[NSRCA-discussion] FMA Database Compromised

Jay Marshall lightfoot at sc.rr.com
Wed Nov 19 07:04:14 AKST 2008


Agree. I suspect that they, and many others, are using home-brewed or
out-dated software that doesn't meet the standards.

 

Jay Marshall 

-----Original Message-----
From: nsrca-discussion-bounces at lists.nsrca.org
[mailto:nsrca-discussion-bounces at lists.nsrca.org] On Behalf Of Gene Maurice
Sent: Wednesday, November 19, 2008 10:56 AM
To: 'General pattern discussion'
Subject: Re: [NSRCA-discussion] FMA Database Compromised

 

Credit card information is suppose to be encrypted and secured. There is an
organization PCI (Payment Card Industry) who has issued a Data Security
Standard that "mandates" certain security measures be implemented if you
deal with CC payments.  

Quote: PCI DSS requirements are applicable if a Primary Account Number (PAN)
is stored, processed, or

transmitted.

 

The standards further states, quote:

 Do not store sensitive authentication data subsequent to authorization
(even if encrypted).

 

And, quote: 

Render PAN, at minimum, unreadable anywhere it is stored (including data on
portable digital

media, backup media, in logs, and data received from or stored by wireless
networks) by using

any of the following approaches:

. Strong one-way hash functions (hashed indexes)

. Truncation

. Index tokens and pads (pads must be securely stored)

. Strong cryptography with associated key management processes and
procedures.

 

Sounds like FMA ain't following the standard......

 

Gene Maurice

Plano, TX

AMA 3408 NSRCA 877

PACSS.sgmservice.com

gene.maurice at sgmservice.com

 

 

 

From: nsrca-discussion-bounces at lists.nsrca.org
[mailto:nsrca-discussion-bounces at lists.nsrca.org] On Behalf Of Jay Marshall
Sent: Wednesday, November 19, 2008 7:42 AM
To: 'General pattern discussion'
Subject: Re: [NSRCA-discussion] FMA Database Compromised

 

This is the reason I use "one time" credit card numbers from Shop Safe where
you specify the max amount and a valid period. I have never understood why
credit card numbers must remain on a database after they have cleared. They
ought to be encoded also!

 

 

Jay Marshall 

-----Original Message-----
From: nsrca-discussion-bounces at lists.nsrca.org
[mailto:nsrca-discussion-bounces at lists.nsrca.org] On Behalf Of MKMSG
Sent: Wednesday, November 19, 2008 12:15 AM
To: NSRCA Discussion List
Subject: [NSRCA-discussion] FMA Database Compromised

 

If any of you have recently bought products on line from FMA Direct using a
credit card, check your credit card account.  FMA's database has been
compromised/hacked and whoever has the information is making charges against
the credit cards.  I read this in the electric forum on Ezonemag.com.
Sure enough, when I brought up my VISA account, there was a NAPSTER charge
there so I cancelled the card.  You might want to check yours if you've done
business on line with FMA recently.

 

Mike

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nsrca.org/pipermail/nsrca-discussion/attachments/20081119/8427b20f/attachment.html>


More information about the NSRCA-discussion mailing list