Re: PCI vulnerabilities

What about using alertsite.com for this and just start dumping the Mcaffe services in droves due to their apparent overreaching blanket decision on this cookie thing ?

In General I find it curious the motivation for all this PCI crap since it is my understanding still if there is card fraud,

1. the merchant loses their merchandise
2. the merchant loses the money for the merchandise
3. the merchant loses more with the charge back fee
4. the merchant loses the discount rate both ways
5. the criminal is happy with new surf board
6. the banking industry is happy with all their additional profits for the fees and charge back fee

What am I not understanding about this since it seems that card fraud is actually profitable to the credit card industry entities.

Re: PCI vulnerabilities

And that is precisely why we will not see the situation change anytime soon - unless something really major happens, like an international class action lawsuit or governmental inquiry into the situation. Banks and credit card companies couldn't care less about credit card fraud - they make money on both ends + chargeback fees, so they have zero incentive to remedy this problem. The PCI compliance is just adding insult to injury, if you ask me. It's not like if you do pass the PCI test they will at least side with you (the merchant) to recover lost revenue and product, or even waive the chargeback fees. It's a single-sided, self-serving system that makes them money and in return offers absolutely nothing to the merchant - no protection, no help with chargebacks, and not crediting the merchant for fraudulent transactions.

Re: PCI vulnerabilities

The purpose of pci compliance is so that VISA/MC and merchant account providers can take even more money from the victims of fraud since none of the requirements actually do much in the way of stopping it. If a given vendor is not pci compliant and someone steals a credit card number from that vendor and uses it to rip an innocent merchant off, then supposedly they can hit that original vendor with a big fine.

What's the purpose of the fine? No idea since it doesn't go to help the merchant who was ripped off as the result of the poor security practices of the vendor which is what you'd think it would go to.

My personal favorite pci compliance point is failing email servers for allowing connections using weak SSL encryption but not failing them for allowing no encryption. So basically it's ok to send your password in clear text but it's not ok to encrypt it using something that still may take quite a while to crack.