to store that?

  3. Solomon Grundy

    @And others

    Because PlayPal isn't remotely a real currency. It's sort of like Monopoly money or game credits. You agree to give PayPal your real money in exchange for their play money. So they don't fall under the same rules as a real financial institution.

  4. lvm

    I wonder...

    whether this website is indeed storing sensitive info or it is just a case of an idiot and form-caching-capable browser?

  5. Kevin

    LoveFilm, HateTheirStupidWebsite

    Signed up for the LoveFilm free 2 week trial, i had to put in my card details but i was assured i would not be charged during the 2 week trial. after those two weeks i decided to cancel my subscription and deleted my account.

    I dont know what made me do it, but i tried logging back in with my old credentials, and not only did it log in successfully, my credit card details were still there!! there is actually no way to competely remove your account just deactivate and reactivate. I emailed them to tell them this and they assured me via email my account was deleted. Nope, logged in again! Credit card details still there! emailed back and i just get told its being investigated by the relevant dept!

    As it wont let me just remove the card from the account without putting another card in its place, i need to make up a fake card. is what they are doing against the law??

  6. GottaBeKidding


    I don't know about anyone else, but I'd be more concerned that this is not a https connection. These details are going out in plaintext, unless the frame is secure, of course.

  7. Maverick

    @ Solomon Grundy

    you missed one . . and because PayPal are a bunch of useless w**kers who flout every known security good practice - you got it right play money! LOL

    To be even handed, Google Checkout rapidly descended into the same mess so I will have nothing to do with either thank you

    Some credit card company integrated verification systems are good, but the the NatWest one is utterly hopeless. From recent experience it simply just does NOT work on the websites of three (yes 3) of the UK's biggest retailers (talking listed companies here).

    First time I thought it might be me (after all I only store about 60 passwords in my secure database so I am obviously not used to this stuff), by the 3rd time in a row and losing a delivery slot for my daughters birthday present . . . well I knew the answer - and it wasn't me!

    No point in complaining of course to such an organisation, so this month's NatWest CC statement will be my last few transactions - after >30 years with the same CC company, so well done lads! Still new, loyal customers like me are SO easy to get eh?

  8. Anonymous Coward
    Anonymous Coward


    Firstly a lot of this seems to be English media paranoia. I work with a group who take payments from all over the world and it's pretty much only English and perhaps Americans who worry about these things.

    Secondly you have to keep the CVC in case the processing company ask questions or the person denies they made the payment.

    Thirdly I checked my agreement with the payment processing company and there's no clause that prevents me keeping the details as long as they are stored in a secure way (the agreement defines this in more detail).

    Of course this is differnet to a web form remembering (via a cookie or is it your browser?) the data. Some browsers remember form data and some don't so I always overwrite the CVC with an empty string just in case!

  9. David Perry


    You'd hope they still make sure you keep the info for cards assigned to your account in a secure manner though.

  10. Matthew Johns

    @Solomon Grundy

    Not quite, the PCI rules are enforced by Mastercard and Visa and apply to their transactions. Paypal isnt included as once it has taken your 'Visa money' all of your transactions are then in 'Paypay money'. All money has to be issued by someone and Paypal's is as valid as Visa's or even Airmiles.

    If someone's not playing by Visa and Mastercard rules then they take it very seriously and will refuse to let those people take their cards. Report these guys to the Visa compliance team and you should get a response.

  11. Paul

    @And others

    Cos even Pay Pal count bidding on ebay as a big gamble

  12. Jon


    Theoretically it would be fine to enter your credit card details into a page received over http if it then posted to an https url. Not that this would be very reassuring for the customer...

  13. Anonymous Coward
    Anonymous Coward


    Not if they then published the non-HTTPS page with your details 'remembered' in it as described here.

  14. Anonymous Coward
    Anonymous Coward

    RE: Rules

    No you are only supposed to retain the CVV number until you have taken payment. Just because the English and Americans complain it doesn't mean we are wrong does it.

  15. mike2R

    Re: https & caching

    By the look of the vertical scroll bar to the right of the the payment info bit, this is being taken in a separate frame, which presumably is using https.

    It does look like it is storing the cvv though, rather than autofilling old results. It isn't just a "please enter your details form" but rather says that these are details that have been provided before. That said it could be that they've stored the rest and have a blank box to fill in the cvv (not uncommon), but his browser has helpfully autofilled it

  16. TrishaD

    @ Rules


    You absolutely not need to keep a CVC under any circumstances.

    And under PCI its expressly forbidden......

  17. Matt

    Re: Re: Rules

    It doesn't mean they're wrong about the rules, although as I say our contract with the payment company doesn't prohibit this.

    I was just lightly commenting that to read English papers or to watch English TV one has the impression that credit cards and bank accounts are being ripped off every second and that we're all about to die.

    Other countries give the impression that you need to be a little careful but it's a fairly rare event.

  18. Chris

    stolen CCs

    You are actually much more likely to have your credit card information stolen if you give it to a waiter/waitress and let them take it out of your sight, than if you use it for an on-line purchase.

  19. Fred

    Discover has a useful service ---

    you can go to their web site - login of course - and get them to give you a one time use CC number, with CV

    you then use THIS value for your online purchase - use it once - forget it.

    if it gets compromised - who cares it only works once.

    Obviously not much use for subscriptions though

  20. Pascal Monett Silver badge

    Paypal excuses

    I've seen some interesting explanations about PayPal here - except for the only one that is needed.

    There is but one explanation for PayPal and its behaviour : PayPal is not a bank. PayPal has not signed any bank charter anywhere, nor is it subject to any banking rules.

    Thus, PayPal can "do what it wants", and that pretty much explains everything that has happened to unwary PayPal "customers".

    Of course, PayPal does get it right sometimes - heck I'll even accept most of the time. Unfortunately, it's not when all is fine that you need help. And when you do need help, PayPal is most definitely no longer your "pal".

    What continues to gall me about PayPal is the fact that this company that is not a bank continues to (mis)manage people's money without any government stepping in and checking what is going on.

This topic is closed for new posts.

Other stories you might like