Visa yanks creds for payment card processing pair Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security. The move follows announcements by both companies that they experienced data breaches that exposed details for a large …
Visa does not supply a one time tokens, banks do, blaming the processors doesn't fix their problem. They need to provide a one time token for their Visa cards and an authentication mechanism to verify that token when buying online.
iDeal is the solution IMHO, it uses the banks one time token to perform a direct debit.
Worldpay cannot fix Visas problem, Worldpay on the other ARE in iDEAL via their ABN AMRO purchase. So they should push people towards that and proper security.
PCI compliance is an exercise in feelgood, nothing more. There are SO many vulnerabilities in credit card processing it is downright hilarious. PCI compliance is being forced on everyone, down to mom&pops who process 5 cards a day - and they are being told THEY are the risk - the risk is that the system itself is basically flawed, and as used can never be secure.
What's even more amazing is that the software to solve this problem already exists. When you do an online transaction, some banks create a one-time-use authorization number. That number only works for that transaction, you could broadcast it around the world and it would be utterly useless. The merchant never sees your card number, the processor only sees the authorization number, the only people who are in on it are you and your bank.
PCI is patching a rowboat made out of window screening - an exercise in futility. MasterCard and Visa are just trying to shift the risk to someone else to cover their own behinds - that is of course easier and cheaper than developing a truly secure system and solving the problem.
I had a WorldPay account once. I used a unique email address for all my communications with them, and it started getting spam - from one of their competitors. My guess was a disgruntled former employee taking a list with him. They didn't seem even slightly concerned when I told them.
Posting anonymous as I don't want this comment linked back to me. But the bank's insistence on us all becoming PCI-DSS compliant is seriously grating. In the particular industry I work in, there are a sum total of three sales systems. None of the three suppliers have succeeded in getting their databases and payment systems to be PCI-DSS compliant. The banks fine us for not being compliant. What do they expect us to do? Pull compliancy out of our arse?
PCI is a weak standard at best.
There are reasons why its weak, and it should be treated as a minimum level of security.
Unfortunately IT in retail is not a money maker but a cost center so retailers will do anything to cut down on their IT costs regardless of the consequences.
Could TJX been avoided? Absolutely.
Could the hacks at the clearing and payment processors been avoided? Sure, but if its an inside job, the amount of work securing the systems is a bit more tricky. Not to say that it couldn't be done, but that an insider has more avenues of attack and its harder to protect.
You have to understand that you're only focusing on one vector of attack. If you want to get down to the nuts and bolts, there's only one database that offers the extensibility to lock down the database and still provide the OLTP performance. IBM's Informix engine. But even there, it takes a bit of skill and a lot of planning. Money Retailers don't want to spend.
Is that the real decision makers in a company usually regard it as an IT problem. I would be willing to bet good money that apart from a few high profile hacking or malware cases, the vast majority of credit card fraud is carried out by dishonest or disgruntled employees and this is made possible by weak vetting procedures or poor line management.
It was an open secret for years within RBS Card Services that it and its subsidiaries didn't meet the standards for VISA or Mastercard. You may imagine that the banks' processing was high tech but a big chunk of the processing used to be done on Excel; splitting up files so that they were less than 64k lines each! The sheer number of transactions meant that they wouldn't pull the plug on RBS.
Anonymous due to proximity.
So Worldpay is no longer PCI-DSS compliant and VISA have told them off and removed them from the official list....how amusing.
Try going to www.visabs.com (the Visa Business School website), pick a course, and go to the "add your email/register/pay/whatever" page for it - you'll see at the bottom that this delightful service is processed through....that's right, Worldpay :-)
While PCI DSS compliance may help prevent some attacks, it, like everything else, does not guarantee security. Since processors must accept unsolicited data from untrusted sources (sources they do not control and therefore cannot be assured of anything), and because they use general-purpose software running on general-purpose operating systems which themselves run on general-purpose computers, there is literally no way to guarantee security. There could be any number of vulnerabilities in the hardware itself, the OS, the apps, the communication medium, or through social engineering. That said, they (in theory, at least) do cut down on the possible exposure to known exploits.
Simply put, people have to realize that compliance does not guarantee security, especially since the processors are only audited (tested) once per year. McAfee's "hacker-safe" tests sites every day, and even that doesn't guarantee security. It just means that the sites are protected against known exploits.
re: Disingenuous -- "Visa does not supply a one time tokens, banks do... They need to provide a one time token for their Visa cards..." Your argument falls flat on its face when you realize that Visa does not provide cards, the banks (the ones lending the money) do. They (the banks) are the ones who decide what type of cards to use and what level of security the cards use.
re: "Retrospectively decertifying them on the grounds that 'Oh, well if they got hacked they must not have been secure after all', merely points out that the original certification process is worthless and guarantees nothing." The article mentions nothing of the sort. It does, however, say ""Based on compromise event findings, Visa has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers", which is something very different. Most likely, it means those processors were storing data they are not allowed to store, or the findings showed that they did not have the proper protections in place. Since they don't explicitly say, we don't know why the processors were decertified. However, as I pointed out above, even full compliance is not a guarantee of security.
