Valve Announces Massive Steam Server Intrusion
SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.'"
Hey gabe (Score:4, Interesting)
Re:Hey gabe (Score:5, Informative)
Origin looks mighty tempting right about now.. with BF3 and all...
Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138 [decryptedtech.com]
Re:Hey gabe (Score:5, Insightful)
You're just being stupid for the sake of comedy right?
Amazon.com looks good right now.
Fuck, even Best Buy looks good right now.
Origin looks like the exact same crap, but with a much less trustworthy company in charge of it. EA would sell all that personal information straight to the hackers if it meant they could turn a profit.
Re:Hey gabe (Score:5, Insightful)
Even after this, I still trust Valve more than I trust EA. Hell Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.
Re: (Score:3)
They could require a ritual human sacrifice every time I start a game and I would STILL trust them more than EA.
It would be better if they didn't have the database but encrypted info isn't much value as long as they didn't get the salt values or private keys with the data.
Re:Hey gabe (Score:5, Informative)
Yeah, so far Valve's credit card database has been stolen, but EA customers are the ones getting money stolen from their bank accounts [reddit.com].
Unencrypted passwords (Score:5, Interesting)
All you need to see about EA's security is how they deal with "lost passwords".
Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
This tells me that:
a) They're dumb enough to send passwords in plaintext via email
b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.
FAIL!
Re:Hey gabe (Score:5, Funny)
Wait... are you saying kitteh sacrifices are NOT part of standard server administration? Shit, I'm not quite sure what my boss is going to say when he finds out how I run things...
Proper back end hashing and encryption? (Score:5, Insightful)
Awesome. Sounds like they were doing things right.
Re:Proper back end hashing and encryption? (Score:5, Funny)
Awesome. Sounds like they were doing things right.
Yeah, sounds like they did better than most businesses *cough* Sony *cough* who probably kept everything in a big ol' text file.
which was named readme.txt
Re:Proper back end hashing and encryption? (Score:5, Funny)
They called it 'dontreadme.txt'
Re: (Score:3)
Re: (Score:3)
yes, but with gabe you can use portals to fling him.
Re: (Score:3)
Re:Proper back end hashing and encryption? (Score:4, Informative)
Uh, no. Sony stored over 1M passwords in cleartext.
http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html [troyhunt.com]
Re:Proper back end hashing and encryption? (Score:4, Informative)
Don't forget the 12,700 credit card numbers stored in cleartext. But that's no biggie, because only a thousand of them were still active Sony customers.
Re:Proper back end hashing and encryption? (Score:5, Insightful)
Re: (Score:3)
All my cards already got compromised. Whee. I think some merchant somewhere was doing exactly what the PCI-DSS council [pcisecuritystandards.org] says not to do.
Fortunately they all have 'zero liability' - wonder how long that will last? In my case, the best the hackers got were deactivated card numbers and a password that just became useless.
Re: (Score:3)
Didn't have any trouble myself.
Sounds silly, but try changing your download location first in the settings, you might have better luck connecting via a different 'path'
Hilarity (Score:2, Insightful)
Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.
Love to see the hivemind at work.
Re:Hilarity (Score:5, Insightful)
The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.
Re: (Score:2, Insightful)
Re:Hilarity (Score:5, Insightful)
Re:Hilarity (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3, Interesting)
Be warned, the following is only hearsay:
The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.
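The failure mode described in that comment (card data landing in web-server logs) is something a defender can check for directly. The following is an added example, not code from the thread or from Sony or Valve: it scans constructed Apache-style access-log lines for digit runs that pass the Luhn checksum and masks them. The log lines and card numbers are constructed (the numbers are the public Visa/Mastercard test numbers), and the function names are my own.

```python
import re
from typing import List, Tuple

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers.

    Roughly one random digit run in ten passes, so this is a filter that
    removes most timestamps and IDs, not proof that a run is a card number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(line: str) -> List[str]:
    """Return the Luhn-valid card-number-like digit runs found in one log line."""
    return [
        _normalise(m.group(0))
        for m in _PAN_CANDIDATE.finditer(line)
        if luhn_valid(_normalise(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual form for receipts and logs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid candidate in the line; return (new_line, count)."""
    count = 0

    def _replace(m: "re.Match[str]") -> str:
        nonlocal count
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return _PAN_CANDIDATE.sub(_replace, line), count


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Report (line_number, pans) for lines that leak card numbers."""
    hits = []
    for number, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits.append((number, pans))
    return hits


# Constructed sample access-log lines (not from any real server). The card
# numbers are the public Visa/Mastercard test numbers, which pass Luhn; the
# 16-digit order id on the last line does not.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2011:21:14:02 +0000] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Nov/2011:21:14:03 +0000] "GET /pay?card=4111111111111111&exp=1213 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [06/Nov/2011:21:15:10 +0000] "GET /pay?card=5555-5555-5555-4444&exp=0114 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Nov/2011:21:16:44 +0000] "GET /order/1234567890123456 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, pans in scan_log(SAMPLE_LOG):
        print(f"line {number}: {len(pans)} card number(s) in the clear")
    for line in SAMPLE_LOG:
        print(scrub_line(line)[0])
```

Running this over a real log directory is a cheap periodic check; the real fix is to keep card data out of query strings and log lines in the first place, but a scanner like this is how you find out that it happened.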
Re:Hilarity (Score:4, Informative)
One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.
Re:Hilarity (Score:5, Informative)
Not entirely true - some credit card merchant gateways permit you to tokenize the credit card info and re-charge them without ever re-sending (or storing) the details. In these cases, the merchant only ever sees your details once - when they send them in to be tokenized. And the token is also usable only by the original merchant - so the worst a hacker could do with it is forcibly give your money to the merchant.
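The tokenization model this comment describes can be shown end to end with an in-process stand-in for the gateway. This is an added example, not code from the thread or from any real payment gateway; the gateway and merchant classes, the merchant ids and the token format are all hypothetical. It shows the merchant sending the card number exactly once, re-charging with the token afterwards, and what an intruder who dumps the merchant database actually gets.

```python
import json
import secrets
from typing import Dict, List, Tuple


class PaymentGateway:
    """Hypothetical card-vault gateway: the only party that ever stores a PAN.

    A token is bound to the merchant that created it, so a token copied out
    of a merchant's database can only be used to charge that same merchant.
    """

    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}   # token -> (merchant_id, pan)
        self.charges: List[Tuple[str, str, int]] = []  # (merchant_id, last4, cents)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)          # random, not derived from the PAN
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> int:
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        self.charges.append((merchant_id, entry[1][-4:], amount_cents))
        return len(self.charges) - 1                     # charge id


class Merchant:
    """A merchant that keeps only tokens and the last four digits for display."""

    def __init__(self, merchant_id: str, gateway: PaymentGateway) -> None:
        self.merchant_id = merchant_id
        self.gateway = gateway
        self.customers: Dict[str, Dict[str, str]] = {}  # everything a DB breach exposes

    def add_card(self, customer: str, pan: str) -> None:
        token = self.gateway.tokenize(self.merchant_id, pan)
        self.customers[customer] = {"token": token, "last4": pan[-4:]}
        # `pan` goes out of scope here; it is never written to the merchant's store

    def recharge(self, customer: str, amount_cents: int) -> int:
        token = self.customers[customer]["token"]
        return self.gateway.charge(self.merchant_id, token, amount_cents)


def breach_outcome(pan: str = "4111111111111111") -> Dict[str, object]:
    """Walk through enrol -> re-charge -> database theft -> attacker's attempt."""
    gateway = PaymentGateway()
    shop = Merchant("merchant_shop", gateway)          # hypothetical merchant id
    shop.add_card("alice", pan)                        # PAN sent to the gateway once
    first_charge = shop.recharge("alice", 999)         # later purchase, no PAN re-sent

    stolen = json.dumps(shop.customers)                # what an intruder dumps
    stolen_token = shop.customers["alice"]["token"]

    # The token only works under the original merchant's account.
    try:
        gateway.charge("merchant_attacker", stolen_token, 50_000)
        cross_merchant_charge_rejected = False
    except PermissionError:
        cross_merchant_charge_rejected = True

    return {
        "pan_in_stolen_data": pan in stolen,
        "recharge_worked": first_charge == 0,
        "cross_merchant_charge_rejected": cross_merchant_charge_rejected,
        "charges_on_original_merchant": len(gateway.charges),
    }


if __name__ == "__main__":
    print(json.dumps(breach_outcome(), indent=2))
```

The worst case the comment mentions (a stolen token used to push money to the original merchant) still exists in this model, which is why the gateway keeps its own charge ledger for that merchant's refunds and investigation.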
Re:Hilarity (Score:5, Informative)
Well, let's start with the fact that PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.
Re: (Score:3)
in part due to the fact that Sony is run by gigantic cocks while Valve isn't.
So Valve is run by tiny cocks? I feel sorry for Gabe's wife.
Re:Hilarity (Score:5, Insightful)
Re: (Score:3, Insightful)
The guy has just admitted they stuffed up. They had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.
If you think this situation is anything like being raped, you do not know what rape is...
Re:Hilarity (Score:4, Funny)
Yeah... it's more like getting roofied, and then being told about it 4 days later.
Re: (Score:3, Insightful)
Re: (Score:3)
Ignoring the rape comparison, I would be happy they admitted it. Would you prefer they pretend it didn't happen, and go "la la la la we didn't see it"?
Re:Hilarity (Score:5, Informative)
1. No-one told you you had to store credit card details in Steam, they support PayPal which prevents this being an issue.
2. At least they told their users in a prompt manner.
3. It sounds like the information was properly encrypted and stored, this did not sound true with Sony.
Re: (Score:2)
No-one told you you had to store credit card details in Steam
Did somebody tell you to store your credit card details on PSN?
Re:Hilarity (Score:4, Informative)
Re:Hilarity (Score:5, Informative)
There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.
There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.
And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.
Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.
Re: (Score:2)
Re: (Score:3)
Yes - but some Sony exec stated otherwise, which caused no end of confusion even after they corrected the statement.
Re: (Score:2)
Re:Hilarity (Score:5, Informative)
So technically speaking the passwords _weren't_ encrypted. I remember when that bit of news came my friends and I were all very curious to know what kind of salt (if any) they were using, but we're all geeks at a software company so we're a bit more clued in about such things. In fact I don't remember if the salt question ever got answered.
As for why it keeps getting brought up, especially in this thread, it's because people keep asking why Sony was treated more harshly than Valve seems to be getting treated now. The answer is that Sony took forever to say anything about what was going on [wikipedia.org] and they made a habit of releasing partial bits of information, some of which were confusing or misleading. The encryption issue is just one of those bits the handling of which upset people.
PSN was hacked between April 17th and 19th. It took a day or three before they shut down the servers without saying a word. It was three more days [slashdot.org] before they admitted there had been a data intrusion, and another three days [slashdot.org] before they admitted that user data had been compromised and days more before they admitted that personally identifiable information had been compromised.
If Valve starts dribbling out more bits of previously unrevealed information over the next few weeks (not just details on the aspects they've already confirmed) then the amount of goodwill currently being displayed will erode very fast.
Most of us don't feel that it's possible to prevent all security intrusions, but it is possible for companies to be responsible and forthright about it when it happens.
Re: (Score:2)
Re: (Score:3, Informative)
Re:Hilarity (Score:5, Interesting)
Re: (Score:3)
Re:Hilarity (Score:5, Interesting)
Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:
1. Completely shut down the service for a week with no explanation.
2. Keep the service offline for an additional month after admitting that they had been compromised.
3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.
I think that about covers the differences.
Re:Hilarity (Score:5, Insightful)
Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.
Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.
Re:Hilarity (Score:5, Insightful)
Do unto others... (Score:3)
Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.
Valve = Valuable contributor to healthy, competitive market. Cares about customers.
Sony = Anticompetitive lockdown ensures that a great many games are unplayable as they take a month to sort out the problem. Doesn't give a shit about customers.
Why is the concept that people will treat companies in the same way that those companies treat them such a strange and unusual concept to some people?
DRM rocks! (Score:4, Insightful)
Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...
Re:DRM rocks! (Score:5, Insightful)
As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.
Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.
Re: (Score:3)
Re:DRM rocks! (Score:4, Informative)
Liar. If you try to start Steam without an internet connection, it pops up a window with two options "Retry" and "Start in Offline Mode". You absolutely do not need to go into offline mode ahead of time. Did you really think no one would catch that lie?
Re:DRM rocks! (Score:4, Informative)
No he's probably not lying. I've had the exact same problem. I'll explain it as best I can (I don't know why it happens):
Your computer is connected to the 'net with steam running. You shut down steam, disconnect from the internet completely, then restart steam. Then steam does all kinds of weird shit like it claims it's updating itself or "connecting"... after a while it finally pops up and says I can't connect to to a steam server what would you like to do? 1) Retry 2) Start in Offline Mode. Select option 2 (obviously) then steam says it's "connecting" (sigh) again, then it says something like could not connect to a steam server at this time. The only option is to close the window.
As far as I can tell the workaround to play in offline mode depends on the game. For all games this was required: start steam with a working internet connection, select go/restart into offline mode while connected to the internet, then quit steam, then disconnect from the internet completely, then start steam in offline mode normally at your leisure. That worked for most games but it was also incredibly annoying; the buddies I LAN with don't have a 'net connection and I forgot to go through this process before going over once or twice.
For some games (The Orange Box falls into this category) I had to have the game updated, then start the game while connected to the internet IF it had been updated since it was last played, then go through all the normal stuff I listed above. If I didn't do all of this the game would not start in offline mode even if steam would. Yet more games completely refused to start and I never figured out how to work around that (none of the above worked.)
For the GP's sake: I managed to fix the issue by uninstalling steam then nuking the contents of the steam folder on the drive. But it still does some weird shit but w/e. Also I haven't bothered reporting or complaining because I have heard that Valve ignores complaints about offline mode not working so...
Re: (Score:3)
Way to keep us informed? (Score:5, Insightful)
Re: (Score:2)
Re:Way to keep us informed? (Score:5, Informative)
They did? I never got that one myself.
I did. I had completely forgotten about it until I read The MAZZTer's comment. I kind of shrugged it off as the usual email spoofing, but it still seemed odd at the time that it made it through Google's spam filter.
The email, with redactions by me:
Subject: Come join [redacted], a gaming resource community
From: webmaster@steampowered.com
Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit [redacted]. It's safe, secure and undetected.
Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.
Thanks again,
the [redacted] team.
Re: (Score:2)
Re: (Score:3)
Re:Way to keep us informed? (Score:4, Interesting)
They HAD to do so eventually, but the point is they went into denial mode for weeks before admitting the fuckup.
Re:Way to keep us informed? (Score:5, Informative)
Sony was quite public about it, what are you talking about?
They may have been public about the fact that there was a breach, but they were incompetent in their handling of it. And based on my e-mail archives, they never fully informed their customers of the extent to which the intruders compromised their servers. Specifically, Sony only sent out two e-mails related to the PSN outage to all of their customers: one on April 28th to say that accounts had been compromised, but that there was no evidence of credit cards having been compromised at that time, and another on June 5th to announce the Welcome Back package. From what I can tell, there was NEVER a mass e-mail to inform their PSN customers that credit card information had, in fact, been stolen, nor did they ever send out a mass e-mail to announce their identity theft protection program (or maybe I just didn't get it because I signed up for it before they sent it?).
Here's a complete timeline including other announcements besides e-mails:
January or February 2011 - Sony is told by security experts specifically why their server security sucks [slashdot.org]
Early April - Various PSN outages, some because of planned Anonymous DDoS attacks
April 17th-19th - PSN compromised (source: Sony's April 28th e-mail)
April 21st - PSN goes down as Sony realizes something is up
April 23rd - Sony blames outage on external intrusion [slashdot.org]; makes no mention of compromised accounts
April 24th - Sony starts "rebuilding" PSN after attack [slashdot.org]; still no mention of compromised accounts
April 26th - Sony admits that someone may have some account information for their 77M accounts [slashdot.org]
April 27th - Sony confirms that some data was stolen [slashdot.org]
April 28th - First e-mail to customers gets sent; says there is no evidence yet of credit cards having been compromised
May 1st - Sony confirms that 10M users had credit cards compromised [slashdot.org]; promises PSN up by week's end [slashdot.org] (spoiler: it didn't happen); doesn't send an e-mail
May 2nd - SOE goes down after they realized it was compromised too [slashdot.org]
May 3rd - Sony admits 24.6M SOE accounts were compromised [slashdot.org]
May - Lots more drama as Sony makes promises to have PSN up but then reneges on them repeatedly
June 2nd - PSN finally comes back up [latimes.com]
June 5th - Second e-mail to customers gets sent; tells them that the Welcome Back package is now available; makes no mention of credit cards, identity theft, or how to sign up for their free identity theft protection program
I'd hardly call it a model to follow, and I'm still hoping that Valve will make a point of e-mailing their users in the next few days. It's fine to take a few days for something like this while you track down the details, but it does need to get done properly at some point. Sony never did it properly.
Re: (Score:3)
Re: (Score:2, Interesting)
Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D
Re: (Score:3)
Re:Way to keep us informed? (Score:5, Insightful)
It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."
Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.
Re: (Score:2)
Steam has the ability to push out news to everyone, as well as updates. I am well aware of this as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases. I'm also notified when the client has to update.
I'm pretty sure that they have a way to push out a notice to everyone - I'm just wondering why they haven't done it yet.
Re:Way to keep us informed? (Score:5, Informative)
as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases.
Sounds like you don't like this.
1. Steam Menu
2. Settings
3. Interface Tab
4. Uncheck the "Notify me..." box near the bottom
Re:Way to keep us informed? (Score:5, Informative)
The announcement also pops up after you stop playing a Steam game. Normally there's some ads when you do that, but currently the first thing that shows up is the text that Slashdot posted here. It's actually quite effective, because normally you get pictures and ads and things instead of a wall of text, so it stands out.
Re: (Score:3)
It is also interesting to note that the daily deal on Steam today is "Day of Defeat." Coincidence or message?
How hard are the passwords to crack? (Score:3)
I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?
For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.
I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)
Re:How hard are the passwords to crack? (Score:5, Informative)
No, each one is an independent problem.
None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).
The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.
Use a passphrase unless there's some stupid limit on password length.
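Two points in this thread come together here: the earlier post about EA e-mailing a user's actual password (which means the password was stored in a retrievable form), and this answer's point that with salted hashing every account is an independent problem for an attacker. The following is an added example, not code from the thread or from Valve, EA or Sony: a minimal account store that hashes passwords with PBKDF2-HMAC-SHA256 and a per-user random salt, and a "lost password" flow that e-mails a random, short-lived, single-use token instead of the password. Class and function names, the iteration count and the 15-minute token lifetime are my assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' using a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


class UserStore:
    """Hashed passwords plus a reset flow that never sends or reveals a password."""

    RESET_TTL_SECONDS = 15 * 60   # assumed token lifetime

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}                    # username -> stored hash
        self._resets: Dict[str, Tuple[str, float]] = {}    # sha256(token) -> (user, expiry)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """What 'lost password' should produce: a random, short-lived, single-use token.

        Only a hash of the token is kept server-side, so a database dump does
        not hand out live reset links either. The returned token, inside a
        link, is the only thing that goes in the e-mail.
        """
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._resets[key] = (username, _now(now) + self.RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._resets.pop(key, None)                 # single use
        if entry is None or _now(now) > entry[1]:
            return False
        self.users[entry[0]] = hash_password(new_password)  # fresh salt as well
        return True


def same_password_different_hashes(password: str = "password") -> bool:
    """Two accounts with the same password get unrelated stored values, so a
    guess confirmed against one account says nothing about any other account."""
    return hash_password(password) != hash_password(password)


def reset_flow_demo() -> Dict[str, bool]:
    """Exercise the whole flow; every value should be True."""
    store = UserStore()
    store.register("alice", "love")
    token = store.request_reset("alice")
    return {
        "old_login": store.login("alice", "love"),
        "reset_ok": store.complete_reset(token, "correct horse battery staple"),
        "token_reuse_rejected": not store.complete_reset(token, "another"),
        "old_password_rejected": not store.login("alice", "love"),
        "new_login": store.login("alice", "correct horse battery staple"),
        "unknown_user_no_token": store.request_reset("mallory") is None,
        "expired_token_rejected": not store.complete_reset(
            store.request_reset("alice", now=0.0), "x", now=10_000.0),
    }


if __name__ == "__main__":
    print(same_password_different_hashes(), reset_flow_demo())
```

The salt is what makes each password "an independent problem": an attacker with the dump has to run the full PBKDF2 cost per guess per account, rather than computing a dictionary once and comparing it against every row. The iteration count is the knob that sets that cost.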
Re: (Score:2)
General rules are: Mixed case/numbers/symbols all make them hard to crack but not as much as making them longer.
Cracking simple encrypted passwords will not help you crack any more complex ones unless Valve have done something horribly wrong in terms of encrypting them.
Re: (Score:3)
Knowing one password does not materially help attacks on other passwords. However, depending on the algorithm used, it may be possible to brute force the password. For example, if the old Unix crypt(3c) algorithm is used, then most passwords can be brute forced in reasonable time now. Recent advances have led to use of the graphics card on your system to perform those attacks.
Longer hashes like MD-5 are significantly harder as they support a much longer search space, but few people use a password over tw
hah (Score:5, Funny)
Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.
Re:hah (Score:4, Funny)
Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.
You're just upset *backstab* because you have difficulty *MEDIC!!!! backstab* spy-checking as a *backstab, cloak* pyro. Perhaps if you stopped standing in one place *backstab, backstab, miss, backstab* and developed your pyro techniques, you would find spies to be *sapper, backstab, die from being on fire* easy prey.
This is Valve's fault (Score:2)
I'm a fan of Steam but I am mad as hell that they let this happen. It is not as if they weren't an obvious target given the number of game companies that have been hit before. This is Valve's fault. They screwed up big time and a limp apology from Gabe Newell doesn't make me feel any better.
Re: (Score:2)
To be fair, they could be the best company in the world and it would still take time for them to figure out what exactly happened and how they are going to remedy it. Give them some time. Accidents happen, mistakes happen, and there's really no way of knowing what the end result will be until they've had time to investigate further and decide on a solution. The fact that Steam got this information out so quickly is a good sign in my eyes.
Re:This is Valve's fault (Score:5, Insightful)
Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.
Accidental irony (Score:5, Funny)
Today's daily deal on Steam is: Day of Defeat.
Couldn't have made a better choice myself.
Whew! (Score:5, Funny)
Steaming pile (Score:3, Insightful)
Re:Steaming pile (Score:5, Insightful)
You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?
Re: (Score:3)
Re: (Score:3)
20 years from now there is a good chance that such an old game would be incompatible with whatever computer you're running it on.
I can run a full emulator on current hardware that I still need to slow down for older games. Twenty years from now, I'm betting it will be similar.
Re: (Score:3)
Do you spend your time today playing 20 year old games?
More time than I spend playing 2 year old or younger games, yes.
Currently replaying the original Final Fantasy using the "Duane and Brand0" party.
Hat? (Score:5, Funny)
Do I get a hat for having to go through this?
Oblig Half-Life 3 delay... (Score:5, Funny)
/oblig game delay post
Hmm, that's a lot of 3 games Valve could be working on....
My account was among those compromised. (Score:5, Interesting)
Got hit with this one!
On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone has been playing TeamFortress 2 on it, the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy ( [www.crazy_denis@mail.ru]) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian sometimes Ukrainian to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today Slashdot story breaks about Steam being compromised. I wasn't the only one I guess!
PasswordMaker - Storage-less and per-site unique hash based password scheme
Changing all my passwords now to a PasswordMaker [passwordmaker.org] scheme for unique passwords for every single site based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used and generate the same password every time that is unique and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, programming language since this app has been ported to practically everything.
I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.
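The derivation scheme described in this post can be written out in a few lines. The following is an added example, not the PasswordMaker project's code and not the commenter's: it implements the master secret + site + counter -> fixed-length password idea, but with PBKDF2-HMAC-SHA256 standing in for a single MD5 (my substitution, so that a captured site password is expensive to turn back into master-password guesses), and it also reproduces the `echo ... | md5sum` one-liner to show that `echo` appends a newline, which changes the hash. The alphabet, iteration count and the `counter` field for rotating one site's password are assumptions of mine. Note that whatever comes out is the password the site receives and must still hash on its side; a leaked master secret reproduces every site's password.

```python
import hashlib
import hmac
import string
from typing import Iterator

# Assumed character set: letters, digits and a few symbols most sites accept.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
ITERATIONS = 100_000  # assumed work factor for the PBKDF2 variant


def _byte_stream(key: bytes) -> Iterator[int]:
    """Unbounded deterministic byte stream: HMAC-SHA256(key, block_index)."""
    index = 0
    while True:
        block = hmac.new(key, index.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block
        index += 1


def derive_site_password(master: str, site: str, counter: int = 1,
                         length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Master secret + site + counter -> a fixed-length password over `alphabet`.

    The site name and counter are the salt, so the same master gives an
    unrelated password per site; bumping `counter` rotates one site's
    password without changing the master. Bytes are mapped to alphabet
    positions by rejection sampling so every symbol is equally likely.
    """
    salt = f"{site.lower()}|{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    limit = 256 - (256 % len(alphabet))     # largest multiple of len(alphabet) <= 256
    out = []
    for b in _byte_stream(key):
        if b < limit:                        # discard bytes that would bias the choice
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
    return "".join(out)


def md5_pipeline(master: str, site: str) -> str:
    """Reproduce `echo "<master> <site>" | md5sum`, trailing newline included."""
    return hashlib.md5(f"{master} {site}\n".encode("utf-8")).hexdigest()


def newline_matters(master: str = "MyPassword69!", site: str = "slashdot.org") -> bool:
    """`echo` vs `echo -n`/`printf` give different hashes; regenerating the
    password on another machine with a different shell would silently fail."""
    without_newline = hashlib.md5(f"{master} {site}".encode("utf-8")).hexdigest()
    return md5_pipeline(master, site) != without_newline


if __name__ == "__main__":
    print(derive_site_password("MyPassword69!", "slashdot.org"))
    print(derive_site_password("MyPassword69!", "slashdot.org", counter=2))
    print(md5_pipeline("MyPassword69!", "slashdot.org"), newline_matters())
```

The practical lesson behind `newline_matters()` is that a storage-less scheme is only as reproducible as every input to it, including the ones the shell adds for you.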
Here's the conversation for all of you.
Fraudulent transaction on my credit card (Score:5, Informative)
I've been wondering... (Score:3)
Re: (Score:2)
Cause the encryption key would also have to be on the server?
Re: (Score:2)
Re: (Score:2)
Because it's highly impractical if you want your audit logs to be in any way useful (also if you don't want your key rotation to take months). It's also pointless overhead when it comes to non-sensitive data. Get a name and city, and there's a good chance you can get phone number, full street address, and more from whitepages.com (and similar sites). Several years ago, people got this same info from things called phone books.
I'm disappointed to hear this happened, but assuming they're correct in their beli
Re: (Score:2)
You could learn about confirmation bias and statistics. Then you would realize that the vast majority won't do something like that.
Re: (Score:2)
I (no sarcasm) love Steam, and didn't expect a large-scale intrusion like this, but after the fun and games around the PSN intrusions, I removed my CC details from my Steam account.
It was so easy to buy games with a couple of clicks, and I do miss that, but I must admit a little smugness now over my decision...
I just hope Paypal is on top of their security, because by design they're more heavily linked into people's finance.
Re: (Score:3)
Yep. That's called a reference transaction. Someone needs to go do some homework [pcisecuritystandards.org] before continuing to accept credit cards.
Re: (Score:3)
PCI DSS does not prohibit storing the full payment account number (PAN) electronically, as long as it is encrypted. The note on PCI DSS 3.2.1 specifically talks about retaining the PAN in the normal course of business. PCI DSS 3.2.2 does prohibit storing the security code printed on the back, or the full magnetic track data. PCI DSS 3.4's requirement to render the PAN unreadable when stored makes it clear that storing that credit card number is permitted, if it is properly protected. The definition of p