The merchant is in violation of his terms of service with VISA and Mastercard, so yes, there is wrongdoing.

As for PCI compliance, encrypting card numbers isn't good enough. PCI compliance covers not only data encryption but also physical access to the machines (which is where the shared host db fails), auditing requirements, backup requirements, etc... a whole lot more than simple data encryption, which is why most companies do their processing through someone like Authorize.net and let Authorize.net deal with the PCI compliance.

And regarding the ethical consideration, I'm going to go the opposite route and say that, yes, you do have an obligation to report him if he won't remedy the matter. Not because he's a bad guy or anything but because actions (or inactions as the case may be) such as his undermine the confidence in electronic commerce. As a consumer, I sure as hell don't want my credit card information stored in a random shared database, unencrypted, and there for the taking by unscrupulous folks. By reporting the violation, you are protecting consumers who don't have any way of knowing that their financial data is at risk due to the guy's inactions.

Judah

On Tue, Jun 22, 2010 at 7:06 AM, Medic <[email protected]> wrote:
>
> What exactly would you be reporting him for? At this point there's no wrongdoing.
>
>
> On Tue, Jun 22, 2010 at 9:46 AM, Scott Stroz <[email protected]> wrote:
>
>> Cam - that is what I am doing. I am not pursuing the payment - it was
>> not a whole lot of time anyway.
>>
>> I just was not sure if there was any obligation (even a perceived one)
>> for me to report the situation.
>>
>> On Tue, Jun 22, 2010 at 9:37 AM, Cameron Childress <[email protected]> wrote:
>> >
>> > On Tue, Jun 22, 2010 at 8:41 AM, Scott Stroz <[email protected]> wrote:
>> >> He sends me an email late Friday afternoon asking me to not start
>> >> working as it will cost more than he wants to pay (I had already put
>> >> in a few hours which he already said he will not pay me for).
>> >>
>> >> My question is, I know the credit card information this guy's
>> >> customers are supplying to him is not secure, do I have an ethical
>> >> obligation to report him?
>> >
>> > No. ...and doing so invites bad karma. I ran into a situation like
>> > this about 10 months ago and walked, no RAN away...
>> >
>> > I would even suggest that you not pursue payment for any initial
>> > services rendered since it leaves a paper trail that can be followed
>> > back to you in the event that he does have a massive card theft or
>> > identity theft problem in the future.
>> >
>> > A lot of small companies, particularly ones that are run by
>> > non-technical people, are in a situation right now where their
>> > business model does not pay enough to be able to afford to upgrade to
>> > PCI compliance. The owners simply have no ability to become PCI
>> > compliant. They can't afford it, period. Their only real choice is
>> > to go out of business, which they also don't want to do. Most of them
>> > are going to keep limping along till they get caught, at which point
>> > they will go out of business.
>> >
>> > In the meantime they are desperately looking for someone to help them
>> > become PCI compliant within their budget. I would stay away from
>> > anyone in this situation. There is a high likelihood that the owner
>> > has no idea what is involved in PCI compliance, doesn't want to know,
>> > and has their head in the sand. They are also at increased risk of
>> > non-payment.
>> >
>> > Bad Mojo all around.
>> >
>> > -Cameron
>> >
>> > ...
>> >
>> >
>>
>
>

Archive: http://www.houseoffusion.com/groups/cf-community/message.cfm/messageid:321692
