← Back to context

Comment by Mordisquitos

2 years ago

I don't think you have paid enough attention to detail when reading my comments to have an informed opinion as to whether I am "missing the point" or whether I am instead talking from in-depth practical experience on the subject.

8 comments

Mordisquitos

Reply
unethical_ban  2 years ago

New user joining the fray here. I worked in cybersecurity at a bank for many years. I haven't read all of what you said, because I agree that you're missing the point that someone was making. Right now, I could throw up some kind of merchant page for some homebrew service, and have an HTML form that asks for a credit card number a CVV and an expiration date. That would be illegal or otherwise non-compliant with PCI, absolutely but it's technically doable. Every time that someone types in a credit card number into a website, they have to trust that the merchant they are doing business with is handling that data in a secure and compliant manner. That is the point of the OP.

Their point extends to the fact that there are other ways of exchanging payment data that would not allow a malicious recipient to reuse that data illegally.

tmpfile  2 years ago

You’re arguing that using a PCI compliant PSP solves the problem of credit card number harvesting, but that’s not correct unless the entire transaction takes place on the psp (like PayPal). Once the payment details are collected in environments outside the psp’s control, it’s not protected. For example, payment info could be skimmed by devs with access to payment pages using js like in the NewEgg Magecart attack

  • Mordisquitos  2 years ago

    No, that is not what I am arguing. Please reread the thread.

    • rcme  2 years ago

      Here is a summary of your argument in your own words:

      > So in summary, yes, you can integrate with Stripe in such a way that you send them the card details... but then your business will need to be PCI compliant to the level of a PSP which, believe me, is damn hard.

      What others in this thread are arguing is that sharing CC details with anyone is a stupid way of doing payments. It doesn't matter if you're interacting with a PSP or otherwise. You shouldn't share a secret that someone else could use to generate payments. You should share some type of payload that is only valid for the payment you're making.

      3 replies →

    • tmpfile  2 years ago

      You:

      > You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant.

      How do you know as a client the merchant doesn’t have a skimmer embedded in their payment page? Or that they don’t post directly to their servers (whether accidentally or not)? Are the PCI police going to catch them? Maybe they want to store cards to process later and don’t know or care about pci.

      The problem is using the same details for every transaction in a loosely authorized way.

      In a perfect world the merchant won’t have access to the card details (like with one-time payments) and everything would go thru a provider with a preauthorized payment. But we don’t live in that world right now.