<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
They SHOULD be able to hold on to them. It's the crooks that are the problem.<BR>
RS<BR><BR><BR>
<HR id=stopSpelling>
<BR>
From: jlkonn@hotmail.com<BR>To: nsrca-discussion@lists.nsrca.org<BR>Date: Wed, 19 Nov 2008 10:26:09 -0600<BR>Subject: Re: [NSRCA-discussion] FMA Database Compromised<BR><BR>
<STYLE>
.ExternalClass .EC_hmmessage P
{padding:0px;}
.ExternalClass body.EC_hmmessage
{font-size:10pt;font-family:Verdana;}
</STYLE>
Robert,<BR>I am often troubled by some of our suppliers.<BR>I've had them read my card and 3 digit security number back to me before I have given it to them.<BR>They've kept it from my last order! Needless to say I always express my extreme dissatisfaction.<BR>I'm sure it's like water off a duck's back. About the only thing we can do is "vote with our<BR>feet" and not do business with these types.<BR>JLK<BR><BR><BR><BR>
<HR id=EC_stopSpelling>
<BR>
<BR>Date: Wed, 19 Nov 2008 09:20:52 -0700<BR>From: rob@koolsoft.com<BR>To: nsrca-discussion@lists.nsrca.org<BR>Subject: Re: [NSRCA-discussion] FMA Database Compromised<BR><BR><BR><BR>
<STYLE>
.ExternalClass p.EC_MsoNormal, .ExternalClass li.EC_MsoNormal, .ExternalClass div.EC_MsoNormal
{margin-bottom:.0001pt;font-size:12.0pt;font-family:'Times New Roman','serif';}
.ExternalClass a:link, .ExternalClass span.EC_MsoHyperlink
{color:blue;text-decoration:underline;}
.ExternalClass a:visited, .ExternalClass span.EC_MsoHyperlinkFollowed
{color:purple;text-decoration:underline;}
.ExternalClass p
{margin-right:0in;margin-left:0in;font-size:12.0pt;font-family:'Times New Roman','serif';}
.ExternalClass p.EC_normalweb1, .ExternalClass li.EC_normalweb1, .ExternalClass div.EC_normalweb1
{margin-bottom:.0001pt;font-size:12.0pt;font-family:'Times New Roman','serif';}
.ExternalClass span.EC_emailstyle19
{font-family:'Arial','sans-serif';color:navy;}
.ExternalClass span.EC_EmailStyle20
{font-family:'Calibri','sans-serif';color:#1F497D;}
.ExternalClass span.EC_EmailStyle21
{font-family:'Calibri','sans-serif';color:#1F497D;}
.ExternalClass span.EC_EmailStyle22
{font-family:'Calibri','sans-serif';color:#1F497D;}
.ExternalClass .EC_MsoChpDefault
{font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;}
.ExternalClass div.EC_Section1
{page:Section1;}
</STYLE>
<DIV class=EC_EC_Section1>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Its pretty stupid. There is no reason to store credit card numbers at all. I write software for online stores and such and the number is processed, and never saved. Only the transaction ID and the last 4 digits of the card for the customer benefit for future reference.</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Every year I have to fill out one of those PCI survey's for each of my customers that take credit cards and answer N/A to most of the questions because they deal with storage of card numbers. Why on earth would any company want to take on that kind of risk?</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<DIV>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">- Robert Beaubien</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">- NSRCA, District 7 Webmaster</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">-</SPAN></P></DIV>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<DIV>
<DIV style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=EC_EC_MsoNormal><B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> nsrca-discussion-bounces@lists.nsrca.org [mailto:nsrca-discussion-bounces@lists.nsrca.org] <B>On Behalf Of </B>Dave Burton<BR><B>Sent:</B> Wednesday, November 19, 2008 9:16 AM<BR><B>To:</B> 'General pattern discussion'<BR><B>Subject:</B> Re: [NSRCA-discussion] FMA Database Compromised</SPAN></P></DIV></DIV>
<P class=EC_EC_MsoNormal> </P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">I’ll make you a bet that 95+% of small businesses don’t know about much less follow the standards.</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">The bad guys hit my account too but the bank fraud control unit called to alert me and resolved it with a new account number.</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Dave Burton</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<DIV>
<DIV style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=EC_EC_MsoNormal><B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> nsrca-discussion-bounces@lists.nsrca.org [mailto:nsrca-discussion-bounces@lists.nsrca.org] <B>On Behalf Of </B>Gene Maurice<BR><B>Sent:</B> Wednesday, November 19, 2008 10:56 AM<BR><B>To:</B> 'General pattern discussion'<BR><B>Subject:</B> Re: [NSRCA-discussion] FMA Database Compromised</SPAN></P></DIV></DIV>
