bloomberg on supermicro: sky is falling
dhubbard at dino.hostasaurus.com
Wed Oct 10 14:58:08 UTC 2018
They actually profit from fraud, and my theory is that that's why issuers have mostly ceased allowing consumers to generate one-time-use card numbers via portal or app, even though they claim it's simply because "you're not responsible for fraud." When a stolen credit card is used, the consumer disputes the resulting fraudulent charges. The dispute makes it to the merchant account issuer, who then takes back the money their merchant had collected, and generally adds insult to injury by charging the merchant a chargeback fee for having to deal with the issue (Amex is notable for not doing this). The fee is often as high as $20, so the merchant loses whatever merchandise or service they sold, loses the money, and pays the merchant account bank a fee on top of that.
Regarding CVV: PCI permits it being stored 'temporarily', but with specific conditions on how, which are far more restrictive than for the card number. Suffice it to say, it should not be possible for an intrusion to obtain it, and we know how that goes....
On 10/10/18, 10:41 AM, "NANOG on behalf of Naslund, Steve" <nanog-bounces at nanog.org on behalf of SNaslund at medline.com> wrote:
Yet this data gets compromised again and again, and I know for a fact that the CVV was compromised in at least four cases I personally am aware of. As long as the processors are getting the money, do you really think they are going to kick out someone like Macy's or Home Depot? After all, it is really only an inconvenience to you and neither of them care much about that.
>It's been a while since I've had to professionally worry about this,
>but as I recall, compliance with PCI [Payment Card Industry] Data
>Security Standards prohibit EVER storing the CVV. Companies which
>do may find themselves banned from being able to process card
>payments if they're found out (which is unlikely).
> - Brian