Meanwhile, Hawaiian taxpayers face a $1.2 billion budget deficit, which is being addressed in part with deferred state tax refunds and deferred Medicaid reimbursements.
Hawaii doesn't have a sales tax. It's a tourist destination without a sales tax. How silly is that? I get so tired of these "but that's a regressive tax!" wails and gnashings of teeth.
For any tourist destination, a sales tax is beautiful, because you get to tax people who don't live there. There is a danger that given two tourist destinations of equal attractiveness, the one without the sales tax may draw more tourists, but this isn't a problem for Hawaii. Where are you going to go, if you want beaches and sun and live on the west coast? Hawaii or Mexico, and there's a lot of people who go to Hawaii that wouldn't be comfortable with Mexico, so it's off the table. For Hawaii to tax their own people but not tourists seems like a strategically poor move.
A homeless program that cost $2M was not nearly as interesting to me as the fact they, of all states, had a budget deficit.
Don't we? Because every time I buy something, I pay an extra 4%. (Apparently, it's called a General Excise Tax.) An additional 6% is levied on hotel rooms as well.
You don't have a sales tax, in that the consumer is not taxed. Instead, you have an excise tax, where the business is taxed. Many businesses will show how much they inflated their prices in order to pay their excise tax, and show this as a line item on the receipt. That's their choice. That doesn't make it a sales tax.
Again, Hawaii is taxing its own people, instead of its tourists. In self-defense, many of those businesses pass that tax on to the tourists and itemize it on their receipts, but many don't.
I got frightened by all the PCI DSS fear that permeates this board. I assumed you guys had it all figured out, and to a man, you seem to all be of the same mind on this issue. Fear, fear, fear.
When I actually Read the F----ing Manual about this, and actually read that what was required was peanuts compared to the thousands of posts and comments I've read here pontificating on how to safely store a freaking password to a dating site, I am perplexed. How can a group of people who can talk your arm off for two hours about salts, rainbow tables, hashes, and password entropy be frightened of PCI? https://www.pcisecuritystandards.org/security_standards/pci_...
I store my own credit card info. Exactly how I do it is none of your business, as, while I don't rely on obscurity for my security, I'd be foolish to deny myself its added protection. I don't just meet PCI standards, which are easy, I greatly, greatly exceed them. Why anybody would use a third party billing company is not mysterious, but why somebody who reads HN would do so is strange to me.
I already know the comments I'll get for uttering such blasphemy. I would respectfully request that you actually spend 10 minutes reading actual PCI DSS guidelines before doing so, however.
Funny. I have a friend in the 'business', he does a very substantial amount of volume every year. I've helped a bit coding the now mandatory 'VBV' component for their system.
The spec was about 400 pages, it took weeks to read it and digest it to find out that it was relatively simple to implement.
This work gave me some insight in what goes on behind the scenes to get those deceptively simple rules from that page that you link put in to practice.
On paper, it's very easy to be PCI compliant. The problem is that in practice it really isn't all that easy. The auditing firms that will verify that you are indeed PCI compliant (you did request an audit?) are not going to sign off on this on a lark, they want really hard proof.
The nasty one is requirement '9': anything short of a cage at a provider with biometric access protection and a whole host of other measures simply isn't going to do. That alone will outweigh the costs for most small-time merchants of doing this by themselves.
Requirements '6', '7', '10', '11' and '12' are beyond the capabilities of most small businesses to implement anyway.
A guy like cperciva (and you, by your moniker) could probably do it in their sleep but I think you're the exception, not the rule.
It's fairly easy to miss a trick or two, the consequences would be pretty grave, the cost of outsourcing it is actually not that bad so that's the way most people will choose to go.
There were a pile of supporting documents as well regarding all the different encryption protocols that you have to support, because the various banks could not agree on a single one.
Also, that's not the VBV documentation but an entirely different thing you are linking to there.
PCI compliance and VBV have little to do with each other, you could be PCI compliant without implementing VBV, but if you implement VBV you probably should be PCI compliant otherwise you will not be using it.
I respectfully suggest that you undergo a 3rd party Type 1 PCI audit....
The amount of legal and policy documentation you are required to have is by itself a massive undertaking. The 3rd party audit will cost $150,000-$300,000 and a huge amount of man hours.
One what? One person who's actually undergone multiple type 1 PCI audits? :)
Encrypting the credit card is the smallest part of it (although the number of people who actually pull off the encrypted key, key pieces kept by different people/systems, etc... is low). The networking, server, secure audit/logging to a dedicated server, patch within 90 days, policy documents, and so on are the hard parts.
I note you sidestepped the question that you had been audited by (as they put it so nicely) a "Qualified Security Assessor" to complete your "Report On Compliance" ?
Well, I have to admit, I am certainly not a 6,000,000 transaction per year merchant, which is when I would need a level 1 audit that you and your friend so gleefully salivate over. I wish I was! If I was, I think it very reasonable to audit your processes to ensure security.
In fact, I am a level 4 merchant, to my shame, so I have not spent money having an expensive "Certified QSA Security Consultant" audit my systems. I would remind everybody that, sadly, they are probably level 4 merchants as well, unless they do over 20K transactions a year. Even if you do more than 20K, you're not in the scary big leagues till you get to 6M transactions.
Finally, I'd like to note that we hear a lot about these "possible fines", in theory, but have you heard of any in real life? I assume they must exist, but I invite you to read about the Heartland data breach, which exposed over 130 million credit card numbers. You'll note they still haven't been fined, but they "may be fined over $150K".
One thing at a time here. Lennart, my buddy, does indeed do well over 6M transactions per year, so a level 1 audit is his lot. Technically his company (vxsbill.com) is an IPSP, not a merchant. But because he has the requirement anyway, all the merchants that he works with and for benefit from the secure facility that he offers.
If you are a level 4 merchant, so less than 20K transactions per year (which sounds like a lot but really is only about 55 transactions per day, which I've already crossed over all by myself), then you could theoretically roll your own, but you are setting yourself up for a big fall if there ever would be a breach of security involving your site. And you'll still be paying access fees to a gateway, or have you found a way around that?
As for your 'theoretical fines', the two biggest instances that I remember wrecked the companies involved, the first one involved a company called Dacotah Marketing and Research, one of the largest internet billing companies during the .com boom, the second involved iBill.com, which you could probably qualify as their successor.
Both of these companies offered 'third party billing', which is one thing you are at least staying away from.
But if VISA doesn't care about blowing 10K+ merchants to kingdom come by fining an IPSP that does not abide by their rules out of existence, you certainly are not going to be felt any more than a gnat would be felt if a car ran over it.
They really don't care about individual merchants at VISA or MC, and working with a large- to mid-sized IPSP will have a significant advantage in that effectively you are bundling your negotiation powers against the card issuers.
This will help during acceptance, chargeback issues, merchant account revocation for some imaginary slight and so on (you did check if you have permission to run those logos, and did you get it in writing?).
Last but not least, the benefit of working through an IPSP rather than 'rolling your own', no matter how satisfying that is, is that you get a large pool of knowledge on scrubbing and pre-authorization checks to make sure that your customer is legit. But of course you've never had a fraudulent charge.
I don't know much about the Heartland data breach, other than what I read in the media so I'll decline to comment on that.
Let me close this bit by noting that 100 days ago you didn't know about PCI at all (http://news.ycombinator.com/item?id=1092224) and now you are the expert in the field and will tell people that they should just roll their own because you slapped something together and it worked - so far.
Me, I'll be leaning on a decade+ of experience and a couple of very dedicated employees to make sure that my money keeps rolling in, and that my customers' data does not get compromised. There is only so much time.
I also don't make my own computer chips, circuit boards, and so on. I've found it to be uneconomical to do so, and the same logic is what stops me from rolling my own billing solution.
Incidentally, I'm the original author of 'webpay', the software that powered the first major IPSP, so it's not as though I wouldn't have an idea where to start, but some things require a whole lot more dedication than I'm willing to spend on it to do it right.
edit: afterthought, you may be talking at cross purposes when you compare the $150K that Heartland might be fined to the most common kind of fine, the chargeback penalty. If you haven't had a chargeback yet then I urge you to read up on this and why scrubbing is so important. Especially if your volume is low, a single group of unfortunately timed chargebacks can kill your merchant account; depending on your contract the permissible percentages can be as low as 0.7% of the volume in the running month, and the latter is a real problem if there is a temporary change in volume on your website. I'll leave it up to you to figure out why that is a problem.
I hate that google is so "text focused". Obviously, for 90% of the web, that's just fine, but I do web apps that "do things".
For example, if I have a web app that converts numbers between bases (just an example, OK?), Google would ignore me, since my home page is just a couple of text fields and a submit button. (If it's ajax, I don't even have a submit button)
So, I say, "OK, fine, Google, you want text, I'll give you text", and I add a blog, saying some stuff about converting numbers between bases. That works a bit, but really, I don't have that much to say about converting numbers between bases. I have this app, it works well, what's to say? So, I rapidly run out of things to say in this blog I was forced to write. Google sees my site as never having new content, and down I go.
Of course, if I had a bunch of incoming links, no worries, but I won't get them if nobody can find me in the first place.
The Audio Spotlight was introduced around the same time as HSS (~2000-2001 IIRC). The LRAD was introduced earlier, but that uses a different tech (it's just a large two-dimensional array).
Slaughtered or not, it's an awkward word to say "properly", and awkward words get changed.
I find kilometer much easier to say the American way, "kill-ah-meter", rather than the correct way of "kill-Oh-meter". I suspect people will pronounce these things in a way that isn't painful to the tongue, and memri-stor is that way.