digg

Facebook Connect Join Digg About

Visa says, "Merchants Comply or Else!"

braintreepaymentsolutions.… Visa made a pretty significant announcement today. Here is some context for what they are trying to address. Over the past few years, Point of sale (POS) systems used by retailers and restaurants have been a gold mine for criminals stealing credit card. This has been the case because certain POS systems have been designed to store prohibited ......

Who dugg this? Made popular Oct 31, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

132 Comments

show profanity settings
expand all
  • vinblackham, on 11/01/2007, -2/+48It is good to see huge companies like Visa taking security into their own hands, by forcing merchants to comply tho their regulations.
  • linkinpark342, on 11/02/2007, -23/+64Did anyone else read the headline and see "Vista" before "Visa"?
  • trparky, on 11/02/2007, -0/+24All the mirrors are down are slow as heck.

    "Visa made a pretty significant announcement today. Here is some context for what they are trying to address. Over the past few years, certain Point of sale (POS) systems used by retailers and restaurants have been a gold mine for criminals stealing credit card. This has been the case because these POS systems have been designed to store prohibited credit card information - the exact data that criminals need to successfully sell the stolen information on the black market. Merchants are usually not aware that their systems are storing such data, but they’re still held responsible if breached. Credit card information that cannot be stored includes magnetic stripe data, CVV (three digit codes), PIN’s, or encrypted PIN blocks.

    To address this security vulnerability, which Visa has cited as the leading cause of breaches among small merchants, they announced that beginning January 1, 2008, the first of five mandates will be implemented to start the process of eliminating non-secure payment applications from processing with Visa. In other words, Visa is announcing to merchants they will be unable to process Visa credit or debit cards if their POS system does not meet required security standards and is still storing prohibited data."
  • Otto, on 11/01/2007, -0/+21A better explanation of this can be found here:
    http://www.computerworld.com/action/article.do?com ...

    The short of it is that Visa has planned a phased rollout for their security requirements. Merchants that accept Visa will basically have to use certified payment processing systems.

    This is relatively normal, the whole credit card realm has been beefing up internal security lately. I've had to make several changes to major systems due to it.
  • fkr3, on 11/01/2007, -0/+17Visa has always said "Comply or Else" and they've always had security guidelines that must be followed.
  • superkendall, on 11/03/2007, -10/+26Did you mean Vista?
  • resentment, on 11/01/2007, -5/+20Visa>MasterCard
  • linkinpark342, on 11/01/2007, -6/+21Yes.
  • slashbot, on 10/31/2007, -1/+14You tell em Visa, eh
  • chris4404, on 11/01/2007, -1/+13I'm sure your trying to make a really grand statement about society, but if you'd read the ***** article you'd realise how you missed the point.
  • inactive, on 11/01/2007, -1/+11Even on Digg, your anti-American posts have to relate to the topic.
  • chrisOrbit, on 11/01/2007, -1/+10What a dumb question. Seriously.
  • signal15, on 11/01/2007, -0/+8VISA is leading the charge (see what I did there?) on security. Their PCI requirements are strict, and companies that do certain numbers of transactions need to abide by these. I do PCI auditing for companies, and sometimes, it's pretty amazing what people think passes for security. We should all be very thankful that VISA is forcing people to do these things, or some merchants would happily put our card info up on their website for easy access.
  • Yez70, on 11/01/2007, -0/+8It's all BS. Comply or else means nothing. Take a signed card to a retailer who asks for ID and refuse to show it. They'll often not sell you whatever you purchase. Visa PROHIBITS retailers from asking for ID if the card is signed already - so why do they still ask?
  • LordVance, on 11/01/2007, -9/+17Why the hell do people have to constantly put one another down for stupid ass reasons, especially when they don't seem to understand what the ***** they are talking about. Someone with a third grade reading level would be carefully sounding out the words, and would likely not make that mistake. Someone with a more natural adult reading level on the other hand reads quite differently. As you live your life your brain becomes wired to instantly recognize words based on the first letter, the last letter, and any letters in between.

    A nmalorly slikled aludt rdeear culod ianstntly raed tihs stneecne, due to the way yuor barin pesorcses wdros. Because of this, we also sometimes mix up words that are very similar in lettering, and have the same lead in and lead out letter - such as Visa and Vista. The guy didn't respond to the title as if it was Vista - he likely realized his mistake within milliseconds of first recognizing the word as he originally read it.

