nanog mailing list archives
Re: CVV numbers
From: Barry Shein <bzs () world std com>
Date: Sun, 10 Jun 2012 13:49:08 -0400
On June 9, 2012 at 16:25 mysidia () gmail com (Jimmy Hess) wrote:
> I bet there is at least one small retailer out there who takes phone orders and gathers CVV2, and at least one POS software developer out there who is unaware of, has ignored, or has...

Yes, but there are also penalties, including loss of merchant account and, I believe, fines, in the contract.

> In other words CVV2 is a "weak" physical "proof" mechanism that only works if all parties involved obey the rules perfectly without error,

Not at all, even if someone does store CVV2s in violation of their contract they would ALSO have to be revealed to an evildoer to cause any harm. And even then the evildoer has to leap any other security barriers.

Probabilities, all about probabilities, and percentages. You're making the best the enemy of the good.

We aren't dealing with military secrets here where one leak can undo all tactical advantage. We're dealing with fraudulent credit card charges where some amount of loss is considered acceptable and one just tries to minimize those losses.

The goal is cost/benefit analysis, minimize losses while allowing the overall system to function as friction-free as possible, and doing that within a reasonable cost framework of around 1%-3% per transaction.

No different than router bugs etc, if one packet in a billion (whatever) is dropped purely due to a software bug that may be acceptable for a $10K router if the other alternative is to hand-verify every line of code making the router cost $100K.

I think this all may be more operationally relevant than some might protest, some here seem to have funny ideas about cost-benefits and security which maybe can at least be shaken loose a bit.

--
-Barry Shein

The World | bzs () TheWorld com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*