<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Brush Script MT";
        panose-1:3 6 8 2 4 4 6 7 3 4;}
@font-face
        {font-family:SymbolMT;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.normalweb1, li.normalweb1, div.normalweb1
        {mso-style-name:normalweb1;
        mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.emailstyle19
        {mso-style-name:emailstyle19;
        font-family:"Arial","sans-serif";
        color:navy;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:.2in .25in 33.1pt .25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It's pretty stupid. There is no reason to store credit card
numbers at all. I write software for online stores and such, and the number is
processed and never saved. Only the transaction ID and the last 4 digits of
the card are kept, for the customer's benefit for future reference.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Every year I have to fill out one of those PCI surveys for each
of my customers that take credit cards and answer N/A to most of the questions
because they deal with storage of card numbers. Why on earth would any company
want to take on that kind of risk?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>- Robert Beaubien<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>- NSRCA, District 7 Webmaster<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-<o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
nsrca-discussion-bounces@lists.nsrca.org
[mailto:nsrca-discussion-bounces@lists.nsrca.org] <b>On Behalf Of </b>Dave
Burton<br>
<b>Sent:</b> Wednesday, November 19, 2008 9:16 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’ll make you a bet that 95+% of small businesses don’t know
about much less follow the standards.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The bad guys hit my account too but the bank fraud control unit
called to alert me and resolved it with a new account number.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Dave Burton<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
nsrca-discussion-bounces@lists.nsrca.org
[mailto:nsrca-discussion-bounces@lists.nsrca.org] <b>On Behalf Of </b>Gene
Maurice<br>
<b>Sent:</b> Wednesday, November 19, 2008 10:56 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Credit card information is supposed to be encrypted and secured.
There is an organization, PCI (Payment Card Industry), which has issued a Data
Security Standard that “mandates” certain security measures be implemented if
you deal with CC payments. <o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'>Quote: </span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>PCI DSS requirements
are applicable if a Primary Account Number (PAN) is stored, processed, or
transmitted.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
standard further states, quote:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> Do
not store sensitive authentication data subsequent to authorization (even if
encrypted).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>And,
quote: <o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>Render PAN, at minimum, unreadable anywhere it
is stored (including data on portable digital media, backup media, in logs, and
data received from or stored by wireless networks) by using any of the
following approaches:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:SymbolMT'>• </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Strong
one-way hash functions (hashed indexes)<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:SymbolMT'>• </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Truncation<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;
font-family:SymbolMT'>• </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Index
tokens and pads (pads must be securely stored)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:SymbolMT'>• </span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Strong cryptography
with associated key management processes and procedures.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Sounds
like FMA ain’t following the standard…<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Gene Maurice<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Plano, TX<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>AMA 3408 NSRCA 877<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>PACSS.sgmservice.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>gene.maurice@sgmservice.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
nsrca-discussion-bounces@lists.nsrca.org
[mailto:nsrca-discussion-bounces@lists.nsrca.org] <b>On Behalf Of </b>Jay Marshall<br>
<b>Sent:</b> Wednesday, November 19, 2008 7:42 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'>This is the reason I use “one time” credit card numbers from Shop
Safe where you specify the max amount and a valid period. I have never
understood why credit card numbers must remain on a database after they have
cleared. They ought to be encoded also!</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'> </span><o:p></o:p></p>
<div>
<p><b><i><span style='font-size:13.5pt;font-family:"Brush Script MT";
color:navy'>Jay Marshall</span></i></b><span style='color:navy'> </span><o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>-----Original Message-----<br>
<b>From:</b> nsrca-discussion-bounces@lists.nsrca.org [mailto:nsrca-discussion-bounces@lists.nsrca.org]
<b>On Behalf Of </b>MKMSG<br>
<b>Sent:</b> Wednesday, November 19, 2008 12:15 AM<br>
<b>To:</b> NSRCA Discussion List<br>
<b>Subject:</b> [NSRCA-discussion] FMA Database Compromised</span><o:p></o:p></p>
<p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>If any of you have recently bought products
on line from FMA Direct using a credit card, check your credit card
account. FMA's database has been compromised/hacked and whoever has the
information is making charges against the credit cards. I read this in
the electric forum on Ezonemag.com. Sure enough, when I brought
up my VISA account, there was a NAPSTER charge there so I cancelled the
card. You might want to check yours if you've done business on line with
FMA recently.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Verdana","sans-serif"'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>Mike</span><o:p></o:p></p>
</div>
</div>
</body>
</html>