CVV numbers

Barry Shein bzs at world.std.com
Sun Jun 10 17:49:08 UTC 2012


On June 9, 2012 at 16:25 mysidia at gmail.com (Jimmy Hess) wrote:
 > I bet there is at least one small retailer out there who takes phone
 > orders and gathers CVV2, and at least one  POS software developer out
 > there who is unaware of, has ignored, or has...

Yes, but there are also penalties, including loss of merchant account
and, I believe, fines, in the contract.

 > 
 > In other words CVV2 is a "weak" physical "proof" mechanism that only
 > works if all parties involved obey the rules perfectly without error,

Not at all. Even if someone does store CVV2s in violation of their
contract, they would ALSO have to be revealed to an evildoer to cause
any harm. And even then the evildoer has to leap any other security
barriers.

Probabilities, all about probabilities, and percentages.

You're making the best the enemy of the good.

We aren't dealing with military secrets here where one leak can undo
all tactical advantage.

We're dealing with fraudulent credit card charges where some amount of
loss is considered acceptable and one just tries to minimize those
losses.

The goal is cost/benefit analysis, minimize losses while allowing the
overall system to function as friction-free as possible, and doing
that within a reasonable cost framework of around 1%-3% per
transaction.

No different than router bugs etc. If one packet in a billion
(whatever) is dropped purely due to a software bug, that may be
acceptable for a $10K router if the other alternative is to
hand-verify every line of code, making the router cost $100K.

I think this all may be more operationally relevant than some might
protest; some here seem to have funny ideas about cost-benefits and
security which maybe can at least be shaken loose a bit.


-- 
        -Barry Shein

The World              | bzs at TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
