
Argos email receipts contain your Card No. CCV, Name and Address - Roridge
http://www.pcpro.co.uk/news/security/356077/argos-credit-card-scandal-worsens
======
ig1
How can this possibly be within PCI DSS compliance rules? Do they not apply
to everyone taking Mastercard/Visa?

~~~
leftnode
No, PCI/DSS is similar to the Better Business Bureau: many people think it's an
official (i.e., government-mandated agency/law) but it's not. Many merchant
account companies require it, but it's entirely possible to find a merchant
account that does not require you to be PCI/DSS compliant.

Some people say PCI/DSS compliance is a scam, because you generally have to
pay someone to say you're PCI/DSS compliant, officially, if I remember
correctly.

~~~
tbgvi
It all depends on your transaction volume. If you don't run that many
transactions then all you have to do is fill out a form saying you're
complying.

If your transaction volume is high, for example let's say Walmart, then the
level of scrutiny goes way up. There is the option of not complying with PCI,
but Visa and MasterCard wouldn't authorize transactions for them anymore. In a
case like that there's a pretty big monetary incentive to comply.

PCI isn't perfect, that's for sure, but it's probably better than nothing.

~~~
leftnode
Definitely. I also believe you get a discount per transaction if you're
compliant.

We had to become compliant for the merchant we use, and because we don't do a
lot of transactions, it was only $80 a year. Small price to pay, I think, to
keep my ass covered somewhat.

I suppose I came off as not liking PCI/DSS. I do like it, just wanted to
clarify some things about it.

------
jaxc
"Now it's emerged that those very same confirmation emails contain a web link
- ironically intended to direct customers to Argos's security page - which
contains the customer's full name, address and credit-card details in the URL
itself."

I'm speechless... I may not understand PCI compliance fully but surely anyone
with any brains could see that is a bad idea. I mean why would you reveal
someone's credit card details in the URL. Not to mention emailing it. This
beggars belief.

Edited for typos and readability.

------
acg
Perhaps there's a role for a site that names-and-shames poorly implemented
ecommerce sites. I've recently been asked to enter my Visa into a site without
https.

There shouldn't be any excuse for this sort of thing now.

~~~
leftnode
I really enjoy ecommerce development and have spent the last 4 years
professionally doing something related to it.

It's flat out amazing the poor security standards in the industry.

"Hey just email me an Excel spreadsheet of customers' credit card numbers, I
need to charge them all," is not unheard of.

I know there are places where security is of high importance, but I've seen
some places where it's really poor.

One of the problems is ease of entrance. In an afternoon, you can get a
website set up, sell products, and take credit cards (along with other
personal information) with absolutely no knowledge of how to do anything
properly. In all honesty, that barrier for entry needs to be much much higher.

~~~
acg
What amazes me is that there are services like PayPal, Google Checkout and
others that can handle all this for the vendor. If someone wanted to set up in
an afternoon they could: just use a pre-developed cart and protect yourself
from fraud too.

Even quick time-to-market is not an excuse any more.

------
DougWebb
Some developer has clearly misunderstood the 'stateless' part of HTTP. The
protocol is stateless, but the resources are NOT stateless. You don't have to
and shouldn't send all of the information your service needs through the
protocol; all you need to send is sufficient information to fully identify the
resource you're working with. In this case, that would be the customer id
number, which is your key into a database that has the real customer
information.

Oh, and DON'T STORE UNENCRYPTED CC NUMBERS, AND NEVER STORE THE SECURITY CODE.
That should be so obvious. If I were building a system like this, and I was
required to store the CC number at all (which I'd prefer not to, but many
retailers do it) I'd encrypt it using the security code, and I'd modify my
HTTP logs to filter those codes out of the log. That way I couldn't decrypt
the CC number without asking for the code, and I'd never have the code stored
anyplace on my system.

~~~
mseebach
> filter those codes out of the log

Why would there be creditcard data in you HTTP log?

~~~
DougWebb
At some point the user has to fill out a form and provide the CCV. I happen to
log form fields in addition to GET urls, so the CCV would wind up in my log if
I didn't filter it out.

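The two points made in the thread above (put only an identifier into the URL and look the data up server-side; scrub card data out of request logs before anything is written) as an added Python example, not code from the thread, the article or Argos. The hostname, the signing secret and the customer record are constructed stand-ins; the card number is the standard Luhn-valid test number. The example deliberately does not use the three- or four-digit security code as an encryption key: that gives at most 10,000 possible keys, so anyone holding the ciphertext could try them all offline.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the customer table (hypothetical data, not Argos's).
CUSTOMERS = {
    "c_8213": {
        "name": "A. Customer",
        "address": "1 Example Street, Exampletown",
        "pan": "4111111111111111",   # Luhn-valid test number, not a real card
    },
}

# Hypothetical server-side secret; in practice loaded from configuration.
LINK_SECRET = b"hypothetical-link-signing-secret"

# Runs of 13 to 19 digits are candidate card numbers; Luhn decides.
PAN_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid card number wherever it appears in a string."""
    return PAN_RUN.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), text
    )


def build_security_link(customer_id: str) -> str:
    """The link carries only an identifier plus an HMAC so it cannot be altered.
    Name, address and card data stay in the database the id points into."""
    tag = hmac.new(LINK_SECRET, customer_id.encode(), hashlib.sha256).hexdigest()
    return "https://shop.example/security?" + urlencode({"cid": customer_id, "sig": tag})


def resolve_link(url: str) -> Optional[dict]:
    """Server side: verify the tag in constant time, then look the customer up."""
    q = parse_qs(urlsplit(url).query)
    cid = q.get("cid", [""])[0]
    sig = q.get("sig", [""])[0]
    expected = hmac.new(LINK_SECRET, cid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return CUSTOMERS.get(cid)


def url_carries_card_data(url: str) -> bool:
    """Reviewer's check: does any query value contain a Luhn-valid card number?"""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            if any(luhn_ok(m.group()) for m in PAN_RUN.finditer(v)):
                return True
    return False


# Form field names that must never reach a log, whatever their value.
NEVER_LOG = {"cvv", "cvc", "ccv", "csc", "cvv2"}


def scrub_form_fields(fields: dict) -> dict:
    """Apply before writing POST fields to an access log: drop security codes
    outright and mask any card number wherever it appears."""
    out = {}
    for name, value in fields.items():
        if name.lower() in NEVER_LOG:
            out[name] = "[REDACTED]"
        else:
            out[name] = mask_pans_in_text(str(value))
    return out


if __name__ == "__main__":
    # Constructed example of the anti-pattern the article describes.
    leaky = ("https://shop.example/security?name=A.+Customer"
             "&card=4111111111111111&cvv=123")
    print("leaky link carries card data:", url_carries_card_data(leaky))
    good = build_security_link("c_8213")
    print("good link:", good)
    print("resolves to:", resolve_link(good)["name"])
    print(scrub_form_fields({"name": "A. Customer",
                             "card_number": "4111111111111111", "cvv": "123"}))
```

The HMAC on the link is there so that changing `cid` to another customer's id yields nothing; without it an opaque identifier would still be enumerable. The log scrubber masks by value rather than only by field name, so a card number pasted into a free-text "note" field is caught too.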
------
nfnaaron
In the US, isn't this exactly the sort of data that, when a bank or other
entity exposes it in a "breach" (lost employee laptop), is required to be
reported to the government? My understanding of this law is common knowledge,
not lawyerly and knowledgeable.

Maybe if you dribble it out, on purpose, it's not considered a breach.

------
mootothemax
Wrr, websites that do this irritate the living hell out of me. It's only after
you've ordered or signed up that you discover that they've decided to pollute
your inbox and history like this, leaving you with the job of cleaning up
properly.

------
wendroid
> Argos said that it "takes the security of its customers’ data extremely
> seriously"

The straightness of face or otherwise was not reported.

