> My merchant provider levies monthly fines based on
> how many of their security restrictions you fail to
> follow. I follow as many as are reasonably practical,
> but I think it's virtually impossible to follow them
> all, such as absurdly expensive (and probably unnecessary)
> hardware. IMHO, some of the restrictions are based less
> on reality and more on their security consulting firm's
> ability to frighten them. Their consulting firm's
> disclosed commissions on the fines creates an inherent
> conflict of interest.
> Goofily, my provider's fine structure does not
> differentiate between transactions that are merely
> processed on my server with no storage, and
> transactions originating from a card number stored
> on my server.
> So I have to constantly weigh the monthly fines vs.
> the cost of the upgrades vs. the amount of money that
> my various services bring in. There is no perfect
> solution.
> Nevertheless, I'm very open to any suggestions
> people have for transactions requiring that I
> keep the card number (in this case, recurring
> monthly charges where the customers choose not to
> use PayPal etc. and where too many customers would
> flake or get frustrated if forced to re-enter their
> card info every month for an annoyingly small
> transaction).
Seems to me we have had similar discussions in the past, and not
necessarily on Friday.

First of all, you probably want to talk to your lawyer about the
potential conflict of interest. That may need to be forwarded to a
regulatory office or Attorney General for investigation.

Second, do their rules conform to the OWASP recommendations and standard
PCI guidelines? If they are deviating from those, or adding ridiculous
requirements simply to squeeze a few extra pesos out of you, you might
also want to ask your lawyer about them.

Next, do they have a storage vault for credit card numbers that you can
access? There shouldn't be any need for you to store them. We put
numbers in our processor's vault and they give us a hash index to access
them in the future. We use that for recurring charges and as a
convenience so customers don't have to enter them every time they make a

And finally, even if they do follow the PCI regulations, you have to
remember that the primary purpose of those regulations is to deflect
liability from them to you when there is a problem. All they need to do
is document one instance where you don't follow the rules and they are
off the hook for damages. Guess where that puts you.
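A merchant-side model of the vault-and-token approach described in the reply above, added here as an illustration and not taken from the thread; `ProcessorVault` is an assumed stand-in for a processor's API (no real provider's interface), and the card number is a constructed test value:

```python
"""Merchant keeps only the opaque reference the vault hands back, never the PAN."""
import re
import secrets

# Audit helper: any 13-19 digit run in merchant storage is treated as a possible PAN.
PAN_LIKE = re.compile(r"\b\d{13,19}\b")


def contains_pan_like(record) -> bool:
    """True if a stored record contains anything that looks like a card number."""
    return PAN_LIKE.search(str(record)) is not None


class ProcessorVault:
    """Stand-in for the processor's vault (assumed interface, not a real API)."""

    def __init__(self):
        self._cards = {}  # token -> PAN; this side lives with the processor

    def store(self, pan: str) -> str:
        token = secrets.token_urlsafe(16)  # opaque reference, not derived from the PAN
        self._cards[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        # Recurring charge by token; unknown tokens are refused.
        return token in self._cards and cents > 0


class MerchantRecords:
    """What the merchant persists: customer -> (vault token, masked card)."""

    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.customers = {}

    def enroll(self, customer_id: str, pan: str) -> str:
        token = self.vault.store(pan)
        masked = "*" * (len(pan) - 4) + pan[-4:]  # last four only, for display
        self.customers[customer_id] = {"token": token, "masked": masked}
        return token

    def run_recurring_charge(self, customer_id: str, cents: int) -> bool:
        return self.vault.charge(self.customers[customer_id]["token"], cents)

    def stores_any_pan(self) -> bool:
        """Audit: merchant storage should never contain a PAN-like value."""
        return any(contains_pan_like(rec) for rec in self.customers.values())
```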

