Comment by Mordisquitos

2 years ago

> Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.

You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant. What you are doing is providing your card information to a PSP (payment service provider) that has been contracted by the merchant and will provide the merchant with a token with which the merchant can trigger a charge request to your card but only to their own pre-approved acquirer account. The merchant can do nothing else with these tokens.

A breach of the merchant's token database would be embarrassing but harmless. A breach of the PSP's database of card numbers would be bad and inconvenient for the cardholders, sure, but it would be a business-terminating event for the PSP as its PCI DSS [0] compliance would be shattered and it would be unable to operate again.

In summary, ordinary card payments are essentially as secure as Apple Pay. The only difference is that in one case you are trusting a gigatech brand which is very saliently involved in the process but whose side-business in payments has only operated since 2014, while in the other case you are trusting businesses that you may or may not have ever heard of —Adyen? Braintree? WePay? Worldline?— but that have probably been dealing with secure payment processing as their primary or only business for much longer.

[0] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...
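As an added illustration (not code from anyone in this thread), a toy Python model of the merchant-scoped tokenization described above: the card number stays inside the PSP, the merchant receives only a token bound to its own account, and a token presented by any other merchant is rejected. Class and function names and the sample card numbers are constructed for the example; real PSPs implement this differently.

```python
import hmac
import hashlib
import secrets


class PSP:
    """Toy PCI-scope boundary: only the PSP ever holds the card number (PAN)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # PSP-internal signing key
        self._vault = {}                      # token -> (merchant_id, pan)

    def tokenize(self, merchant_id, pan):
        # Card data arrives at the PSP directly (hosted field / iframe).
        # The merchant gets back a token bound to its own acquirer account
        # plus non-sensitive display data; the PAN never leaves the PSP.
        token_id = secrets.token_hex(8)
        binding = hmac.new(self._key, f"{merchant_id}:{token_id}".encode(),
                           hashlib.sha256).hexdigest()[:16]
        token = f"tok_{token_id}_{binding}"
        self._vault[token] = (merchant_id, pan)
        return {"token": token, "last4": pan[-4:]}

    def charge(self, merchant_id, token, amount_cents):
        # The binding is re-derived from the calling merchant's id, so a token
        # presented by a different merchant fails before any vault lookup.
        try:
            _, token_id, binding = token.split("_")
        except ValueError:
            return "malformed_token"
        expected = hmac.new(self._key, f"{merchant_id}:{token_id}".encode(),
                            hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, binding):
            return "merchant_mismatch"
        if token not in self._vault or amount_cents <= 0:
            return "declined"
        # Funds could only settle to merchant_id's pre-approved acquirer account.
        return "approved"


def leaked_token_db_is_useless(psp, stolen_tokens, attacker_merchant_id):
    """Model a merchant token-DB breach: no stolen token is usable elsewhere."""
    return all(psp.charge(attacker_merchant_id, t, 100) != "approved"
               for t in stolen_tokens)
```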

I think you missed the “over the internet” part. When you do a CC transaction over the internet, you give the merchant your CC number and all the other information needed to make a transaction happen. A legitimate merchant may pass that information directly to a PSP, but you can’t deny you’ve given the merchant the information. Surely you’ve filled out a CC form on a website before?

  • Yes, I have filled out a CC form on a website uncountably many times. I can also deny that I have ever given any merchant my card information (at most, if the merchant was utterly massive, I may have given my information to their own fully-owned subsidiary PSP).

    My source is that I work in a payments backend software engineering team at a large company (FTSE 100) that provides an ecommerce platform for multiple medium-to-huge retailers worldwide. And yet, even at such a massive scale, neither our software nor let alone our partnered retailers ever even see the customer credit card number. It's not that we pass it directly to the many PSPs that we integrate with. Rather, only the PSPs' own systems actually see it. And yet, if you were to shop online on any of our retailer partners, as a customer you would still have the illusion that you are giving the actual merchant your number.

    Could a non-PCI-compliant merchant ask you for your credit card number and store it themselves? Well, technically yes. But then they would not be able to do any legitimate transaction using it, as they have no way to use card numbers to get money into their bank account without a PCI-compliant PSP performing the transaction.

    Could a non-PCI-compliant merchant integrate with a PSP in such a way that they send the inputted card number to the PSP [0] rather than the PSP receiving it directly? No, the PSP would laugh in their faces at the suggestion.

    Could a non-PCI-compliant merchant ask you for your credit card number and details and then use them to buy stuff in your name for themselves? Yes, but "non-PCI-compliant merchant" is a very bad euphemism for "online scammer".

        [0] One exception being MOTO (Mail Order/Telephone Order) transactions, but they are a specifically regulated case which, by its very name, is by definition not applicable to online card input.

  • I think you’re confusing what you’re supposed to do (according to PCI) vs. what you’re technically capable of doing. Look at Stripe’s documentation for creating a payment method [0]. The parameters it takes are card number, expiration, and CVC. Any merchant using this API could trivially save the information for future, malicious use.

      0: https://stripe.com/docs/api/payment_methods/create

  • That's actually not how most of e-commerce payment works nowadays. If you use Shopify, the merchant doesn't see your credit card. Same for SquareSpace. Same for Salesforce Commerce Cloud / Demandware, where everything is more often integrated with Stripe/PayPal directly and the merchant never even sees it. Very rare are the merchants that will actually "see" your credit card.

    The merchant doesn't pass your information to the PSP; you are actually talking to the PSP directly.

  • You don't send anything to the merchant. The information goes directly to the PSP and the PSP sends a token to the merchant.

    This usually works by the PSP embedding iframes for the CC fields on the merchant's site (so you're inputting directly to e.g. stripe.com).

    • People use Stripe’s forms because they’re convenient. It’s not a requirement in any way. Stripe provides APIs to build everything in their provided forms so you can build the functionality into your own site easily.

  • You’re usually prohibited by the PSP from gathering or storing the CC details directly. You’ll notice you often don’t give the merchant the details directly.

    Some large merchants do take the details directly, but they typically have to go through all the PCI compliance hoops and maintain that.

    There are exceptions, but most of the time the merchant does not see your credit card details.

What prevents me from cloning some product's website and changing the payment form to send me the details instead, which I then submit somewhere else to purchase something online for myself? Not sure why Stripe or PCI is even important here.

(IMO) what GP was arguing for is that we should have a fundamentally asymmetrical form of payment, viz. the information I give for one purchase should not be able to be reused for another purchase, like a one-time token. Imagine if you had to send your private key every time you wanted to purchase something in crypto, for example.

This is correct and the GP is (confidently) talking nonsense.

However the big issue is most normal users would not have the ability to see if they're using an embedded iframe or cross origin JS from Stripe, Braintree, etc.

  • He is not talking nonsense. He is talking about what he perceives as a user.

    The same way that when you get a refund, you don't see the money back immediately. What the user doesn't know is that when you pay a business, the same thing happens, and the business doesn't get the money immediately.

    And to pay by credit card feels much more insecure than using PayPal or Amazon Pay, even if it isn't.

> You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant.

No. In the best case, you’re giving your payment details to a PSP. A couple of years ago NewEgg had a JavaScript skimmer on their checkout page that harvested all their customers’ payment details for months. Obviously anyone with access and intent could do the same for any payment page.