Comment by marcosdumay

2 years ago

You are insistently missing the point, and overlooking a series of security flaws just by reasoning that people aren't authorized to exploit them.

I really hope that your job at that security provider is in marketing, because this is a hell of a bad mindset to work with in security.

This conversation is really crazy to me. I’m going to assume these people really do work in payment processing and it explains a lot. Apparently they can’t even properly recognize a potential attack vector let alone mitigate it. If this mindset is common in the payments industry, then it explains why payments are still so insecure.

I don't think you have paid enough attention to detail when reading my comments to have an informed opinion as to whether I am "missing the point" or whether I am instead talking from in-depth practical experience on the subject.

  • New user joining the fray here. I worked in cybersecurity at a bank for many years. I haven't read all of what you said, because I agree that you're missing the point that someone was making. Right now, I could throw up some kind of merchant page for some homebrew service, and have an HTML form that asks for a credit card number, a CVV and an expiration date. That would be illegal or otherwise non-compliant with PCI, absolutely, but it's technically doable. Every time that someone types a credit card number into a website, they have to trust that the merchant they are doing business with is handling that data in a secure and compliant manner. That is the point of the OP.

    Their point extends to the fact that there are other ways of exchanging payment data that would not allow a malicious recipient to reuse that data illegally.

  • You’re arguing that using a PCI compliant PSP solves the problem of credit card number harvesting, but that’s not correct unless the entire transaction takes place on the PSP (like PayPal). Once the payment details are collected in environments outside the PSP’s control, they’re not protected. For example, payment info could be skimmed by devs with access to payment pages using JS, like in the NewEgg Magecart attack.