<P class=EC_EC_MsoNormal> </P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Credit card information is suppose to be encrypted and secured. There is an organization PCI (Payment Card Industry) who has issued a Data Security Standard that “mandates” certain security measures be implemented if you deal with CC payments. </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Quote: </SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">transmitted.</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">The standards further states, quote:</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> Do not store sensitive authentication data subsequent to authorization (even if encrypted).</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">And, quote: </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">media, backup media, in logs, and data received from or stored by wireless networks) by using</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">any of the following approaches:</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: SymbolMT">• </SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Strong one-way hash functions (hashed indexes)</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: SymbolMT">• </SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Truncation</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: SymbolMT">• </SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Index tokens and pads (pads must be securely stored)</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: SymbolMT">• </SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Strong cryptography with associated key management processes and procedures.</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Sounds like FMA ain’t following the standard…………..</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Gene Maurice</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Plano, TX</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">AMA 3408 NSRCA 877</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">PACSS.sgmservice.com</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">gene.maurice@sgmservice.com</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"> </SPAN></P>
<DIV>
<DIV style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=EC_EC_MsoNormal><B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> nsrca-discussion-bounces@lists.nsrca.org [mailto:nsrca-discussion-bounces@lists.nsrca.org] <B>On Behalf Of </B>Jay Marshall<BR><B>Sent:</B> Wednesday, November 19, 2008 7:42 AM<BR><B>To:</B> 'General pattern discussion'<BR><B>Subject:</B> Re: [NSRCA-discussion] FMA Database Compromised</SPAN></P></DIV></DIV>
<P class=EC_EC_MsoNormal> </P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'">This is the reason I use “one time” credit card numbers from Shop Safe where you specify the max amount and a valid period. I have never understood why credit card numbers must remain on a database after they have cleared. They ought to be encoded also!</SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"> </SPAN></P>
<P class=EC_EC_MsoNormal><SPAN style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"> </SPAN></P>
<DIV><B><I><SPAN style="FONT-SIZE: 13.5pt; COLOR: navy; FONT-FAMILY: 'Brush Script MT'">Jay Marshall</SPAN></I></B><SPAN style="COLOR: navy"> </SPAN><BR></DIV>
<P class=EC_EC_MsoNormal style="MARGIN-LEFT: 0.5in"><SPAN style="FONT-SIZE: 100pt; FONT-FAMILY: 'Tahoma','sans-serif'">-----Original Message-----<BR><B>From:</B> nsrca-discussion-bounces@lists.nsrca.org [mailto:nsrca-discussion-bounces@lists.nsrca.org] <B>On Behalf Of </B>MKMSG<BR><B>Sent:</B> Wednesday, November 19, 2008 12:15 AM<BR><B>To:</B> NSRCA Discussion List<BR><B>Subject:</B> [NSRCA-discussion] FMA Database Compromised</SPAN></P>
<P class=EC_EC_MsoNormal style="MARGIN-LEFT: 0.5in"> </P>
<DIV>
<P class=EC_EC_MsoNormal style="MARGIN-LEFT: 0.5in"><SPAN style="FONT-SIZE: 100pt; FONT-FAMILY: 'Arial','sans-serif'">If any of you have recently bought products on line from FMA Direct using a credit card, check your credit card account. FMA's database has been compromised/hacked and whoever has the information is making charges against the credit cards. I read this in the electric forum on Ezonemag.com. Sure enough, when I brought up my VISA account, there was a NAPSTER charge there so I cancelled the card. You might want to check yours if you've done business on line with FMA recently.</SPAN></P></DIV>
<DIV>
<P class=EC_EC_MsoNormal style="MARGIN-LEFT: 0.5in"><SPAN style="FONT-SIZE: 100pt; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN></P></DIV>
<DIV>
<P class=EC_EC_MsoNormal style="MARGIN-LEFT: 0.5in"><SPAN style="FONT-SIZE: 100pt; FONT-FAMILY: 'Arial','sans-serif'">Mike</SPAN></P></DIV>
<BLOCKQUOTE style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 3pt; MARGIN-BOTTOM: 5pt; PADDING-BOTTOM: 0in; MARGIN-LEFT: 3pt; BORDER-LEFT: black 1.5pt solid; MARGIN-RIGHT: 0in; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=EC_EC_MsoNormal style="MARGIN-LEFT: 0.5in"><SPAN style="FONT-SIZE: 100pt; FONT-FAMILY: 'Verdana','sans-serif'"> </SPAN></P></BLOCKQUOTE></DIV><br /><hr />Access your email online and on the go with Windows Live Hotmail. <a href='http://windowslive.com/Explore/Hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_access_112008' target='_new'>Sign up today.</a></body>
</html>