E-payment Security Lacking in US Web Shops.


Status
Not open for further replies.

Gecko

Can't Leave
Dec 6, 2019
363
717
Sweden
Woke up this morning to find that someone had used my personal information and credit card information to start a PayPal account in my name, they also tried to withdraw money from the card.
Luckily my most excellent bank, Swedish Handelsbanken, had stopped the fraudulent transactions, locked the card and sent me a text message notifying me of the situation.
As the perpetrators had set up the PayPal account using my real phone number I could easily take control of it and change password, add two step verification, etc.

I'm not naming the vendor where my information got stolen as they are quite good in many aspects and this seems to be a problem more with American online payment security in general than with this specific vendor.

I've had this happen twice over 5 purchases with large, well-known and reputable US online tobacco shops. But never with European online vendors, where the information is protected by encryption and the "Verified by VISA" or "MasterCard SecureCode" system.

I was wondering why this seems to be a problem with US vendors only, and if you, my fellow tobacco enthusiasts, have any good tips or strategies to protect oneself and one's information when shopping for tobacco online from the USA.
 

jerseysam

Can't Leave
Mar 24, 2019
456
4,566
Liberty Township. OH
Gecko, did you have the trouble(s) with a large internet Tobacco retailer (like a SmokingPipes or Pipe and Cigars) or the on-line website of a Brick and Mortar shop? Don't have to name, but the type of retailer.

I have not heard or encountered a lot of issues with the larger retailers having large-scale security issues.....I would expect they are using similar transactional systems to vendors abroad. I have had my CC# stolen from shops, most recently LJ Peretti. In those cases, it's small shops using older/cheaper transaction systems that are vulnerable to intrusion. I've had that issue abroad (in Europe and Korea) with small shops as well.

irishearl

Lifer
Aug 2, 2016
2,164
3,820
Kansas
I've been getting purported PayPal e-mails claiming such has happened to me and "frozen" the PayPal account. Haven't heard from my bank and have been assuming it's just another scam. Had a bogus Amazon e-mail claiming that a $1200 laptop was being sent to some unknown person in another state. Called Amazon, who said it was a phishing scam. Haven't used PayPal in years.
I know... and to make matters worse, we have a large faction of people here in the US demanding we get rid of paper currency and going all digital, which doesn't make any sense at all to me. I don't have a single digital thing that has not come under attack or has not been hacked. So, why put faith in it at this moment in time?

Plus, once we go digital, paying the kid next door a few dollars to take my garbage to the road for me, or handing a fiver to the guy who helps me lift something into my truck, or the choice to give my kids an allowance is taken away. Plus, do we really want Big Brother looking in on every transaction that we make and taking their share as they see fit?
 

gerryp

Part of the Furniture Now
Oct 8, 2018
704
2,368
56
Arabi, LA
Btw...I don't know if you guys have had this issue, but the last time I checked PayPal gave me an error message every time I tried to reset my password. I think it's a fairly common issue.

swilford

Starting to Get Obsessed
May 30, 2010
208
734
Longs, SC
corporate.laudisi.com
(quoting Gecko's opening post above)

Gecko,

I'm writing in generalities about US and EU data security and PCI compliance, having done this sort of work in both a US and an EU environment. Obviously, I know no specifics of your situation so can't advise.

Step 1: Check your premises:

Compliance for credit card security is governed by PCI DSS, which is a global standard. Data security practices differ little on either side of the Atlantic.

I think you're thinking of 3D-S 2.0 and EU's requirement, under PSD2, that transition to 3D-S 2.0 be completed by the end of 2020. It remains to be seen whether that deadline will be met as implementation deadlines have been pushed back a couple of times because banks and merchant service providers have in many cases not been ready.

There are serious problems with 3D-S 2.0 in terms of usability (for the consumer) / transaction friction, so it's not irrational for different people to have different opinions on its implementation.

