They actually profit from fraud, and my theory is that that's why issuers have 
mostly ceased allowing consumers to generate one-time-use card numbers via 
portal or app, even though they claim it's simply because "you're not 
responsible for fraud."  When a stolen credit card is used, the consumer 
disputes the resulting fraudulent charges.  The dispute makes it to the 
merchant account issuer, who then takes back the money their merchant had 
collected, and generally adds insult to injury by charging the merchant a 
chargeback fee for having to deal with the issue (Amex is notable for not doing 
this).  The fee is often as high as $20, so the merchant loses whatever 
merchandise or service they sold, loses the money, and pays the merchant 
account bank a fee on top of that.

Regarding CVV: PCI permits it being stored 'temporarily', but with specific 
conditions on how that are far more restrictive than for the card number.  Suffice 
it to say, it should not be possible for an intrusion to obtain it, and we know 
how that goes...

These days JavaScript being inserted on the payment page of a compromised site, 
to steal the card in real time, is becoming a more common occurrence than 
actually breaching an application or database.  Websites have so much third-party 
garbage loaded into them now (analytics, social media, PPC ads, etc.) that 
it's nearly impossible to know what should or shouldn't be present, or if a 
given block of JS is sending the submitted card in parallel to some other 
entity.  There are technologies like subresource integrity to ensure the correct 
code is served by a given page, but that doesn't stop someone from replacing 
the page, etc.



On 10/10/18, 10:41 AM, "NANOG on behalf of Naslund, Steve" 
<nanog-boun...@nanog.org on behalf of snasl...@medline.com> wrote:

    Yet this data gets compromised again and again, and I know for a fact that
    the CVV was compromised in at least four cases I personally am aware of.  As
    long as the processors are getting the money, do you really think they are
    going to kick out someone like Macy's or Home Depot?  After all, it is really
    only an inconvenience to you and neither of them care much about that.
    
    Steve
    
    
    
    >It's been a while since I've had to professionally worry about this,
    >but as I recall, compliance with PCI [Payment Card Industry] Data
    >Security Standards prohibit EVER storing the CVV.  Companies which
    >do may find themselves banned from being able to process card
    >payments if they're found out (which is unlikely).
    >   - Brian
    
    

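An added example, not part of the original message: an audit of which external scripts on a payment page are pinned with the subresource integrity mentioned above, and whether the pinned hash still matches what is served. The URLs, script bodies and page markup are constructed sample data, and the served bodies are assumed to have been fetched separately.

```python
import base64
import hashlib
from html.parser import HTMLParser

ALGS = ("sha256", "sha384", "sha512")  # SRI hash algorithms, weakest to strongest

def sri(body: bytes, alg: str = "sha384") -> str:
    """Build an SRI token such as 'sha384-<base64 digest>' for a script body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

def check(body: bytes, integrity: str) -> str:
    """Compare the served body against the strongest algorithm listed."""
    tokens = [t for t in integrity.split() if t.split("-")[0] in ALGS]
    if not tokens:
        return "no-integrity"  # nothing usable listed, so nothing is enforced
    strongest = max((t.split("-")[0] for t in tokens), key=ALGS.index)
    return "ok" if sri(body, strongest) in tokens else "mismatch"

class ScriptTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity) for every external <script>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity") or ""))

def audit(html: str, served: dict) -> dict:
    """Map each external script URL to ok / mismatch / no-integrity / unfetched."""
    parser = ScriptTags()
    parser.feed(html)
    report = {}
    for src, integrity in parser.scripts:
        if not integrity:
            report[src] = "no-integrity"
        elif src in served:
            report[src] = check(served[src], integrity)
        else:
            report[src] = "unfetched"
    return report

# Constructed sample data: what each URL serves today vs. what the page pinned.
SERVED = {"https://cdn.example/checkout.js": b"submitCard(form);",
          "https://cdn.example/analytics.js": b"track(); /* changed after pinning */"}
PIN_OK = sri(SERVED["https://cdn.example/checkout.js"])
PIN_OLD = sri(b"track();")  # hash of the body as it was when the page was written
PAGE = f"""<script src="https://cdn.example/checkout.js" integrity="{PIN_OK}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js" integrity="{PIN_OLD}" crossorigin="anonymous"></script>
<script src="https://ads.example/tag.js"></script>"""
print(audit(PAGE, SERVED))
```

The audit only covers scripts the page itself references; it says nothing about a page that has been replaced, which is the limit the message points out.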