Thursday, February 16, 2012

SSL is for goyim

Following Pomegranate's example, they were smart enough to take the form down, Mountain Fruit now has an online order form, with a credit card section, all being submitted without SSL.
I'm guessing that they decided that SSL is a goyish meshugas and that all you need is faith in Hashem who will personally protect their customers' credit cards.
Now, I'm guessing that besides the lack of SSL, all of the credit card information is either being emailed to someone or stored, unencrypted, in an easily accessible database.
On the other hand, someone stupid enough to submit credit card info online without taking the bother to notice whether the page is secure or not, deserves what they get.

I emailed Mountain Fruit regarding the "oversite" at 11:16am, let's see what happens next.


  1. Welcome to the world of Jewish "websites"

    Even "secure" sites store CC numbers unencrypted on their server (took under 5 min to get in)
    I contacted them, but they did nothing.

  2. Of course they'd do nothing. They don't really care.

    1. When PCI becomes the requirement (almost is), 90% of jewish stores will stop accepting CC's..

    2. No they won't. Mountain Fruit, for one, can use their in store computers and credit card machines to manually enter and charge credit cards. And the rest will do the same.

    3. You still need a processor.
      If you are required to have PCI (even offline),
      Data transmission storage and digital/physical access must
      be secured.

    4. Many ways around it, especially for these wuss wuss companies.

  3. Like process under someone else?
    If you lie on the assessment and there is a breach
    MS VI AE and DI will sue you to kingdom come...

    1. I know some who share a processor for online sales.
      Got screwed by one of those companies actually.
      Some change company name every year.
      And any store can get a credit card machine and after make a website and enter numbers manually.

  4. Generally it is not illegal to use the same MID for multiple DBA's, so it is possible that those companies are either DBA's are sisters.
    PCI compliance regulates both online and physical processing, so if you cannot get a CC machine without complying (Need-To-Know only access, secure storage, not storing sensitive stuff - like cvv's etc.) it would make the market a much more friendly place.

    I remember when many restaurants in Brooklyn (only a couple of years ago) printed the entire CC number and expiry on the receipt.

    All the thief needed to do is stand next to the garbage can outside....

    1. I'm talking about the small credit card machines which small stores use and which are just connected to a phone line to dial out, no integration. You can manually enter a credit card and there's no PCI compliance issue. After getting one of those, the company can start accepting credit cards online and charging them manually.

    2. "there's no PCI compliance issue" - Yet.
      My point precisely.

    3. P.S. if you google "pci compliance POS" ,
      you'll see that indeed, PCI does apply to POS systems (point of sale -- small credit card machines).