20 comments

[ 4.8 ms ] story [ 50.5 ms ] thread
Meanwhile, outside their data centre, they do very little to ensure customer card security and enforce heavy-handed policies that put most of the risk on merchants and downstream processors.

--- obDisclosure: I am a merchant who has been defrauded hundreds of thousands of dollars and have no love for the credit card companies.

"This is Visa's OCE, or Operations Center East, the biggest, newest, and most advanced of its U.S. data centers. It is a data-security heaven--and Visa's acknowledgment that hackers are increasingly savvy, that data is an ever-desirable black-market commodity, and that the best way to keep Visa (and its 150 million daily transactions) safe is to ensconce its network inside a heavily fortified castle that instantly responds to threats. The OCE's 130 workers have two jobs: Keep hackers out and keep the network up, no matter what. That's why rule No. 1 for visitors is: Never reveal its location. "On the eastern seaboard" is as specific as Visa will allow."

uhh, right. two articles from the 90s put it in mclean, va: http://www.recordnet.com/apps/pbcs.dll/article?AID=/19940101...

http://news.google.com/newspapers?nid=1298&dat=19931218&...

the mantraps and hand scanners sound insane to I guess all normal people, but in my experience that is a pretty standard level of security. I have a few 1U servers co-located and I have to pass through multiple mantraps with palm readers to access them.
Agreed. Was reading through their "measures" and pretty much everything is standard process/equipment for your typical medium to high end data center. Man traps, batteries, generators, water cooling, avoid corrosion (uhh duh).

The only things I think they have I haven't seen before:

1) The concrete barrier and hair pin turn. Most data centers don't fear James Bond.

2) The air lifted mailroom.

This really doesn't sound like Visa protecting my data. It sounds more like Visa having enough horsepower and backups so that they can keep their company continuously running.

Not that that's a bad thing, but I really don't believe they care about protecting our data. From personal experience, they seem to let any type of fraud occur on your credit card, and then if you protest, then they might reverse the charges. And then they issue you a new credit card number. They would prefer to fix the problem before, putting the onus on us to determine if fraud occurred, rather than actually prevent the fraud and protect our data.

Even when fraud occurs they are not interested in going after the source unless that dollar amounts are high enough. I know this from personal experience on an e-commerce site. We detected blatant fraud happening, and the banks/card companies/processors don't care because the scale is too small. (lots of ~$100 purchases on many, many credit cards all to the same two or 3 addresses)
That's cool. But after just returning from a month long road trip across USA (I'm from Slovenia), I'm simply baffled by the lack of security when I'm paying with my Visa card. In 97% of times I just swiped my card and the transaction was done. 1% of the time the cashier bothered to check my ID, 1% of the time I had to sign the check, and in 1% of the time I had to enter my PIN number. What the hell? I'm surprised any of you yanks still have any money left, considering how easy one can take all your money, if one comes into possession of your card.

Here you always have to at least sign the card (and the cashier checks the signature against the one on the card), but in most cases you have to enter your PIN number. And I live in fricking Slovenia who was, just 5 minutes ago, a part of a communist union ...

Anybody has an explanation for this lack of security in the states?

Can't explain this, other than what do you expect from a country that's still using checks? FWIW, Germany is similar to your country in this regard - entirely impossible to pay with your credit card anywhere without at least a signature.
I live in Canada, and practices are all over the place here as well. Sometimes its chip & PIN, other times its swipe & run. Some places require a signature, some don't. These are just some of the basic pitfalls in the security model I referred to in another comment on this article and its crazy how VISA forces the costs back onto customers and merchants...
For small transactions you often don't have to sign anything or enter a PIN. I think the rational is that it would be fairly hard for someone to drain all your funds with < $20 transactions. Hopefully I'd realize fairly soon that my card was stolen/missing, and would call to cancel it.

Also, Visa tracks your purchasing habits to an insane degree. More than once I've gotten a phone call asking if I actually bought some item. Finally, I likely wouldn't be liable for much if any of the goods purchased with a stolen card. So, all in all, I'm not terribly worried about that end of the security.

It's actually a violation of the VISA merchant agreement to require ID for purchase unless the signature doesn't match.
Given that most of the people involved in the checking of your signature aren't exactly trained in forensic document analysis, it'd be pretty easy to claim 'mismatch' in a very large number of cases.

In practice, they're barely even looked at. There are various signature-trolling stories around the net (signing as mickey mouse, Hitler, random pictograms, etc) demonstrating this.

When I worked (thankfully briefly) in retail, I'd give every one at least a cursory check, and maybe a bit more detail and less tolerance of differences if it was a big-ticket item. I actually got chewed out by my boss occasionally for checking, since few of the other staff did, and it might "upset the customer".

> I'm surprised any of you yanks still have any money left, considering how easy one can take all your money, if one comes into possession of your card.

In most cases, at least for Americans, if your credit card gets stolen, you aren't responsible for any of the fraudulent charges. I've had a credit card number stolen several times (about half travelling outside the US and half while in the US). I never lost a dime to any of the fraudulent charges, just several minutes of my time telling the credit card company.

CWIZO never mentioned a credit card. He only referred to a "VISA card", which in my experience is usually a debit card in Europe. (My limited perspective has taught me that VISA cards are debit and Mastercard is credit. Then I came back to the US and my situation is the opposite. Go figure.)
Speed. Some merchants pay a slightly higher processing fee to the credit card companies in return for not taking a signature or PIN.

For businesses like quick-service restaurants, the increased revenue is worth more to them than the potential losses to fraud.

Does anyone know if the Fire Code specifies that "mantraps" have to open in a fire alarm?

You should have to have an open path out in that type of a situation.