1 hour ago, TheJoe wrote
My understanding is that this is already regulated by the FDIC and they license the processors. I'm not sure what legal hoops are in place for this though.
I cannot speak to the FDIC regulation side of things, but the CC industry (via processors) generally has tiers that a merchant can choose, each with its own degree of required validation at transaction time & associated liability.
Don't mind an increased level of fraud and a higher liability? Choose the 'don't bother checking the CCV value or address, all you need is a CC # and a date well into the future' tier (see Obama campaign in 2008 & 2012).
Don't mind verifying the CCV, billing address & IP address of submitter? A lower liability risk for you!
19 minutes ago, figuerres wrote
What I do not get is that the cc processing guidelines and rules are that the merchant *should not store* card holder data in the first place. So why are large companies storing the data at all?
Do you like pulling out your wallet & typing in a credit card number every time you purchase a book from Amazon or a song off of iTunes?
No? There's your answer.
Especially in the e-retailer arena, I assume the retailers have found that those who already have a credit card on file are more likely to complete a purchase than those who do not.
For brick & mortar retailers, aside from making returns easy (i.e. you don't need your wife's credit card to return something on her behalf), after putting the CC# into a more secure DB, a hash of that # or other associated value can quickly become a foreign key for your purchase table, allowing you to data-mine... the value of which I'm sure makes up for the costs in securing the data.
So, two problems: one, what part of the data are they holding; two, why are they not properly securing what they have?
I'm still waiting to hear not just how they secured it, but the details of the attack. For all we know they did secure what they had... however, were faced with a bad guy who was better.
As the Snowden espionage & the Manning leaks demonstrated... even secured information can be compromised.
Granted... I'd wager your average big bank is even more diligent about network & systems security than your average governmental agency... which would reduce the likelihood of a rogue employee disclosing this level of information.
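A keyed version of the "hash of the card number as a foreign key" idea from the post above, as an added example (not code from any poster in the thread). The secret key and the card number are constructed placeholders; the point it shows is that a bare hash of a PAN is too guessable to stand in for the number, while an HMAC under a key kept outside the purchase database gives a deterministic token that still works as a key.

```python
"""Keyed PAN token usable as a foreign key (added example, not from the thread).

A plain hash of a 16-digit PAN is a weak stand-in: the issuer prefix and last
four digits are usually known or stored elsewhere, leaving only a few hundred
thousand Luhn-valid candidates, so an unkeyed digest can be reversed by trying
them all.  Keying the digest with a secret held outside the database removes
that shortcut while keeping the token deterministic.
"""
import hashlib
import hmac

# Constructed placeholder; in practice this lives in an HSM or secrets manager,
# never in the same database as the tokens.
TOKEN_KEY = b"constructed-placeholder-key-not-for-real-use"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip the spaces/dashes users type so the same card maps to one token."""
    return pan.replace(" ", "").replace("-", "")


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """HMAC-SHA256 of the normalized PAN: same PAN + key -> same 64-hex token."""
    pan = normalize_pan(pan)
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_hash(pan: str) -> str:
    """The weak variant the token replaces: plain SHA-256 of the PAN."""
    return hashlib.sha256(normalize_pan(pan).encode("ascii")).hexdigest()
```

Because `pan_token` is deterministic, repeat purchases by the same card collapse onto one key without the purchase table ever holding the PAN; rotating `TOKEN_KEY` requires re-tokenizing, which is the usual operational cost of this design.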