[thelist] Secure Site Expiration

Keith cache at dowebscentral.com
Tue May 7 01:29:00 CDT 2002


At 02:45 PM Monday 5/6/02, Belinda wrote:

> From their company:

Ok, it's time to get serious here.  The letter to you from BuySharpSigns
amounts to fraud, criminal and civil fraud. It doesn't matter if that fraud
was knowingly or intentionally perpetrated, he's still liable.   Visit

http://international.visa.com/fb/merchants/news/

halfway down the page study the short paragraph entitled Data Security
Capabilities (and the sample security method statement). If you want more
depth, continue by doing the site self-assessment with VISA's Global Data
Security Website.

Read for yourself the minimum requirements that VISA has for secure
transmission of private data. SSL (using the HTTPS protocol) and VISA's own
proprietary S.E.T. protocol are the only approved ways to secure data
transmission. The statement calls them "the best" but what that really
means is that VISA no longer recommends the old NCSA Secure-HTTP or EIT
Secure-HTTP protocols that predated SSL or MasterCard's earlier (and now
withdrawn) SET protocol.

Is VISA's opinion worth anything? Here's the bottom line Belinda, no one
else's opinion even counts.

VISA's first concern is to protect the cardholder. They do that by
controlling who gets, and loses, a merchant account. To put it gently, if
your client gets caught by VISA using anything other than SSL for
transmission of private data VISA can, and should, revoke your client's
merchant account. In fact, if VISA suspects that your client knowingly used
a fraudulent method like the one described, VISA has the authority (in the
fine print of your client's merchant contract) to seize all of your
client's personal and business assets, and to liquidate said assets as VISA
returns to the cardholders every single dime that has gone through that
account.

As developers we argue with each other over how much freedom we have to
define how the web gets put together and how it evolves (whether we're the
horse or the carriage). But that discussion ends at the "enter your credit
card number" form field. From there on VISA is in control. And any
developer who's had a client get crosswise of VISA's standards can tell you
how much liability you have when the "seize assets first - ask questions
later" procedure kicks into gear. It's an experience you don't want Belinda.

Bottom line, it's not up to that guy (or you or me or anyone else) to
decide how security works, in the transmission phase and the storage phase.
He doesn't have the authority to invent something in his own little mind,
the cardholders never gave him that authority or freedom. But they DO give
it to VISA, and VISA (which is an association of member banks) sets the rules.

You originally asked for ideas on how to approach their company. And I for
one apologize, we all kind of got hung up on describing how security works.
The correct answer should have been something along the lines of insisting
that he go to VISA's site and comply with their standards, simply on the
grounds that you cannot counsel your client to accept credit cards in
violation of VISA's rules.

In his comments to you he insinuates that Verisign has fraudulently
convinced the world that they and they alone can produce a secure
environment. Until Oct 2001 Verisign held the exclusive licence to the
patent for the only mathematical algorithm that can produce public/private
key encryption, which is the only way to accomplish encryption between a
browser and a server. In 2001 that patent expired and the algorithm is now
in the public domain and you can buy a "trusted third party" certificate for as
little as $49 from dozens of Certificate Authorities. Verisign tries to
convince people that their certificate is somehow superior and worth
hundreds of dollars more. The truth is, their certificate is exactly the
same as the $49 one. Verisign goes to great lengths to collect information
about the certificate applicant to prove to themselves (and no one else)
that they are selling it to the legal owner of the site. They take weeks to
check out corporation papers, etc., to do this. Blows me away that one of the
founding companies on the internet insists on doing things the way you
would have done them in 1960, but hey, they're wealthy and I'm not. Anyhow,
other Certificate Authorities have discovered that they can get the same
proofs in less than a minute and charge accordingly. If you still can, shop
around, the Diffie-Hellman algorithm could care less. And as for the
veracity of the entity collecting that credit card info, it's none of
Verisign's business, that's VISA's business.


keith

cache at dowebscentral.com
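The point above is that the rules bite at the "enter your credit card number" form: whatever page the field sits on, it must submit over HTTPS. As an added example (not from Keith's post or any product he mentions), here is a small offline check a developer could run over a client's checkout page HTML to find card-number forms that would post over plain HTTP; the field-name hints and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that suggest a card-number field (constructed heuristic).
CARD_FIELD_HINTS = ("card", "ccnum", "cc_number", "creditcard")

class FormAuditor(HTMLParser):
    # Collects each <form>'s action and the names of the inputs inside it.
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_insecure_card_forms(page_url, html):
    # Return the absolute submit URL of every form that collects a card
    # number but would send it over something other than https.
    auditor = FormAuditor()
    auditor.feed(html)
    findings = []
    for form in auditor.forms:
        if not any(h in f for f in form["fields"] for h in CARD_FIELD_HINTS):
            continue
        # An empty action posts back to the page's own URL.
        target = urljoin(page_url, form["action"] or page_url)
        if urlsplit(target).scheme != "https":
            findings.append(target)
    return findings

# Constructed sample checkout page: plain-http card form, https card form,
# and a form that takes no card data at all.
SAMPLE_HTML = """
<form action="http://shop.example/cgi-bin/order.pl" method="post">
  <input name="name"><input name="ccnum"><input name="exp"></form>
<form action="https://secure.example/pay" method="post">
  <input name="CardNumber"><input name="cvv"></form>
<form action="/search"><input name="q"></form>
"""
```

Calling `find_insecure_card_forms("http://shop.example/order.html", SAMPLE_HTML)` reports only the first form; a relative or empty action is resolved against the page URL, so a card form on a plain-http page is flagged even when the action looks harmless.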



