I did try to make a donation via DataCell in case the door had not yet closed, but got a bland message "transaction declined".
Given the Visa Corporate Structure, I can't understand why Visa Europe, a separate entity to Visa USA, has also chosen to give in to US Government pressure and close down the Wikileaks account - I hope DataCell get them reinstated.
08 Dec 2010 12:53
I just checked, and "Assange" or "Wikileaks" doesn't appear on the US Treasury Office of Foreign Assets Control (OFAC) List of Specially Designated Nationals and Blocked Persons ("SDN List") - so by what authority/request are PayPal, Amazon, Visa & MasterCard blocking him?
Does this mean that my previous Credit Card donations might now be subject to subpoena, and I might get a midnight knock on the door?
08 Dec 2010 11:04
This all emanates from the crazy idea to allow the set up of Paperless Direct Debits. Organisations must be compliant with AUDDIS (Automated Direct Debit Instruction Service) and are responsible for verifying their customers' identity - but of course they don't bother - just like the sub-prime Mortgages not bothering to vet Income.
No-one has ever verified my identity, hence why I check my D/Ds quite religiously.
I notice that BACS made electronic rather than paper format mandatory from 1st January 2008 for all new service users.
So not rocket science to predict where this is going.
24 Nov 2010 09:46
David: thank you very much for this review.
At first pass through I thought you might be being unfair re definition of "sensitive authentication data and/or cardholder data", but what they should have done for new readers is refer them to page 5 of the PCI DSS.
I then read the (12 page) document for myself, and I agree with all your other points.
I've always been disappointed by the PCI Glossary. In this instance, it isn't even in alphabetic sequence, someone started out that way, then added some as an afterthought. Not every acronym used in the text is explained. A meaningful Glossary does not just expand the 3 letter acronym, but actually explains what it is. Usually means the author doesn't know and can't be bothered to find out.
In turn, as I've often seen with lazy people where I've been employed, so PCI is no different, there are Acronyms in the Glossary which simply do not appear anywhere else in the document, so why introduce them - eg SEPA?
Sloppy sloppy sloppy.
06 Oct 2010 13:05
Only by watching the video can you appreciate where the pinhole camera is, and how to effectively mask the keyboard when entering your PIN.
27 Sep 2010 14:01
I would recommend everyone reading this to take a look at the example in the link at the end of the article - very good example of how hard they are to detect.
15 Sep 2010 10:09
I find it astonishing that staff would do such things - can it be due to a general dumbing down of skills, lack of apprenticeship or whatever, that results in employees not understanding the seriousness of their actions?
I had it with programmers who used to be blasé about miscalculations of interest charges on credit cards (it's OK, when people phone in just say sorry) - until I threatened to miscalculate their wages so they couldn't pay their mortgages (but it was OK, I'd just say sorry).
I find a resurgence in blasé attitude from the outtaskers in India.
08 Sep 2010 11:37
I agree, I can remember years ago being very confused when presented with "UB Dartford" - I'd never been to Dartford - turned out it was United Biscuits (HQ in Dartford) central bank a/c - pertaining to their subsidiary "Pizza Hut".
British Airways is another one - a central bank a/c at Harmondsworth (Heathrow) irrespective of which Airport in the world you actually bought the ticket. Other multinationals like Hertz (Tulsa Oklahoma) are the same.
03 Sep 2010 13:55
I'm not keen.
My own experience of biometric access control at my HQ in New York was that I had to register both thumb prints and yet my aggregate error rate was 20% - being blamed for not putting my thumb in the right position on the reader - which means to me the design of the reader is at fault for allowing me to place my thumb in the wrong position.
If my PIN is stolen (and I'm not a fan of CHIP n PIN either), then I can change it and ask for another one. If someone is able to present my biometrics as their own - then there's nothing I can do about it - I can't change my fingerprints, blood, saliva, retina, veins, voice etc.
Like with DNA matching (see my separate blog on that topic in Aug 2009 - https://www.finextra.com/blogs/fullblog.aspx?blogid=3190), if the technology is just sampling my results, and coming up with a hash equivalent, then it's not impossible for that to be impersonated / reproduced.
How much of that data is going to be transmitted around the world, via what routes, is it going to be secure in transit, how long is it going to be held in cached memory, and will it be secure at rest? Will it survive / detect a man-in-the-middle attack?
Whereby, falling back on the good old Signature, when I was transferring £125,000 yesterday via CHAPS, RBS called up my Signature on File, checked my Passport & Debit Card, and recorded me on CCTV. I was happy.
02 Sep 2010 12:07
Reading the original Swiss article, as I suspected the amounts were in Swiss Francs not US Dollars - I think the Wired correspondent just couldn't cope with doing a currency conversion.
23 Aug 2010 11:12
Innovation in Financial Services
Whatever...
Paul Chetwin, IT Consultant at RBS