• (nodebb)

    an up-and-coming firm that developed and managed eCommerce websites for their clients

    If the PCI-DSS folks get wind of this arrangement, it will end up being a down-and-going(-away) firm that formerly developed and managed eCommerce websites for their clients.

  • (nodebb)

    I worked at a financial services company that (2000s) decided that protecting credit card data meant encryption of the hard drive the database ran on, and nothing else. Of course, the data was easily in the clear in every application server, extractable by sql query, etc. Also, there were no firewalls in the network, where 600 employees existed in the same network as all the servers. See, protecting credit card information is easy and cheap!

  • shmuel (unregistered) in reply to Steve_The_Cynic

I'm not in that market but I'm not so sure. Technically they are not processing the card information. Sharon is.

  • (nodebb)

    I've written an eloquent and insightful comment which I have sent by mail.

  • (nodebb) in reply to shmuel

technically they are not processing the card information

    Well yes they are. FTFA

    and also CC it to yourself for backup and recovery purposes

    In the UK both Sharon and the "up and coming firm" will be in breach of GDPR. The credit card companies will probably also have something to say.

  • (nodebb) in reply to jeremypnet

    To add a little detail to jeremy.pnet's comment: the PCI association defines "processing" to include not only applying charges, but also storing or transmitting payment card data.

    Without naming any names, a DBA coworker in a previous life at a Fortune 100 company discovered that credit cards were stored in the database in the clear, including her own data. She raised a flag, and a project ensued.

    No, she was not punished for it. That was one of the few shining moments at that company.

  • t (unregistered)

    Reminds me of when I first learned tech stuff. I wanted to make a forum but the only thing I knew was HTML

But I remembered! Some forums, when you submit a post, give you a message that an administrator has to approve it before it'll show up. So the plan was simple: use a mailto form and I'll manually add each post into the HTML.

  • (nodebb) in reply to Baflingo

    the PCI association defines "processing" to include not only applying charges, but also storing or transmitting payment card data

    Not just the PCI association, but also the GDPR, in (therefore) the entire EU and EEA.

But in respect to Sharon being in breach of data protection rules: maybe. In the highly improbable case that she is correctly handling her role as a data processor, with someone taking the role of Data Protection Officer (and doing it right), she might get away with it. Of course, the chances of her actually doing all that are one of those extremely small numbers best categorised as "infinitesimal" or even just plain "zero".

    Carmen, before she went elsewhere, would be mega-screwed in the case of a data protection audit.

    Of course, the billing is in dollars, which indicates that these events don't take place in either the EU or the EEA, so I couldn't say whether any of the above (aside from the PCI-DSS side of things) would apply.

  • (nodebb) in reply to Steve_The_Cynic

    But in respect to Sharon being in breach of data protection rules: maybe. In the highly improbable case that she is correctly handling her role as a data processor, with someone taking the role of Data Protection Officer (and doing it right), she might get away with it.

Seems incredibly unlikely. It's possible that Sharon has some email implementation that handles the data in a manner compliant with all applicable regulations. However, if the web host doesn't use that same implementation and the connection between the two isn't properly secured, then Sharon has made choices that cause the data to be handled improperly (she chose to get the card data via email), so she is at fault. The odds of all of this being done in a project with a few-hundred-dollar budget are essentially zero.

  • MRAB (unregistered)

    Perhaps she should've written a description of the project, including that there would be no encryption, and asked her boss to confirm it in writing. If he asked why, she could tell him that she wanted to protect herself from the legal problems.

  • Loren Pechtel (unregistered)

    Cover yourself--drop a dime immediately.

  • John (unregistered)

I wonder if Carmen ever talked to the client. Would she have suggested a "pay via PayPal" option?

  • (nodebb)

    I actually know of several small e-commerce sites that do that. What happens is they get the email, then they run it through their credit card machine at the physical store by typing in the card number (you don't need to tap/swipe/insert your card - you can just enter it on the keypad). It's not treated the same since it's marked as card-not-present transaction.

    But I can tell you a LOT of smaller companies do this, especially if it's a site that is really a physical store first, e-commerce site second. And if they happened to come online before the likes of Shopify and such (but those sites take a huge chunk of the transaction fee).

  • (nodebb)

    "Now, Sharon doesn't want to pay more than a few hundred dollars for the site,"

    "Well, Sharon, I'm afraid you're gonna have to find someone else to make your site" would have been the correct answer.

    Seriously, what company accepts contracts to make a website with CC payments for just a few hundred bucks?

  • Sandra from InitAg (unregistered)

    I actually know of several small e-commerce sites that do that. What happens is they get the email, then they run it through their credit card machine at the physical store by typing in the card number (you don't need to tap/swipe/insert your card - you can just enter it on the keypad). It's not treated the same since it's marked as card-not-present transaction.

    But I can tell you a LOT of smaller companies do this, especially if it's a site that is really a physical store first, e-commerce site second. And if they happened to come online before the likes of Shopify and such (but those sites take a huge chunk of the transaction fee).

    I actually got one better - I came across an American B2B company that, for "cash" transactions (which in their parlance meant "walk into their site, walk out with a part") would write down your credit card details on a piece of paper, then punch them into the system later for a card-not-present transaction. This failed dramatically with my foreign credit card - their system couldn't handle a non-American billing address. I think we eventually got them their money via PayPal or somesuch (they weren't a typical vendor; it was an emergency thing).

  • giammin (unregistered)

    reflecting on how lucky Sharon and her customers were that the woman supporting her website had a conscience.

    a dev with a conscience would refuse to implement that

  • Industrial Automation Engineer (unregistered)

"How much of that few hundred dollars will you keep in reserve for legal fees when we're sued for incompetence, neglect and malice?" would have been the correct response.

  • Grvs (unregistered)

I'm not surprised by the boss, nor mad. I'm mad at the developer in question. You know you're breaking laws by doing this; it's your damn duty to be responsible and deny this kind of task. YOU are the domain expert here. The few hundred bucks isn't even close to the shitheap this behaviour causes. And if your boss threatens to fire you:

    1. You don't want to work somewhere where you're going to risk going to jail / paying a high fine, right? Remember, you knew better.
    2. might not be that easy in the US, but in EU this kind of shit can cost the employer a fine sum & you will be reimbursed if you're willing to pursue it.

Leave a comment on “Credit Card Sins”
