Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y
Superficial Intelligence

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.

user:
pass:
register,


       

Credit Card Certificate Authority

Detect E-commerce sites based on whether they are signed by PCI Industry
  (+1)
(+1)
  [vote for,
against]

At its core, the idea is to have e-commerce websites use a certificate authority that is tied to the PCI Industry, and for the browser to somehow indicate this (e.g., with a ($) icon, similar to the lock icon).

Existing approaches:

--DV Certificate: Validates your domain. Provides protection against man-in-the-middle attacks, but does nothing to protect against malicious endpoints..

--OV Certificate: A big fat lie. Same as DV.

--EV Certificate: DV and validates the company name of the end-point.

--PCI Banner: PCI Assessors often offer "Credit Card Safe" badges. However, scammers can trivially fake such badges. Browser indicators in the address bar are harder to fake (though not quite impossible).

Proposed Approach: PCI/DV or PCI/EV Certificate: Validates that you are PCI complaint.

Pre-emptive rebuttals:

--1. Won't this increase barrier to entry?

Mom and Pop shops have 3 choices: A) Don't bother. Maybe the lock icon will be enough. B) Use an interstitial payment gateway. C) Their payment processor can validate their site for e- commerce.

--2. Won't it be a huge mess to force companies to comply with requirements from both PCI-DSS and the CA/Browser forum?

Yes. This can be simplified by having PCI validated processors countersign the certificate, possibly as an extra property attached to standard certificates. This signing hash could be provided to standard authorities, who would bolt it onto certificates that they generated.

--3. Why should sites be forced to use PCI-DSS signing?

PCI-DSS is already enforced by contract with credit card processors. The only extra work this adds is that processors will need to validate payment sites (or those sites can be seen, deservedly, as being less trustworthy).

--4. This proposal is very US-centric.

True

aguydude, Aug 02 2017


Please log in.
If you're not logged in, you can see what this page looks like, but you will not be able to add anything.



Annotation:







       Peripherial Component Interconnect?   

       Pulse of Commerce Index?   

       Presbyterian Church in Ireland?
RayfordSteele, Aug 02 2017
  

       PCI stands for Payment Card Industry. The PCI Security Standards Council was founded by American Express, Discover, Mastercard, Visa, and the Japan Credit Bureau in order to establish/maintain the PCI DSS (DSS stands for Data Security Standard). Any merchant working with credit cards is required by contract (and possibly by law, in some US states) to be PCI DSS compliant.   

       The credit card brands will only process payments for merchants who have signed a contract to remain PCI DSS compliant.   

       In general, there is value in websites providing some sort of certification that they follow good security practices. In the specific case of the above credit cards, there is an official standard. Normally validating compliance with a 3rd party standard is not really the job of a browser, especially since doing so means making value judgments about which standard is appropriate. However, in this case the standard is enforced by the credit card brands, so explicitly detecting standards compliance does not add a new compliance burden on website operators.
aguydude, Aug 02 2017
  

       But will Good Housekeeping put their seal of approval on it?
RayfordSteele, Aug 03 2017
  


 

back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle