![\"user-pic\"](\"/css/images/default.gif\")
either install a firewall in front of all Web-facing applications or submit custom application code to an outside security firm for a vulnerability review.
@KernelM: The requirement is to install an application firewall, not a network firewall. A proper network firewall would have caught this issue.
Well, it's fortunate that only 5 or 6 people were affected. Get it? Who cares about soccer. This is 'Merica!
Give me my Outback Ranch Explosion Sauce Fries.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-13552-100x100.png\")
but are they now taking it seriously?
@matt1978: There's a lot to be said for a game that doesn't let the network call time-outs for commercial breaks.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-25844-100x100.png\")
@KernelM: Yeah, it scares me a lot that companies like Visa and MC are \"protecting\" us with things like firewall requirements (which may not do any good) and \"credit monitoring\". It shows that they are neither technically or financially astute, since neither will stop identity theft.
![\"user-pic\"](\"/mt-static/support/assets_c/userpics/userpic-59206-100x100.png\")
@humphrmi: If you're interested, you can read all 12 of the requirements in the Payment Card Industry Data Security Standard here. They go into a great deal more depth than that in other docs, but suffice it to say Visa, MC, and the other CC companies get pretty specific when it comes to the regulations they place on companies that store, process, or transmit credit card data. That's not to say they're always successful, or anywhere close--but they can and do fine the shit out of people who aren't compliant.
If a company does everything the PCI DSS says to do, they'll be in pretty good shape security-wise. It's never perfect, of course. From a business perspective, it's far better to conform to the standard so that in case of a breach the business can show it's done its due diligence.
PCI actually specifies a list of software vendors that are approved for use under the standard. I've seen this list (we're working on this where I work) but I'm not sure I could lay my hands on it. Having read through the standard quite a few times and witnessed the consequences of non-compliance, I'm kind of amazed that people even use custom shopping cart apps any more. Any time the code changes, it has to be audited. That's expensive. Combine that with the expense of quarterly vulnerability scans and annual pen tests and the cost of a pre-fabbed PCI-approved software looks a lot more cost-effective all of a sudden.
It's crap. Monitoring is an outright scam and they only offer it to look like they're doing something about the problem when they're really not.
Credit freezes are the only way to actually protect your credit. Relevant links:
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-55114-100x100.png\")
You should be supporting the MLB or NFL instead of them. Anyone who buys MLS gear is getting what they deserve.
/end obligatory \"my product/service/company/credit union is better than your product/service/company/bank comment.
10 posts before someone ragged on the OP's choice? Needed to be done.
@FitJulie: Excellent post.
I cases as this, it's NOT Visa/MC that screwed up, it was the merchant and their poor/incomplete security procedures in their own charge-card processing.
This is the consumers opportunity to rag big-time on the merchant (e-mail blast, snail mail, etc) on their failure to protect \"their customer's\" data; EECB them when needed or warranted, and vote with your feet when appropriate.
@aikoto: I agree that paying for credit monitoring is a giant waste of money. I actually dumped my old bank for trying to sell monitoring services to me! In this case, however, MLSGear.com is footing the bill, so I'm going to take advantage of it.
I'm also taking other actions; I plan to file fraud alerts on my credit reports and file a complaint with the FTC. I'll file a police report if anyone actually uses the information they stole as well.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-186777-100x100.png\")
@FitJulie: Footing the bill! Brilliant! You know, because you play soccer with your foot! I like what you did there!
We had fraud on our credit card after making a purchase at two internet sites in July 2006; one of these was mlsgear.com. In December 2006 we had another instance of credit card fraud but this time the only site we had recently made a purchase was mlsgear.com. I called them immediately because both cases must have been due to them. I was told by customer service that it was impossible because \"they are a secure site\". I demanded to speak to a supervisor which I eventually got. She finally believed me because another customer had called the same day. Now, 14 months later they are finally recognizing that they have a problem?
![\"user-pic\"](\"/mt-static/support/assets_c/userpics/userpic-99654-100x100.png\")
This one got me too. I bought a pair of socks there about a year and a half ago. Fortunately, the CC I used has since expired, but I went ahead and took advantage of the credit monitoring offer anyway. Now I'm beginning to wonder if this breach wasn't the reason someone changed my billing address for me on that card a couple months after I bought the socks...