On June 9, 2012 at 16:25 mysidia@gmail.com (Jimmy Hess) wrote:
> I bet there is at least one small retailer out there who takes phone orders and gathers CVV2, and at least one POS software developer out there who is unaware of, has ignored, or has...
Yes, but there are also penalties, including loss of merchant account and, I believe, fines, in the contract.
> In other words CVV2 is a "weak" physical "proof" mechanism that only works if all parties involved obey the rules perfectly without error,
Not at all. Even if someone does store CVV2s in violation of their contract, they would ALSO have to be revealed to an evildoer to cause any harm. And even then the evildoer has to leap any other security barriers. Probabilities, all about probabilities, and percentages.

You're making the best the enemy of the good. We aren't dealing with military secrets here, where one leak can undo all tactical advantage. We're dealing with fraudulent credit card charges, where some amount of loss is considered acceptable and one just tries to minimize those losses.

The goal is cost/benefit analysis: minimize losses while allowing the overall system to function as friction-free as possible, and doing that within a reasonable cost framework of around 1%-3% per transaction.

No different from router bugs, etc. If one packet in a billion (whatever) is dropped purely due to a software bug, that may be acceptable for a $10K router if the other alternative is to hand-verify every line of code, making the router cost $100K.

I think this all may be more operationally relevant than some might protest; some here seem to have funny ideas about cost-benefits and security which maybe can at least be shaken loose a bit.

--
        -Barry Shein

The World              | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*