Simply put, there is literally no way to guarantee security. Ever. Period. You can do a lot of things to lower your risk, but there will never be guaranteed security. Once you accept that, then its time to move on to try to find a balance between acceptable risk and inconvenience and cost.
"So, why doesn't VISA stop processing payments from RBS WorldPay and Heartland Payment Systems? Oh yea. It's all about the money, not security."
Yes, of course it is, but why do you make it out like that's a bad thing? Let's say you make 1% on each transaction but one in a 1000 turns out to be fraudulent and has to be refunded. Clearly, it's still worth doing the business for the other 0.9%, ie. "for the money". Doing it for the money is after all the whole point of business.
And I'm not sure why consumers always get so worked up about credit card security as they're not the ones who lose out if their card details are misused, it's the retailers.
If you do a quick google for "ASP.NET PCI DSS training", give the top-listed company a call (starts with J) and ask for Tom, I'd be glad to help....We do Java, and PHP-flavoured secure coding training too, focusing heavily on best practices, and can be tailored for on-site delivery too.
Don't forget to ask for Tom, and mention El Reg while you're at it and I'll bung you a 5% discount off public course prices.
Blatant plug over...you may get back to spluttering over your morning coffee now :-)
The system's fscked, totally broken, but it's still business as usual.
I'll bow to others' expert opinion on whether PCI is effective or serves any purpose but surely, if you have minimum standards which must be met, you make sure those standards are met and don't deal with those who cannot meet them.
Is it any surprise the financial sector is in such a mess and dragging us all into the crapper ?
I'm now waiting for Mad Jacqui to get drift of this down at the Home Office. The concept will boost police productivity and slash costs by an amazing amount; put the names of criminals on a list but otherwise do nothing about them.
@Rolf Howarth
" And I'm not sure why consumers always get so worked up about credit card security as they're not the ones who lose out if their card details are misused, it's the retailers.”
Eh!!!! Not when the Credit Card Mafia will cite card fraud (Sorry no references) as a reason for charging 18%+ interest rate when the 3-month inter-bank lending rates are between 4% and 6% for Euro, USD and GBP, or does anyone want a sub-prime credit card from Capitalone? The interest is only a minuscule 34.9% http://www.capitalone.co.uk/creditcards/cards.jsf, or how about this one, a Provident Financial Visa Card with a 365% interest rate http://www.streetdirectory.com/travel_guide/166234/credit_cards/visa_card_issued_with_365_interest_rate.html
Also Anonymous due to proximity.,
Paris, ‘cos she can also generate high interest rates with a “small deposit”
They simply are not taking this seriously. I suffered some card fraud last year on my Visa. My bank told me that the payment processing website concerned did not use the three digit security number from the back of the card. When I asked why they dealt with such dodgy sites I was told that it wasn't down to the bank, it was down to Visa.
Now I know the simple 3 digit "security" number is not much of a security feature, but it's better than it not being used. So if Visa will deal with payment processors who don't use that simple security step then I'm sorry, but I don't believe any of their protestations on security.
The only way for an online payment to even approach being secure is for it to be handled on the card company's own website. VBV is moving in the right direction, but unfortunately it's too easy to change your password. The only additional information over and above the card details that you need to change your password is the card holder's date of birth. Not too hard to get hold of is it? Hell even Paypal is more secure than VBV.
If all online payments were handled on the card companies own properly secured servers then we could sleep soundly in our beds at night. It ain't going to happen partly because there would be so many complaints from existing payment processors who would be put out of business and partly because the card companies would find it hard to blame anybody but themselves for card fraud.
OK that last doesn't account for all the idiots who would keep passwords and the like written down in their wallets right next to the card. You could sort those idiots out with an SMS based 2FA system (no token to pay for or to lose). That really isn't going to happen because then the card companies really would have no one else to blame for fraud.
I still don't understand why the Cahoot Webcard system (which hasn't been invented by Cahoot, some Irish and US or Canadian Banks use it too) hasn't been adopted by everyone.
It's one time credit card numbers with individual limits the user can set him/herself (within their general credit limit) and valid for only a single transaction generated on the fly when needed, fairly bulletproof, certainly much better than using you physical credit card details on the web.
Unless Visa and the banks don't actually want a very secure system....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
