@clively said:
So, here's a question for the people here: Do systems you work with/on store credit card details? If so, why? I have yet to see anyone with a valid reason for it.
I don't even get the card number. I simply package up the transaction details, forward the user to my gateway with an encrypted message containing the necessary details, then I get back the first 4 numbers and the last 2 of the card number (enough to assist with looking up the transaction with the customer's assistance and indicate to them what card they used to pay me) and a pass or fail response. If it's a recurring payment, I also get back a token that I can submit to charge the card for future transactions in place of the card number, and the gateway provider stores the card number instead. As a clearinghouse, I expect they have top notch security.
@Snooder said:
You know, that's actually a pretty interesting solution to the problem and I wonder why nobody thought of it before. Just have the credit card company require a password to validate the transaction. The password wouldn't be saved by the vendor, so you don't have to worry about security breaches on that side, and if we have a security breach at the credit card company, stealing your password is the least of your trouble.

It would mess with real world transactions a bit (I'm thinking restaurants here), but these days, I don't see why the credit card company couldn't issue a portable password reader for a reasonable cost. You'd still have an issue with man-in-the-middle attacks on the password reader, or just outright fraud and theft, but the consumer would be much less vulnerable.
You realise you just described 3-D Secure (Mastercard SecureCode and Verified by Visa), right? That's exactly how it works, though the password is stored and presented by the card issuer (bank), not the card network (Visa/Mastercard).