<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I just spoke with FMA and was told they are going to release a
statement about what happened later today on their web site.<br>
<br>
Chris<br>
<br>
Robert L. Beaubien wrote:
<blockquote
cite="mid:F078987D4F08C3429D64F81264554EB2010AD488@mail2.koolsoftmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Brush Script MT";
panose-1:3 6 8 2 4 4 6 7 3 4;}
@font-face
{font-family:SymbolMT;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.normalweb1, li.normalweb1, div.normalweb1
{mso-style-name:normalweb1;
mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.emailstyle19
{mso-style-name:emailstyle19;
font-family:"Arial","sans-serif";
color:navy;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:.2in .25in 33.1pt .25in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="Section1">
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Its
pretty stupid. There is no reason to store credit card
numbers at all. I write software for online stores and such and the
number is
processed, and never saved. Only the transaction ID and the last 4
digits of
the card for the customer benefit for future reference.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Every
year I have to fill out one of those PCI survey's for each
of my customers that take credit cards and answer N/A to most of the
questions
because they deal with storage of card numbers. Why on earth would any
company
want to take on that kind of risk?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">-
Robert Beaubien<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">-
NSRCA, District 7 Webmaster<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">-<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">
<a class="moz-txt-link-abbreviated" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">nsrca-discussion-bounces@lists.nsrca.org</a>
[<a class="moz-txt-link-freetext" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">mailto:nsrca-discussion-bounces@lists.nsrca.org</a>] <b>On Behalf Of </b>Dave
Burton<br>
<b>Sent:</b> Wednesday, November 19, 2008 9:16 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">I’ll
make you a bet that 95+% of small businesses don’t know
about much less follow the standards.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">The
bad guys hit my account too but the bank fraud control unit
called to alert me and resolved it with a new account number.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Dave
Burton<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">
<a class="moz-txt-link-abbreviated" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">nsrca-discussion-bounces@lists.nsrca.org</a>
[<a class="moz-txt-link-freetext" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">mailto:nsrca-discussion-bounces@lists.nsrca.org</a>] <b>On Behalf Of </b>Gene
Maurice<br>
<b>Sent:</b> Wednesday, November 19, 2008 10:56 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Credit
card information is suppose to be encrypted and secured.
There is an organization PCI (Payment Card Industry) who has issued a
Data
Security Standard that “mandates” certain security measures be
implemented if
you deal with CC payments. <o:p></o:p></span></p>
<p class="MsoNormal" style=""><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Quote:
</span><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">PCI DSS
requirements
are applicable if a Primary Account Number (PAN) is stored, processed,
or<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">transmitted.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">The
standards further states, quote:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";"> Do
not store sensitive authentication data subsequent to authorization
(even if
encrypted).<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">And,
quote: <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Render
PAN, at minimum, unreadable anywhere it is stored (including data on
portable
digital<o:p></o:p></span></p>
<p class="MsoNormal" style=""><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">media,
backup media, in logs, and data
received from or stored by wireless networks) by using<o:p></o:p></span></p>
<p class="MsoNormal" style=""><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">any of the
following approaches:<o:p></o:p></span></p>
<p class="MsoNormal" style=""><span
style="font-size: 10pt; font-family: SymbolMT;">• </span><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Strong
one-way hash functions (hashed indexes)<o:p></o:p></span></p>
<p class="MsoNormal" style=""><span
style="font-size: 10pt; font-family: SymbolMT;">• </span><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Truncation<o:p></o:p></span></p>
<p class="MsoNormal" style=""><span
style="font-size: 10pt; font-family: SymbolMT;">• </span><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Index
tokens and pads (pads must be securely stored)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: SymbolMT;">• </span><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Strong
cryptography
with associated key management processes and procedures.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Sounds
like FMA ain’t following the standard…………..<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Gene
Maurice<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Plano,
TX<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">AMA
3408 NSRCA 877<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">PACSS.sgmservice.com<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><a class="moz-txt-link-abbreviated" href="mailto:gene.maurice@sgmservice.com">gene.maurice@sgmservice.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">
<a class="moz-txt-link-abbreviated" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">nsrca-discussion-bounces@lists.nsrca.org</a>
[<a class="moz-txt-link-freetext" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">mailto:nsrca-discussion-bounces@lists.nsrca.org</a>] <b>On Behalf Of </b>Jay
Marshall<br>
<b>Sent:</b> Wednesday, November 19, 2008 7:42 AM<br>
<b>To:</b> 'General pattern discussion'<br>
<b>Subject:</b> Re: [NSRCA-discussion] FMA Database Compromised<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: navy;">This
is the reason I use “one time” credit card numbers from Shop
Safe where you specify the max amount and a valid period. I have never
understood why credit card numbers must remain on a database after they
have
cleared. They ought to be encoded also!</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: navy;"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: navy;"> </span><o:p></o:p></p>
<div>
<p><b><i><span
style="font-size: 13.5pt; font-family: "Brush Script MT"; color: navy;">Jay
Marshall</span></i></b><span style="color: navy;"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 100pt; font-family: "Tahoma","sans-serif";">-----Original
Message-----<br>
<b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">nsrca-discussion-bounces@lists.nsrca.org</a>
[<a class="moz-txt-link-freetext" href="mailto:nsrca-discussion-bounces@lists.nsrca.org">mailto:nsrca-discussion-bounces@lists.nsrca.org</a>]
<b>On Behalf Of </b>MKMSG<br>
<b>Sent:</b> Wednesday, November 19, 2008 12:15 AM<br>
<b>To:</b> NSRCA Discussion List<br>
<b>Subject:</b> [NSRCA-discussion] FMA Database Compromised</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left: 0.5in;"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 100pt; font-family: "Arial","sans-serif";">If any of
you have recently bought products
on line from FMA Direct using a credit card, check your credit card
account. FMA's database has been compromised/hacked and whoever has
the
information is making charges against the credit cards. I read this in
the electric forum on Ezonemag.com. Sure enough, when I brought
up my VISA account, there was a NAPSTER charge there so I cancelled the
card. You might want to check yours if you've done business on line
with
FMA recently.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 100pt; font-family: "Verdana","sans-serif";"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 100pt; font-family: "Arial","sans-serif";">Mike</span><o:p></o:p></p>
</div>
<blockquote
style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color black; border-width: medium medium medium 1.5pt; margin: 5pt 0in 5pt 3pt; padding: 0in 0in 0in 3pt;">
<p class="MsoNormal" style="margin-left: 0.5in;"><span
style="font-size: 100pt; font-family: "Verdana","sans-serif";"> </span><o:p></o:p></p>
</blockquote>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
NSRCA-discussion mailing list
<a class="moz-txt-link-abbreviated" href="mailto:NSRCA-discussion@lists.nsrca.org">NSRCA-discussion@lists.nsrca.org</a>
<a class="moz-txt-link-freetext" href="http://lists.nsrca.org/mailman/listinfo/nsrca-discussion">http://lists.nsrca.org/mailman/listinfo/nsrca-discussion</a></pre>
</blockquote>
</body>
</html>