    Seeing as how a large portion of the articles we see here on digg contain the word "Vista" and not the word "Visa" it is extremely easy to see why he would first recognize that letter pattern as vista. Having a third grade reading level doesn't have much of anything to do with his little skip up... ass.
  • Mononuclear, on 10/31/2007, -0/+7A lot of places don't take Amex because they charge more fees to stores for transactions. I used to have an Amex but I would also try to use it and places would never take it. Basically the only thing I could do with it was pay for gas.
  • GrammerPants, on 10/31/2007, -0/+7In Canada all newly issued VISA cards have a chip inside them. instead of swiping the card a merchant inserts it into their pin reader and the customer approves of the amount he/she is being charged. The card is then locked in until the transaction is completed. By 2010 every VISA will have a pin number attached to it as well as the chip.
  • fjc8, on 10/31/2007, -1/+7Amex does have some credit cards.
  • 3Den, on 11/01/2007, -0/+6You are both correct.

    The merchant (store) only has to prove they acted diligently... they had a signature, an address, proper documentation to support the purchase being legal. If they did that, they get their money. Visa is responsible for higher level fraud investigation.
    The store WILL be asked to provide documentation for every single chargeback though, or they will have to eat the cost.

  • inactive, on 10/31/2007, -2/+8What interest? Control your spending.
  • slashbot, on 11/01/2007, -3/+9Huh? Visa is the most used card out there.

    He must be referring to Vista...
  • tendonut, on 10/31/2007, -5/+11With all the Vista headlines that show up on Digg, my brain saw "Vista" first also. I was thinking "gee, people are just now figuring this out?"
  • lpmiller, on 10/31/2007, -0/+5Visa has always taken charge like this, they have to. They are beholden to all the member banks, not the merchants. To be a merchant for Visa or really, any credit card, you HAVE to follow a certain protocol, or you cannot processes their transactions. It has always been this way.
  • Firehed, on 11/01/2007, -1/+6As someone who's been heavily screwed over by chargebacks - don't complain about a transaction unless it's legitimate. I was having something like 10% of my customers calling up their card companies and claiming that it was an erroneous charge - and there was nothing I could do about it. They got their stuff and their money back, and I had to deal with my CC processor's bitching at me.

    That's theft, people. Making false claims about a payment is illegal.
  • TekTrixter, on 11/01/2007, -1/+5I agree that making the mistake was easy, but why did he feel that we all needed to know about it?
  • derkles, on 11/01/2007, -0/+4We just went through POS upgrade hell because of the more stringent CISP compliance. So many POS vendors are in bed with certain credit card processors too (Royal Bank of Scotland, I'm looking at you!) All in all, it was worth the headaches and $$$ spent replacing legacy software.
    FYI: The open source alternatives have a long way to go before they can roll with the big dogs. I wish them the best.
  • spenceman01, on 10/31/2007, -0/+4Only if you're dumb and you charge more than you can pay each month. To those of you paying interest: Thanks for subsidizing my cashback!
  • kahrn, on 10/31/2007, -0/+4Same/Similar technology in the UK, dubbed 'Chip and Pin', in which the card has a chip embedded into it. Does the US not have this technology yet though?
  • fjc8, on 10/31/2007, -1/+5just so you know, not all American Express cards have fees, and some American Express cards are credit cards, not charge cards.
  • 3Den, on 11/01/2007, -0/+4Can you elaborate on why you could do nothing about it? Did you have no supporting documentation? receipts? goods shipped to registered CC billing address on file?

