<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: remote payment security</title>
	<atom:link href="http://blog.yhuang.org/?feed=rss2&#038;p=5" rel="self" type="application/rss+xml" />
	<link>https://blog.yhuang.org/?p=5</link>
	<description>here.</description>
	<lastBuildDate>Tue, 14 Oct 2025 11:10:14 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.1</generator>
	<item>
		<title>By: Payment Applications</title>
		<link>https://blog.yhuang.org/?p=5&#038;cpage=1#comment-8364</link>
		<dc:creator>Payment Applications</dc:creator>
		<pubDate>Fri, 15 Aug 2008 05:05:55 +0000</pubDate>
		<guid isPermaLink="false">http://scripts.mit.edu/~zong/wpress/?p=5#comment-8364</guid>
		<description>You have very good points about data security and specifically personal data, not limited to credit cards. Credit card security and payment security in general can be mitigated, at best, by adhering to PCI DSS requirements and PABP compliance mandates by merchants, acquirers and software companies. 
Personal data on a large scale (think OpenID with all logins for all sites) being breached leaves one target. You can supplement that with tokenization (you touched on this briefly in your original post), where the data breach of tokenization (where the tokens would be rendered useless) limits the damage.
I look forward to your further thoughts on this topic in the future.</description>
		<content:encoded><![CDATA[<p>You have very good points about data security and specifically personal data, not limited to credit cards. Credit card security and payment security in general can be mitigated, at best, by adhering to PCI DSS requirements and PABP compliance mandates by merchants, acquirers and software companies.<br />
Personal data on a large scale (think OpenID with all logins for all sites) being breached leaves one target. You can supplement that with tokenization (you touched on this briefly in your original post), where the data breach of tokenization (where the tokens would be rendered useless) limits the damage.<br />
I look forward to your further thoughts on this topic in the future.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: me</title>
		<link>https://blog.yhuang.org/?p=5&#038;cpage=1#comment-2242</link>
		<dc:creator>me</dc:creator>
		<pubDate>Mon, 26 May 2008 07:42:56 +0000</pubDate>
		<guid isPermaLink="false">http://scripts.mit.edu/~zong/wpress/?p=5#comment-2242</guid>
		<description>Since this post, I&#039;ve been in a discussion about this and there are some important additional remarks:

1. While I said that most PGP users are indeed paranoid about protecting useless bits, some institutions like businesses do have important information that they would never want revealed.

2. A good rebuttal was brought up that information, once revealed, is irrevocable, whereas a stolen credit card can be revoked and the damage limited. Well, this isn&#039;t exactly a rebuttal. The compromised key that reveals information can be revoked, too. But it&#039;s true that massive information compromise can happen more quickly and on a more public scale than money fraud involving credit cards. The latter (usually) involves exactly one victim and one beneficiary. Therefore it makes sense that more effort is put into securing valuable information than securing a credit card.</description>
		<content:encoded><![CDATA[<p>Since this post, I&#8217;ve been in a discussion about this and there are some important additional remarks:</p>
<p>1. While I said that most PGP users are indeed paranoid about protecting useless bits, some institutions like businesses do have important information that they would never want revealed.</p>
<p>2. A good rebuttal was brought up that information, once revealed, is irrevocable, whereas a stolen credit card can be revoked and the damage limited. Well, this isn&#8217;t exactly a rebuttal. The compromised key that reveals information can be revoked, too. But it&#8217;s true that massive information compromise can happen more quickly and on a more public scale than money fraud involving credit cards. The latter (usually) involves exactly one victim and one beneficiary. Therefore it makes sense that more effort is put into securing valuable information than securing a credit card.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
