And as for dealing with SSL certs… don’t forget that they’re more than just for encryption. Most implementations, I’ve found, don’t even do the verification that a cert is valid according to a trusted CA, or that the data matches the request.

*sigh* Working in the info security industry really makes me sad about the state of the industry. Makes me feel good about my career and job security though.

Alex

There is no absolute protection against fraud. But there are ways to mitigate and reduce the chances and impact. Sure, if a company stores the CC number (which is required to be stored encrypted, by the way, by VISA regulations… I would recommend AES 128bit, and secure your keys) they may need to do recurring billing. They don’t NEED to use the CVV2. In fact, it is a direct violation of regulations to store the CVV2, encrypted or not. However, when they first collect the credit card from the customer, they can verify with added ensurance that the card collected is more likely the actual person. Once verified the first time (after which you throw away the CVV2), you know the card HAD a valid CVV2 when collected. This greatly reduces the pool of stolen cards that you may end up enabling fraud with.

Perfect? No. But it cuts down the amount of fraud by a lot. Sure, phishing attacks are collecting CVV2s as well. Those people are more likely to be victims. But at least if you properly use the CVV2 you can do YOUR part at protecting a large portion of people who have had their CC number stolen.

Do merhcants violate regulations? Yes. If YOU violate the regulations, I hope you fix things before you’re caught. There are more efforts being put in motion that can put business violating the regs out of business. So… CVV2 use is not useless. Nor does it “not work”. It doesn’t work absolutely, but it DOES work, and for a large portion. There is no absolute solution.

I mean… does wearing a seat belt or having air bags ALWAYS protect you from being seriously injurred or killed in an accident? No. But most of us use them because more often it WILL.

For REAL information about good secure development practices, keep an eye on sites like OWASP (http://www.owasp.org/) and Threats&Countermeasures (http://www.threatsandcountermeasures.com/).

So, in my opinion, I’m not feeling safer with the comments of this blog entry. It just says that DreamHost (if these are the practices in place) is enabling a higher potential of fraud through their systems by not recognizing the proper reasoning for security implementations of CC use and processing. I mean really… I’m all for challenging the “security recommendations” of regulatory groups, but only to a point of recognizing the flaw and actually identifying an improvement layer that can be applied to minimize the risk of their own flaws… not for rejecting the ideas entirely.

Defense in depth!

Alex

or else they also have to store your CSC code… so it’ll get stolen too!

Yeah well merchants can store the CSC codes anyway so it doesn’t really protect you.

False. Merchants are not allowed to store the CSC code, not even in an encrypted form.

The Payment Card Industry (PCI) data security standard prohibits the storage of the card-validation code. See section 3.2.2 of the PCI standard. Visa’s Card Information Security Program (CISP) and Mastercard’s equivalent program use the PCI standard and forbid the storage of CSC codes.

Storing the CSC code in any manner may result in large fines from Visa, Mastercard, and others, and is probably a violation of your merchant account agreement.

See the PCI standard and Visa’s CISP for more information.