Comment by Mordisquitos

2 years ago

Yes, I have filled out a CC form on a website uncountably many times. I can also deny that I have ever given any merchant my card information (at most, if the merchant was utterly massive, I may have given my information to their own fully-owned subsidiary PSP).

My source is that I work in a payments backend software engineering team at a large company (FTSE 100) that provides an ecommerce platform for multiple medium-to-huge retailers worldwide. And yet, even at such a massive scale, neither our software nor, let alone, our partnered retailers ever even see the customer credit card number. It's not that we pass it directly to the many PSPs that we integrate with. Rather, only the PSPs' own systems actually see it. And yet, if you were to shop online on any of our retailer partners, as a customer you would still have the illusion that you are giving the actual merchant your number.

Could a non-PCI-compliant merchant ask you for your credit card number and store it themselves? Well, technically yes. But then they would not be able to do any legitimate transaction using it, as they have no way to use card numbers to get money into their bank account without a PCI-compliant PSP performing the transaction.

Could a non-PCI-compliant merchant integrate with a PSP in such a way that they send the inputted card number to the PSP [0] rather than the PSP receiving it directly? No, the PSP would laugh in their faces at the suggestion.

Could a non-PCI-compliant merchant ask you for your credit card number and details and then use them to buy stuff in your name for themselves? Yes, but "non-PCI-compliant merchant" is a very bad euphemism for "online scammer".

    [0] One exception being MOTO (Mail Order/Telephone Order) transactions, but they are a specifically regulated case which, by its very name, is by definition not applicable to online card input.

I think you’re confusing what you’re supposed to do (according to PCI) vs. what you’re technically capable of doing. Look at Stripe’s documentation for creating a payment method [0]. The parameters it takes are card number, expiration, and CVC. Any merchant using this API could trivially save the information for future, malicious use.

0: https://stripe.com/docs/api/payment_methods/create

  • Please refer to the section just above, in the "Tokens" section. Emphasis is mine:

    > Tokenization is the process Stripe uses to collect sensitive card or bank account details, or personally identifiable information (PII), directly from your customers in a secure manner. A token representing this information is returned to your server to use. You should use our recommended payments integrations to perform this process client-side. This ensures that no sensitive card data touches your server, and allows your integration to operate in a PCI-compliant way.

    > If you cannot use client-side tokenization, you can also create tokens using the API with either your publishable or secret API key. Keep in mind that if your integration uses this method, you are responsible for any PCI compliance that may be required, and you must keep your secret API key safe. Unlike with client-side tokenization, your customer's information is not sent directly to Stripe, so we cannot determine how it is handled or stored.

    So in summary, yes, you can integrate with Stripe in such a way that you send them the card details... but then your business will need to be PCI compliant to the level of a PSP which, believe me, is damn hard. If you suspect that a merchant may go through the trouble of becoming PCI compliant only for the sake of being able to get customers' card numbers for possible future malicious use, or do it in such a shoddy way that a malicious employee will be able to steal card numbers, you might as well just stop trusting online card payments in absolutely all cases, including Apple Pay.

    • You are insistently missing the point, and overlooking a series of security flaws just by reasoning that people aren't authorized to exploit them.

      I really hope that your job at that security provider is in marketing, because this is a hell of a bad mindset to work with security.

      11 replies →

    • What point are you even making?

      Are you talking about trivial e-commerce transactions that you could make with Shopify? Yes, you could embed a payment gateway here. However, this is hardly universal or the norm.

      In an actual application, you're going to have some API layer over the processor you use. You don't store these credentials, but you do pass them over your API layer and could easily intercept them.

      1 reply →
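The thread turns on the difference between the two integration shapes quoted from the "Tokens" section (card details go from the browser straight to the PSP and only a token reaches the merchant, versus card details transiting the merchant's own API layer, where they could be logged or intercepted). The example below is an added illustration, not code from any commenter, from Stripe, or from the platform Mordisquitos describes: a merchant-backend request gate that refuses any checkout payload carrying a raw card number, so a backend built for the tokenized flow cannot quietly drift into the server-side one (for instance, through a mis-built client posting the card form to the merchant, or card data pasted into a free-text field). Field names (`payment_token`, `order_id`, …), the token value and the sample requests are constructed; the Luhn check and the 13-to-19-digit PAN length are standard card-number properties.

```javascript
// Added example (not from the thread, not Stripe's code): a merchant-backend
// request gate that enforces the client-side tokenization shape. The backend is
// only ever supposed to receive an opaque token from the PSP, so any inbound
// payload that carries a raw card number (PAN) is refused before it can be
// logged, stored or intercepted. Field names, token values and sample requests
// below are constructed for illustration.

// Luhn check: separates a plausible PAN from an arbitrary long digit run.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Matches 13 to 19 digits, optionally separated by single spaces or hyphens.
const PAN_CANDIDATE = /\d(?:[ -]?\d){12,18}/g;

// Walks a parsed JSON body and returns the JSON paths of every field that
// contains something that looks like a PAN. Only paths are returned, never the
// value itself, so the result is safe to write to an application log.
function findRawPan(value, path = '$') {
  const hits = [];
  if (typeof value === 'number' || typeof value === 'string') {
    const candidates = String(value).match(PAN_CANDIDATE) || [];
    if (candidates.some((c) => luhnValid(c.replace(/[ -]/g, '')))) hits.push(path);
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      hits.push(...findRawPan(child, `${path}.${key}`));
    }
  }
  return hits;
}

// Fields the tokenized checkout flow legitimately carries (constructed names).
const ALLOWED_FIELDS = new Set(['payment_token', 'amount', 'currency', 'order_id']);

// Gate applied to every checkout request before any other handling runs.
function gateCheckoutRequest(body) {
  const pans = findRawPan(body);
  if (pans.length > 0) {
    return { ok: false, reason: 'raw card data in request', fields: pans };
  }
  const unexpected = Object.keys(body).filter((k) => !ALLOWED_FIELDS.has(k));
  if (unexpected.length > 0) {
    return { ok: false, reason: 'unexpected fields', fields: unexpected };
  }
  if (typeof body.payment_token !== 'string' || body.payment_token.length === 0) {
    return { ok: false, reason: 'missing payment token', fields: ['$.payment_token'] };
  }
  return { ok: true, reason: 'tokenized request', fields: [] };
}

// Constructed sample requests.
// 1. What the backend should see under client-side tokenization: the token the
//    browser got back from the PSP plus order data, and no card details at all.
const TOKENIZED_REQUEST = {
  payment_token: 'tok_constructed_example',
  amount: 1999,
  currency: 'GBP',
  order_id: 'ORD-000123',
};
// 2. What a mis-built client sends if it posts the card form to the merchant
//    instead of to the PSP (4242 4242 4242 4242 is a well-known test number).
const LEAKY_REQUEST = {
  card_number: '4242 4242 4242 4242',
  exp_month: 12,
  exp_year: 2030,
  cvc: '123',
  amount: 1999,
  currency: 'GBP',
};
// 3. Card data smuggled inside a free-text field of an otherwise valid request.
const SMUGGLED_REQUEST = {
  payment_token: 'tok_constructed_example',
  amount: 1999,
  currency: 'GBP',
  order_id: 'customer note: card 4242-4242-4242-4242',
};

// Runs the gate over the three samples; only the first is accepted.
function demo() {
  return [TOKENIZED_REQUEST, LEAKY_REQUEST, SMUGGLED_REQUEST].map(gateCheckoutRequest);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of demo()) console.log(JSON.stringify(result));
}
```

Two design points: the gate runs before any logging or persistence, since the whole purpose is that a PAN never reaches a place where the merchant's code could retain it; and it reports only field paths, so the rejection record does not itself become a store of card numbers. The Luhn filter removes most long numeric identifiers (timestamps in milliseconds, some order numbers) from the false-positive set, but a Luhn-valid 13-to-19-digit ID would still be flagged, so such fields should be kept out of the request shape or given a stricter schema.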