The real cost is if you do things wrong and lose a credit card
number. IIRC it's $50k/incident if you are not in compliance with the
ever changing PCI DSS standard. FWIW, I don't care if you're using
128 bit AES. I care that you are using it correctly, which is not a
trivial thing to do when you consider key storage, rotation, etc.
Very rarely do I find companies using encryption in a safe and secure
manner. Usually it's magic pixie dust that is sprinkled liberally
into a system because it magically secures it -- at least in theory.
I'm not suggesting you're not doing it correctly, Derrick, just that
many people screw it up badly.
Security is about risk management. If I had a small business, the
risk of losing some credit card data and facing huge fines from the
card companies would be a good enough reason to offload this risk to
someone else. But, at some point you come to a business decision of
when you are big enough to accept the risk and save the extra fees,
etc. that come with some solutions.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant.
-- Robert F. Kennedy, 1964
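Added example, not from either poster and not CFXNova's code: a small Go program showing what Dean's "key storage, rotation" point looks like in practice for stored card data. Every record carries the version of the key it was sealed under, so old records can be found and re-encrypted when a key is rotated, and the old key can then be retired instead of living forever in a config file. Assumptions of my own, not stated in the thread: AES-128 in GCM mode (the thread only says 128-bit AES/Rijndael), keys generated in memory for the demo rather than held in an HSM or key-management service, and a record layout I chose (4-byte key version, 12-byte nonce, ciphertext plus tag).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Keyring holds versioned 128-bit AES keys. Keys are generated in memory purely
// for this example (an assumption); a real deployment would hold them in an HSM or KMS.
type Keyring struct {
	keys    map[uint32][]byte
	current uint32 // version used for new writes; 0 means no key installed
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint32][]byte{}} }

// AddKey installs a fresh random key version and makes it current.
func (k *Keyring) AddKey() (uint32, error) {
	key := make([]byte, 16) // 128-bit key, as in the thread's "128 bit AES"
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

func (k *Keyring) gcmFor(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("no key for version %d", version)
	}
	block, _ := aes.NewCipher(key) // key length is fixed at 16 bytes by AddKey
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-128-GCM under the current key. Record layout:
// 4-byte key version | 12-byte random nonce | ciphertext+tag; the version
// header is bound into the tag as additional data so it cannot be swapped.
func (k *Keyring) Seal(plaintext []byte) ([]byte, error) {
	gcm, err := k.gcmFor(k.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, k.current)
	out := append(header, nonce...)
	return gcm.Seal(out, nonce, plaintext, header), nil
}

// Version reports the key version a record was sealed under (0 if malformed);
// an audit uses it to find records still under a key that should be retired.
func Version(record []byte) uint32 {
	if len(record) < 4 {
		return 0
	}
	return binary.BigEndian.Uint32(record[:4])
}

// Open decrypts a record; tampering with header, nonce or ciphertext fails.
func (k *Keyring) Open(record []byte) ([]byte, error) {
	gcm, err := k.gcmFor(Version(record))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(record) < 4+ns+gcm.Overhead() {
		return nil, fmt.Errorf("record too short")
	}
	return gcm.Open(nil, record[4:4+ns], record[4+ns:], record[:4])
}

// Rotate installs a new key and re-encrypts every stored record under it, so
// the previous version can be retired once every record has been rewritten.
func (k *Keyring) Rotate(records [][]byte) ([][]byte, error) {
	if _, err := k.AddKey(); err != nil {
		return nil, err
	}
	out := make([][]byte, len(records))
	for i, r := range records {
		pt, err := k.Open(r)
		if err != nil {
			return nil, err
		}
		if out[i], err = k.Seal(pt); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// Retire deletes a key version; anything still sealed under it is unreadable.
func (k *Keyring) Retire(version uint32) { delete(k.keys, version) }
```

Typical use: `AddKey` once, `Seal` each card number as it is stored, and on a rotation call `Rotate` over every stored record before `Retire`-ing the old version; a record whose `Version` is lower than the current key is one the rotation job missed. The constructed sample value in the accompanying check is the well-known Visa test number, not a real card.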
On Dec 14, 2006, at 8:29 AM, Derrick Peavy wrote:
{sigh}
Dean, thanks for bringing that up, but it's not an issue in this
question. And, not to diminish your expertise in any way, but it's
a little like asking have you figured in the cost of doing SSL
over TCP/IP into your business. Again, elementary analogy I know,
forgive please. I will explain further below.
Mike:
I've used this solution since 2000. As I stated in the email which
you reference from 2004, this is a solution which removes the
middle man (the gateway) and all associated fees. If by monthly
fees you mean a Visa/Mastercard required minimum, yes, no one
escapes that - no one! What this means is that if you don't do X
amount in combined V/MC transactions each month (whose resulting
fees equal $20), they will charge you $20 in place of the
percentage and transaction fees. If you do X amount, then your $20
min. is waived and you pay the transaction and percentage fees
instead.
Now, as for any other fees, monthly or other, no. The only fee you
pay in this set up is the per transaction fee assessed by V/MC/Amex
and Discover. Currently, my fees are:
V/MC 2.02% per trans, and .28 cents
Amex 3.25% per trans, and (I think) .10 cents
Discover 1.68% per trans, and .10 cents
This is from memory. But here is the number from my accounting ==
Of all sales income received by Credit Card, divided into total
(all, everything) processing fees, my overall cost for this year is
2.5%. For the cost of CFXNova, I think it's a dam* good deal. Show
me a lower number and I'll...
Now, let's talk about PCI DSS because Dean brings up a valid point,
if not (in my stupid, retarded and humble opinion) misguided. Here
are the PCI DSS, non enforced, difficult to prove, let's all feel
good about (insert standard here), compliance points:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data -
been there done that.
2. Do not use vendor-supplied defaults for system passwords and
other security parameters - yeah, that was a no brainer
Protect Cardholder Data
3. Protect stored data - done
4. Encrypt transmission of cardholder data and sensitive
information across public networks - done (128 bit Rijndael
encryption)
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software - some argument
here, as it can cause more problems than it solves.
6. Develop and maintain secure systems and applications - done:
SSL, closed ports, per file/script/page security, required logins,
multiple app checks
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know - Yes, because
Dave in the mail room needs card data?
8. Assign a unique ID to each person with computer access - right.
Or, no let's be stupid and use admin/admin
9. Restrict physical access to cardholder data - not hard to do
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and
cardholder data - yep
11. Regularly test security systems and processes - yep.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security - yep.
Let me add a few more
13. Only store data for as long as is necessary for your business,
balanced with the need for some level of customer support (i.e.:
don't bug the customer for their card when you need to refund
something 3 days later).
14. Use actual human readable log files generated by CFXNova and
store and review on a regular basis to look for fraud.
15. Review each and every transaction, looking for CVV2 and AVS
compliance, if it's suspicious, void, refund or delete it. In