    Interested to hear the story...
  • Speed, on 11/01/2007, -1/+5Why do you get offended if someone asks for ID? Do you really think that retailer can tell the difference between signatures? It's protects your identity (well,actually to reduce liability for the stores, but it does protect you)
  • SleeperGTP, on 11/01/2007, -0/+4PCI compliance for Visa is very stringent. Causes a lot of headache but it is better in the long run knowing you are secure.
  • noahw, on 11/01/2007, -0/+4I agree. I work for an ISO/Merchant services company and we were just audited not too long ago. I'm glad they require it.
  • ImOscar, on 11/01/2007, -0/+4Why is Amex any better than the card I'm using with no fees and 1% cash back? Serious question.
  • ChaosMotor, on 11/01/2007, -0/+3Here's some more issues to address -
    1) Merchants forcing customers to make mandatory minimum purchase values - against VISA terms (common in bars, i.e. $10 minimum)
    2) Merchants & Transaction Processors holding transactions for weeks and weeks - this makes it hard for customers to keep accurate account records, especially any who rely on the digital register on their internet banking account.
  • Woecip, on 11/01/2007, -1/+4What does this mean for those people who still use the old "carbon copy - cha chunk" manual method?
  • garabito, on 11/01/2007, -0/+3ATM machines have been around...
    basic PIN number authentication...

    THIS POST WAS APPROVED BY APPROVAL OF THE REDUNDANCY DEPARTMENT OF REDUNDANCY
  • Spuy767, on 11/01/2007, -0/+3Basically they're saying, if you use unsecure POS systems, you won't be able to accept VISA, and it's good to see a company willing to lose money in lieu of a larger problem. I know that POS terminals are unsafe because me and a friend of mine once wrote some buffer overflow code that was injeted into POS terminals that he used to install. All that was necessary was a card whose mag stripe was formatted with certain data and you could take over a terminal. It was pretty crazy. We told the vendor and burned the card. I don't know if the vendor ever did anything about it.
  • tuxidomasx, on 11/01/2007, -2/+5fail #1
  • tablespork, on 11/01/2007, -1/+4Or people that are paying 30% more will choose to pay with their charge card. Correlation != causation. When I worked in retail I hated how management would try and push those "facts" on us.
  • CedEx, on 11/02/2007, -0/+3I believe they lose more money due to fraud than through loss of merchant fees. Otherwise, why bother with fraud?
  • bearsinthesea, on 11/01/2007, -0/+2Retailers are being sued for this now. Maybe you'll have to start your own lawsuit.
  • verifex, on 10/31/2007, -0/+2It always pissed me off that I needed the CVV code for purchases, and that many companies would actually STORE this info. I've worked for a payment processing company, and we had orders from on high (Visa Merchant Services) that said there was certain customer data that we would be prohibited from storing otherwise we would be in violation of the payment gateway contract. The CVV Code is one of those pieces of information that we could not store.

    It is difficult to get people to complete the checkout process, simply because many purchases are "whims" and if that feeling of wanting the item passes, so does that sale. So many online stores try to make the checkout process easier and easier, and one of those ways is by storing as much info as possible about the customer so that they don't have to enter in information more then once. Unfortunately, this lends itself to fraud. In many ways I'm not surprised that brick & mortar stores store this info as well, simply because they don't want to have to bother the customer with asking for this info more then once.

    I believe the battle between those who are actually trying to get people to enter that data in and make the final purchase and those who are liable for the money if something goes sideways (merchant banks) is only going to heat up as easier ways of paying for things emerge.
  • Firehed, on 10/31/2007, -0/+2Many of our cards have either a secondary chip or something to that effect, but most POS systems are still swipe-only.
  • Kitsune818, on 10/31/2007, -1/+3I went to a place that was using the sliding-carbon paper gizmo yesterday in New Hampshire.
  • TheLoneHoot, on 10/31/2007, -0/+2all that and buyer protection, no predetermined limit, little to no risk of getting stuck in revolving debt account issues.
  • aywwts4, on 11/01/2007, -0/+2I used to work at a business that I won't name, I was bored one day and poked around in the database, inside, in plain text, was hundreds of people's Name, Phone Number, Address, credit card number, and the Raw card data! I sent an email to the admin in charge of it, and got the reply "don't poke around the database" and I got locked out, (there were hundreds of other terminals that can access this same data)

    Hopefully this makes some changes to that.
  • tuxidomasx, on 11/01/2007, -3/+5fail #2
  • tuxidomasx, on 11/01/2007, -2/+4fail #3
  • noahw, on 10/31/2007, -0/+2Google got it: http://72.14.209.104/search?q=cache:http://www.bra ...
  • Fetching more discussions...
    Show 51 - 100 of 132 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.