One problem that PCI compliance has had in the past is that an enterprise was only "compliant" for a very brief period, right after the security scan. So it's easy for TJ Maxx to get nailed for "non-compliance" if and when they have a card number leak.
The PCI specification seems to have been written to protect the payment card industry, not the merchants.
> The PCI specification seems to have been written to protect the payment card industry, not the merchants.
That goes for almost anything in the credit card world. Witness the way chargebacks due to failed approval policies on the part of the credit card companies are taken out on the merchants, lending policies that are totally irresponsible get taken out on the general public and so on.
Credit card companies are amongst the biggest scum on the planet; unfortunately they are so entrenched now that you can hardly move without them.
Try renting a car or booking an airplane ticket without a credit card.
I've outsourced each and every bit of the handling and processing to third parties; we still get hit with the chargeback penalty.
That reminds me: why didn't we have any public debate about electronic money? We just let the Big New York Banks slide credit cards in, despite the badness of the format, and indeed, the whole system.
I guess we're all going to find out how a privatized monetary system works, at least on the consumer level.
Using VBV just reverses the penalty of abuse onto the user instead of the merchant, because it is 'secure', whatever that means. If and when it gets hacked there will be a bit of a problem.
I helped a friend who runs an IPSP implement it. The spec is so large and convoluted that there are bound to be holes, so the flaws in the implementations are a problem, but flaws in the spec are likely to crop up as well.
I thought a merchant implementing 3DS wouldn't receive chargebacks if a customer denies placing the order, since the issuing bank has performed "enough" authentication to satisfy themselves that the transaction is legit.
If that's the case then, holes aside, it makes sense for a merchant to integrate 3DS to reduce chargebacks (not to mention some acquirers charge lower rates for VBV payments, which can help offset PSP fees). But your earlier comment suggested that you were still being stung for chargebacks - I'd be interested to know why.
(and yes, it's a lot of spec for what's essentially 3 XML request/response pairs, but that's the payments industry for you - you'll know what I mean if you've had the joy of ploughing through APACS-70 or its predecessors...)