On Thu, Feb 16, 2012 at 09:06:18PM -0800, [email protected] spake thusly:
> If you think about it, any company that bills your credit card
> number repeatedly needs to store the number so it doesn't ask you
> for it each time.

I haven't seen this involve a third party. That would involve the third party doing the billing to the card processor and taking their cut. To encourage PCI compliance and cut their own losses, card processors often provide their own tokenization. Some companies (including companies for whom I consult as a security person in charge of implementing their PCI compliance) tokenize the card data: they get the card data from the customer the first time, then send it to the card processor, who in exchange gives the merchant a token/reference number. Next time the merchant wants to charge that customer, they just provide the token/reference number. The big downside is that the merchant is now tied to this payment processor unless they want to hit up their customers for card data again. Many customers, especially those on recurring subscriptions, don't even remember that they are being charged, and once they are made aware of it will cancel. Huge losses are inevitable.

> If you are a big enough business, it may make sense to do this
> internally instead of using a third party.

Yep. PCI compliance for storing card data (SAQ-D) is quite expensive. You have to have some serious economy of scale to make it worth it.

-- 
Tracy Reed
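The tokenization exchange described in the post above, as an added simulation that is not part of the original mail and not any real processor's API: the processor holds the PAN-to-token vault, the merchant stores only the opaque token and charges against it on each billing cycle, and a token from one processor is worthless at another, which is the lock-in the post points out. The class names, the token format and the audit helper are assumptions made for illustration.

```python
"""
Added example: toy simulation of processor-side card tokenization.
Not code from the mailing-list post or from any real payment processor;
ProcessorVault, Merchant and the "tok_<processor>_<hex>" token format are
assumptions for illustration only.
"""
import re
import secrets
from dataclasses import dataclass, field

# Crude "looks like a card number" pattern, used only by the audit helper below.
PAN_RE = re.compile(r"\b\d{13,19}\b")


@dataclass
class ProcessorVault:
    """Simulated payment processor: the only party that ever holds real PANs."""
    name: str
    _vault: dict = field(default_factory=dict)   # token -> PAN (processor side only)
    charges: list = field(default_factory=list)  # (token, amount_cents) records

    def tokenize(self, pan: str) -> str:
        # The token is random, not derived from the PAN, so it reveals nothing about it.
        token = f"tok_{self.name}_{secrets.token_hex(8)}"
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        # A token only means something to the processor that issued it.
        if token not in self._vault:
            return False
        self.charges.append((token, amount_cents))
        return True


@dataclass
class Merchant:
    """Merchant system: stores customer -> token and never the card number."""
    processor: ProcessorVault
    customers: dict = field(default_factory=dict)  # customer_id -> token

    def enroll(self, customer_id: str, pan: str) -> str:
        # Card data is handed to the processor exactly once and not kept here.
        token = self.processor.tokenize(pan)
        self.customers[customer_id] = token
        return token

    def bill(self, customer_id: str, amount_cents: int) -> bool:
        # Recurring charge: only the token crosses the wire, no card data re-entry.
        return self.processor.charge(self.customers[customer_id], amount_cents)

    def stored_pan_count(self) -> int:
        # Audit helper: count PAN-shaped values in the merchant's own records.
        blob = " ".join(self.customers.values())
        return len(PAN_RE.findall(blob))


def demo() -> dict:
    # Constructed sample: a well-known test card number, not a real account.
    sample_pan = "4111111111111111"
    proc_a = ProcessorVault("procA")
    proc_b = ProcessorVault("procB")
    merchant = Merchant(proc_a)

    token = merchant.enroll("cust-1", sample_pan)
    first_cycle = merchant.bill("cust-1", 999)
    second_cycle = merchant.bill("cust-1", 999)

    # Lock-in: the token is rejected by a different processor, so switching
    # processors means collecting card data from every customer again.
    usable_elsewhere = proc_b.charge(token, 999)

    return {
        "token_shaped": token.startswith("tok_procA_"),
        "charges_at_a": len(proc_a.charges),
        "recurring_ok": first_cycle and second_cycle,
        "pan_in_merchant_db": merchant.stored_pan_count(),
        "token_usable_at_b": usable_elsewhere,
    }


if __name__ == "__main__":
    print(demo())
```

The `stored_pan_count` check is the kind of thing an assessor looks for when deciding whether the merchant's systems fall under the lighter SAQ or the full SAQ-D: if no card-number-shaped data lives in merchant storage, the scope is the token, not the PAN.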
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
