Geekzone: technology news, blogs, forums
Inphinity (2780 posts, Uber Geek) #2691100 11-Apr-2021 21:38

Lias:
I'd love to know how many places are actually fully PCI DSS compliant (by way of independent audit, not self-reporting). To quote my former manager at a multi-billion turnover retailer: "Have you SEEN those requirements... we will NEVER be compliant"

I bet the banks and card providers would love to know who isn't, too. It is a far lower percentage than it needs to be, but I think it's at least moving in the right direction. And honestly, the requirements aren't that onerous; the problem is that so many places just have legacy implementations and systems that didn't consider security at all.


 
 
 
 

richms (27955 posts, Uber Geek, Trusted, Lifetime subscriber) #2691114 12-Apr-2021 00:49

Inphinity:
I bet the banks and card providers would love to know who isn't, too. It is a far lower percentage than it needs to be, but I think it's at least moving in the right direction. And honestly, the requirements aren't that onerous; the problem is that so many places just have legacy implementations and systems that didn't consider security at all.

Banks need to stop allowing non-PCI-compliant sites to iframe payment gateways, and fix their own insecurity first before finding these small outlying cases.





Richard rich.ms

Kyanar (4089 posts, Uber Geek, ID Verified, Trusted) #2691116 12-Apr-2021 01:22

richms:
Banks need to stop allowing non-PCI-compliant sites to iframe payment gateways, and fix their own insecurity first before finding these small outlying cases.

I'm afraid that doesn't make sense. If the website does not accept card details, then it is PCI compliant by definition. An iframe does not give control of the framed site to the framing site (barring either an egregiously bad browser or an egregiously critical bug).

Now, Stripe JS - that's bad. It puts a PAN-collecting form on a not-necessarily-PCI-compliant website, which potentially could let the website compromise it.




richms (27955 posts, Uber Geek, Trusted, Lifetime subscriber) #2691193 12-Apr-2021 09:42

Kyanar:
I'm afraid that doesn't make sense. If the website does not accept card details, then it is PCI compliant by definition. An iframe does not give control of the framed site to the framing site (barring either an egregiously bad browser or an egregiously critical bug).

Now, Stripe JS - that's bad. It puts a PAN-collecting form on a not-necessarily-PCI-compliant website, which potentially could let the website compromise it.

I have no way to know that the iframe is in fact coming from any legit payment processor without messing about with developer tools, inspecting elements etc. It basically looks like I am entering it into the random website, and the iframe could be redirected because of lax security on the site host's or maintainer's part, and there would be no clues at all. All that has to happen to farm card details would be for the site to be compromised, the URL for the iframe changed to a malicious site that on the first go returns a "sorry, failed" response, and then sends to the real processor for the second go.

Leaving the merchant's site to go to Paystation or Windcave or wherever, I get all the browser stuff telling me who is getting my details, so I know I am not being phished with "secure-site.whatever" type scammy stuff.

Oh, and they need to can that Verified by Visa stuff that uses a non-bank domain that looks sketchy AF.





Richard rich.ms
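The iframe-swap scenario richms describes is one a merchant can at least detect on its own page. The following is an added example, not code from this thread or from any payment gateway; it assumes the merchant marks its payment frame with a data-payment-frame attribute and uses a placeholder gateway hostname, and it parses the src with the URL API so that lookalike hosts, userinfo tricks and non-https schemes all show up as findings rather than slipping past a string comparison.

```javascript
// Added example (not from the thread). Assumes the merchant page marks its
// gateway <iframe> with data-payment-frame and that the hostname below is a
// placeholder for the real processor's host.
const ALLOWED_GATEWAY_HOSTS = new Set(["pay.example-gateway.test"]);

// Returns the list of problems found in one iframe src ([] means acceptable).
// Parsing with the URL API, rather than matching the string, means
// "https://pay.example-gateway.test@evil.test/" is seen for what it is:
// host evil.test with the expected name tucked into the userinfo part.
function checkGatewayFrameSrc(src, allowedHosts = ALLOWED_GATEWAY_HOSTS) {
  let url;
  try {
    url = new URL(src);              // relative or unparseable src: reject
  } catch {
    return [`unparseable src: ${src}`];
  }
  const problems = [];
  if (url.protocol !== "https:") {
    problems.push(`not https: ${url.protocol}`);
  }
  if (url.username || url.password) {
    problems.push("userinfo present in URL");
  }
  if (!allowedHosts.has(url.hostname)) {
    // Exact match only: "pay.example-gateway.test.evil.test" is not allowed.
    problems.push(`host not allowlisted: ${url.hostname}`);
  }
  return problems;
}

// Browser-side audit: collect every marked payment frame whose src fails
// the check, so the page can refuse to render the form and alert the team.
function auditGatewayFrames(doc = globalThis.document) {
  const findings = [];
  for (const frame of doc.querySelectorAll("iframe[data-payment-frame]")) {
    const src = frame.getAttribute("src") || "";
    const problems = checkGatewayFrameSrc(src);
    if (problems.length > 0) findings.push({ src, problems });
  }
  return findings;
}
```

This runtime check complements, rather than replaces, a Content-Security-Policy frame-src directive limited to the gateway host, which the browser enforces before the frame ever loads.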

afe66 (3181 posts, Uber Geek, Lifetime subscriber) #2691323 12-Apr-2021 11:34

Reminds me why I have a card with a $1k limit which is the default for all online purchases... vs the other one with a big limit.


sud0 (282 posts, Ultimate Geek, ID Verified, Lifetime subscriber) #2691438 12-Apr-2021 14:08

Kyanar:
  sud0: where are the fiscals, then?

I'm afraid your question doesn't make sense.

You said "The merchant is forbidden by PCI DSS to actually store the CVV." But how is PCI making sure the merchants are PCI compliant? Are they being inspected? Plus, I'm talking about a small neighbourhood bed shop, not Bed4You. They are not PCI compliant.

Like mentioned on this thread before, they probably took notes of the CC information and someone else found it.





Lucas

 

lpossamai.me


freitasm (BDFL - Memuneh, 78986 posts, Uber Geek, Administrator, ID Verified, Trusted, Geekzone, Lifetime subscriber) #2691442 12-Apr-2021 14:13

sud0:
You said "The merchant is forbidden by PCI DSS to actually store the CVV." But how is PCI making sure the merchants are PCI compliant? Are they being inspected? Plus, I'm talking about a small neighbourhood bed shop, not Bed4You. They are not PCI compliant.

Like mentioned on this thread before, they probably took notes of the CC information and someone else found it.

I think in this context it should be "who is enforcing it?" or "who are the watchers?".

"Fiscal" relates to government revenue and policy.









Kyanar (4089 posts, Uber Geek, ID Verified, Trusted) #2691638 12-Apr-2021 18:11

sud0:
You said "The merchant is forbidden by PCI DSS to actually store the CVV." But how is PCI making sure the merchants are PCI compliant? Are they being inspected? Plus, I'm talking about a small neighbourhood bed shop, not Bed4You. They are not PCI compliant.

Like mentioned on this thread before, they probably took notes of the CC information and someone else found it.

Ok, now that I know you're not actually talking about money (fiscal is definitely the wrong word) - PCI DSS is the "Payments Card Industry Data Security Standards", not some group that can go around doing anything.

A merchant violating PCI-DSS is answerable to their acquirer. An acquirer violating PCI-DSS is answerable to their scheme. The schemes are Visa, MasterCard, American Express and Discover.

A small neighbourhood shop would most likely be DSS Level 3 or 4 (level 3 is 20,000 to 1 million transactions, 4 is less than 20,000, calculated over a rolling one-year period). These types would have to complete what's called a Self-Assessment Questionnaire - running through the flowchart, most likely either an SAQ-C or SAQ-C-VT, though it's also possible they'd be SAQ-D. A Level 1 or 2 merchant needs to actually have their compliance assessed by a Qualified Security Assessor.

If they're writing down the CVV, they would have to have lied on their SAQ, or not have filled it out, both of which the acquirer would fine them heavily for. Here is BNZ's page which tells you how much Visa and Mastercard bill them if you're compromised, which they pass straight on to you.

Yes, that's $25,000 US dollars. Per day.


Handle9 (11140 posts, Uber Geek, Trusted, Lifetime subscriber) #2691647 12-Apr-2021 18:44

It'd be interesting to see how they tried to make those fines stick. The general principle of LDs is that they must be proportionate to the actual loss, not just an arbitrary number.


Kyanar (4089 posts, Uber Geek, ID Verified, Trusted) #2691934 13-Apr-2021 11:01

Handle9:
It'd be interesting to see how they tried to make those fines stick. The general principle of LDs is that they must be proportionate to the actual loss, not just an arbitrary number.

In many countries, PCI compliance is a legal requirement. NZ and Australia have decided preventing credit card fraud isn't important.

However, an actual breach of a PCI-noncompliant merchant could very well result in losses up to that amount. Direct fraud losses, plus consequential losses (identity fraud, etc), consumer compensation - it gets expensive. You'll notice they quote it as up to $25,000 per day. The scale of the breach would be the determining factor behind how much is charged.

Also remember that the fees are levied by Visa Inc, MasterCard Inc, American Express Inc and Discover Inc - the US entities - and the contracts with the acquirers will be governed by US law. Any challenge from the acquirers would have to be heard somewhere in the land of the free; a merchant challenge would be governed by local laws.


sud0 (282 posts, Ultimate Geek, ID Verified, Lifetime subscriber) #2692317 13-Apr-2021 20:55

Kyanar:
  sud0:
  You said "The merchant is forbidden by PCI DSS to actually store the CVV." But how is PCI making sure the merchants are PCI compliant? Are they being inspected? Plus, I'm talking about a small neighbourhood bed shop, not Bed4You. They are not PCI compliant.

  Like mentioned on this thread before, they probably took notes of the CC information and someone else found it.

Ok, now that I know you're not actually talking about money (fiscal is definitely the wrong word) - PCI DSS is the "Payments Card Industry Data Security Standards", not some group that can go around doing anything.

A merchant violating PCI-DSS is answerable to their acquirer. An acquirer violating PCI-DSS is answerable to their scheme. The schemes are Visa, MasterCard, American Express and Discover.

A small neighbourhood shop would most likely be DSS Level 3 or 4 (level 3 is 20,000 to 1 million transactions, 4 is less than 20,000, calculated over a rolling one-year period). These types would have to complete what's called a Self-Assessment Questionnaire - running through the flowchart, most likely either an SAQ-C or SAQ-C-VT, though it's also possible they'd be SAQ-D. A Level 1 or 2 merchant needs to actually have their compliance assessed by a Qualified Security Assessor.

If they're writing down the CVV, they would have to have lied on their SAQ, or not have filled it out, both of which the acquirer would fine them heavily for. Here is BNZ's page which tells you how much Visa and Mastercard bill them if you're compromised, which they pass straight on to you.

Yes, that's $25,000 US dollars. Per day.

Thanks for the explanation and sorry for the wrong word. Too bad I cannot prove that it was actually the small bed shop that leaked my credit card details... let's hope Kiwibank understands it wasn't me and releases the credit back (they asked for a police report, which I've done).

Cheers!





Lucas

 

lpossamai.me


Kyanar (4089 posts, Uber Geek, ID Verified, Trusted) #2692497 14-Apr-2021 10:32

sud0:
Thanks for the explanation and sorry for the wrong word. Too bad I cannot prove that it was actually the small bed shop that leaked my credit card details... let's hope Kiwibank understands it wasn't me and releases the credit back (they asked for a police report, which I've done).

Cheers!

No worries. In my experience (with Westpac, not Kiwibank, but most banks are fairly consistent with this) you should be safe if you've provided a police report. Investigation usually only takes a week or two if it's as straightforward as that. It might be more complex if you have to separate your legit transactions from the crim's dodgy ones.

It is unfortunate though that all those merchants the crim purchased from will be out of pocket (the bank doesn't take liability for a dodgy transaction unless it was a card-not-present transaction with 3D Secure - what you know as Verified by Visa or MasterCard SecureCode).


sud0 (282 posts, Ultimate Geek, ID Verified, Lifetime subscriber) #2692598 14-Apr-2021 12:31

Kyanar:
No worries. In my experience (with Westpac, not Kiwibank, but most banks are fairly consistent with this) you should be safe if you've provided a police report. Investigation usually only takes a week or two if it's as straightforward as that. It might be more complex if you have to separate your legit transactions from the crim's dodgy ones.

It is unfortunate though that all those merchants the crim purchased from will be out of pocket (the bank doesn't take liability for a dodgy transaction unless it was a card-not-present transaction with 3D Secure - what you know as Verified by Visa or MasterCard SecureCode).

Interesting... so who ends up paying the bill is actually the merchants where the CC was used. Yeah, that sucks for them! :(





Lucas

 

lpossamai.me


sud0 (282 posts, Ultimate Geek, ID Verified, Lifetime subscriber) #2692724 14-Apr-2021 14:55

Just got the refund, BTW. And an email from the police saying they approved the refund.





Lucas

 

lpossamai.me

