And once you've got the PIN verified, you don't need the Cardholder - unfortunately that means you can also dispose of them if you are so inclined.
30 Jan 2011 20:28
I confess I'm not enamoured of the mobile phone being the silver bullet.
Unless I've got my BlackBerry clipped to my belt, I don't always have it on my person, and I have gone out for the day without it.
With the card-reader from my Bank (RBS), once when I had misplaced it I had to order a new one, and it took 2 weeks to arrive. In fact I even ordered a second replacement because I thought the 1st one had been lost in transit, and they arrived on the same day - so now I've got 3!
If I lost my designated Chip Card, then I'd be dead in the water again until that was replaced. But I need 24/7 access to Online Banking Services - or at least I can't imagine surviving longer than a 3-day outage - not if I lost my Card at the end of month when I have to pay my Payroll! - I need the Card for 2 separate transactions for every new Starter or existing Employee who changes their Bank Account.
Yet the mobile phone isn't the answer at POS either; there are places in my local shopping mall, the recesses of stores just where the tills are, where my phones can't get a signal. If the POS experience entailed getting a one-time-code via the phone and putting it into the PINpad, then the stores need to reconfigure their layouts to ensure they have coverage.
Even if you've taken your phone with you, what happens if it doesn't work? Not just if you've not got coverage, nor running out of battery, but what if it's been stored outside the normal operating temperatures? iPhone recommend 0-35C, and it's been noted that they don't work at -14C (typical temperature in Norway) or +45C (typical temperature in Arizona) - you might have stored it at either if you left it in the car whilst you went to the gym? Apparently the iPhone doesn't work over 3,000m / 10,000ft either?
Finally, if you're travelling and overspend your pre-approved limit, then as I found out with Virgin, without any warning, they suspended my BlackBerry mid-way through a holiday in Turkey. If I'd been unable to get the service re-instated (kept hanging on someone else's phone for 30 minutes), then in the brave new world I wouldn't have been able to check out of my hotel, and/or check in at the Airport.
We need solutions, but I don't think any of the ones proposed thus far are foolproof.
27 Jan 2011 17:44
Reading various other reports, it does seem as if LUSH were rather laid back in watching this happen for a good few weeks/months rather than interceding immediately.
Also they appear to be in breach of PCI-DSS if the Cardnumbers weren't encrypted?
24 Jan 2011 10:56
I did try to make a donation via DataCell in case the door had not yet closed, but got a bland message "transaction declined".
Given the Visa Corporate Structure, I can't understand why Visa Europe, a separate entity to Visa USA, has also chosen to give in to US Government pressure and close down the Wikileaks account - I hope DataCell get them reinstated.
08 Dec 2010 12:53
I just checked, and "Assange" or "Wikileaks" doesn't appear on the US Treasury Office of Foreign Assets Control (OFAC) List of Specially Designated Nationals and Blocked Persons ("SDN List") - so by what authority/request are PayPal, Amazon, Visa & MasterCard blocking him?
Does this mean that my previous Credit Card donations might now be subject to subpoena, and I might get a midnight knock on the door?
08 Dec 2010 11:04
This all emanates from the crazy idea to allow the set up of Paperless Direct Debits. Organisations must be compliant with AUDDIS (Automated Direct Debit Instruction Service) and are responsible for verifying their customers' identity - but of course they don't bother - just like the sub-prime Mortgages not bothering to vet Income.
No-one has ever verified my identity, hence why I check my D/Ds quite religiously.
I notice that BACS made electronic rather than paper format mandatory from 1st January 2008 for all new service users.
So not rocket science to predict where this is going.
24 Nov 2010 09:46
David: thank you very much for this review.
At first pass through I thought you might be being unfair re definition of "sensitive authentication data and/or cardholder data", but what they should have done for new readers is refer them to page 5 of the PCI DSS.
I then read the (12 page) document for myself, and I agree with all your other points.
I've always been disappointed by the PCI Glossary. In this instance, it isn't even in alphabetic sequence, someone started out that way, then added some as an afterthought. Not every acronym used in the text is explained. A meaningful Glossary does not just expand the 3 letter acronym, but actually explains what it is. Usually means the author doesn't know and can't be bothered to find out.
In turn, as I've often seen with lazy people where I've been employed, so PCI is no different, there are Acronyms in the Glossary which simply do not appear anywhere else in the document, so why introduce them - eg SEPA?
Sloppy sloppy sloppy.
06 Oct 2010 13:05
Only by watching the video can you appreciate where the pinhole camera is, and how to effectively mask the keyboard when entering your PIN.
27 Sep 2010 14:01
I would recommend everyone reading this to take a look at the example in the link at the end of the article - very good example of how hard they are to detect.
15 Sep 2010 10:09
I find it astonishing that staff would do such things - can it be due to a general dumbing down of skills, lack of apprenticeship or whatever, that results in employees not understanding the seriousness of their actions?
I had it with programmers who used to be blasé about miscalculations of interest charges on credit cards (it's OK, when people phone in just say sorry) - until I threatened to miscalculate their wages so they couldn't pay their mortgages (but it was OK, I'd just say sorry).
I find a resurgence in blasé attitude from the outtaskers in India.
08 Sep 2010 11:37