<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Brush Script MT";
        panose-1:3 6 8 2 4 4 6 7 3 4;}
@font-face
        {font-family:SymbolMT;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.normalweb1, li.normalweb1, div.normalweb1
        {mso-style-name:normalweb1;
        mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.emailstyle19
        {mso-style-name:emailstyle19;
        font-family:"Arial","sans-serif";
        color:navy;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:.2in .25in 33.1pt .25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Whoever they are processing the payments thru, Payment Processor,
Payment Clearinghouse, etc., SHOULD be informing them of the standard and
have them verify that they meet the standard. If found in violation the
CC companies could go back thru the food chain, Clearinghouse – Processor
– Merchant, to recoup any losses. In this day, any business storing a
client's CC data, or any other secure personal data, on an internal system is
asking for trouble. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Gene Maurice<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Plano, TX<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>AMA 3408 NSRCA 877<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>PACSS.sgmservice.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>gene.maurice@sgmservice.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
nsrca-discussion-bounces@lists.nsrca.org
[mailto:nsrca-discussion-bounces@lists.nsrca.org] <b>On Behalf Of </b>Dave
Burton<br>
<b>Sent:</b> Wednesday, November 19, 2008 10:16 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’ll make you a bet that 95+% of small businesses
don’t know about, much less follow, the standards.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The bad guys hit my account too but the bank fraud control unit
called to alert me and resolved it with a new account number.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Dave Burton<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> nsrca-discussion-bounces@lists.nsrca.org
[mailto:nsrca-discussion-bounces@lists.nsrca.org] <b>On Behalf Of </b>Gene
Maurice<br>
<b>Sent:</b> Wednesday, November 19, 2008 10:56 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Credit card information is supposed to be encrypted and secured.
There is an organization PCI (Payment Card Industry) who has issued a Data
Security Standard that “mandates” certain security measures be
implemented if you deal with CC payments. <o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'>Quote: </span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>PCI DSS requirements
are applicable if a Primary Account Number (PAN) is stored, processed, or<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>transmitted.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
standard further states, quote:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> Do
not store sensitive authentication data subsequent to authorization (even if
encrypted).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>And,
quote: <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Render
PAN, at minimum, unreadable anywhere it is stored (including data on portable
digital<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>media, backup media, in logs, and data
received from or stored by wireless networks) by using<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>any of the following approaches:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:SymbolMT'>• </span><span style='font-size:10.0pt;font-family:
"Arial","sans-serif"'>Strong one-way hash functions (hashed indexes)<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:SymbolMT'>• </span><span style='font-size:10.0pt;font-family:
"Arial","sans-serif"'>Truncation<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:SymbolMT'>• </span><span style='font-size:10.0pt;font-family:
"Arial","sans-serif"'>Index tokens and pads (pads must be securely stored)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:SymbolMT'>• </span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Strong cryptography
with associated key management processes and procedures.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Sounds
like FMA ain’t following the standard…………..<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Gene Maurice<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Plano, TX<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>AMA 3408 NSRCA 877<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>PACSS.sgmservice.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>gene.maurice@sgmservice.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
nsrca-discussion-bounces@lists.nsrca.org
[mailto:nsrca-discussion-bounces@lists.nsrca.org] <b>On Behalf Of </b>Jay
Marshall<br>
<b>Sent:</b> Wednesday, November 19, 2008 7:42 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'>This is the reason I use “one time” credit card numbers
from Shop Safe where you specify the max amount and a valid period. I have
never understood why credit card numbers must remain on a database after they
have cleared. They ought to be encoded also!</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'> </span><o:p></o:p></p>
<div>
<p><b><i><span style='font-size:13.5pt;font-family:"Brush Script MT";
color:navy'>Jay Marshall</span></i></b><span style='color:navy'> </span><o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>-----Original Message-----<br>
<b>From:</b> nsrca-discussion-bounces@lists.nsrca.org
[mailto:nsrca-discussion-bounces@lists.nsrca.org] <b>On Behalf Of </b>MKMSG<br>
<b>Sent:</b> Wednesday, November 19, 2008 12:15 AM<br>
<b>To:</b> NSRCA Discussion List<br>
<b>Subject:</b> [NSRCA-discussion] FMA Database Compromised</span><o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>If any of you have recently bought products
on line from FMA Direct using a credit card, check your credit card
account. FMA's database has been compromised/hacked and whoever has the
information is making charges against the credit cards. I read this in
the electric forum on Ezonemag.com. Sure enough, when I
brought up my VISA account, there was a NAPSTER charge there so I cancelled the
card. You might want to check yours if you've done business on line with
FMA recently.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Verdana","sans-serif"'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>Mike</span><o:p></o:p></p>
</div>
</div>
</body>
</html>