The US tends not to codify industry standards into law the way that the EU does, so there is no legally mandated analog in the US. It's sometimes hard for people accustomed to the EU regulatory environment to intuitively grasp that just because something isn't law doesn't make it a requirement. In the US, you can't process credit cards without adhering to PCI compliance. In the EU you can't process credit cards without PCI compliance and breaking EU regulation: it gets you the same place.

The big difference really comes down to how you want to nudge behavior, which the EU does in certain places with certain things and the US does in other places with other things.

And without getting into the weeds on this: I've done PCI compliance in both an EU and a US context. It's the same thing until 3D-S 2.0 gets fully implemented in the EU, and even then it's unclear that the differing standards will yield much difference in data theft outcomes (though 3D-S 2.0 will likely cut down on fraud rates since it will be pretty good at preventing the fraudulent use of payment information that has already been stolen).

Step 2: Consider other ways that your card information could have been compromised:

I'm not saying you're wrong about it being at a US retailer (that would, for me, be unknowable), but if you're jumping there because you've erroneously decided that US card security is lax, you might be overlooking another way by which your card information was compromised.

Keep in mind that an awful lot of data loss--bad people having access to your information--happens through physical retail or in places you may not expect it. Does a local baker keep your credit card details because she drops off bread? Did you stop at a slightly shady service station?

Again, I don't know your specific situation or how you use your card (or what retailers you suspect or anything else specifically pertinent), but jumping in with the premise that the US is somehow deficient when the protocols and standards are identical may be coloring your detective work in trying to figure out how this happened.

Sykes
 
Did you stop at a slightly shady service station?
My bank has told me to only ever use credit cards to buy gas, because if you use a debit card and you get compromised, you will lose access to all of your money while it is investigated, whereas you can probably live without access to your credit cards for a few days.

And, my bank deems all gas stations with access to the interstate as "shady" and suspect.
 

Gecko

Can't Leave
Dec 6, 2019
363
717
Sweden
(quoting jerseysam's reply above)

Large Internet retailers: this time with a large pipe tobacco retailer, last time it happened with a large cigar retailer.

In the EU, online credit card purchases now require two-step validation, often with an active link to your bank.

Perhaps it's that I'm purchasing with European credit cards in US web shops that is somehow putting part of the security measures out of play?
 

scloyd

Lifer
May 23, 2018
5,953
12,088
I get a scam email a few times a week from "PayPal", "Amazon" and "Netflix", always the same thing...I need to update my payment information or my account is frozen.

Also, I get a phone call a couple of times a week about extending my car warranty. I'll block that number and in a few days they call again with a different number...I block that number...they call again...I block that number...they call again. The numbers always look like they're local numbers too.

Aggravates the hell out of me.

BROBS

Lifer
Nov 13, 2019
11,765
40,030
IA
(quoting Gecko's reply above)
No. It was compromised in some other way IMO.
I've had my card stolen from EU transactions more than US transactions.

swilford

Starting to Get Obsessed
May 30, 2010
208
734
Longs, SC
corporate.laudisi.com
(quoting Gecko's reply above)

To answer your last question, there are features that don't cross borders well, like Address Verification Service, but that's fraud prevention that protects the third-party merchant against the use of stolen card details, not anything that protects your card information.

Tommy Boy

Part of the Furniture Now
Mar 28, 2020
810
1,235
Michigan
Relentlessly hunt down and SHOOT anyone found to be guilty of stealing credit card or personal information, without exception. It is a real pain to get stuff fixed and can never be truly undone. A card can be changed, but whatever part of your info they stole will always be available to someone. Put a real penalty to the crime. Right now they really don't bother with most of them, just chalk it up to doing business. No wonder criminals KEEP doing it.

BROBS

Lifer
Nov 13, 2019
11,765
40,030
IA
(quoting Tommy Boy's reply above)

Yeah, who enforces that?

mingc

Lifer
Jun 20, 2019
4,003
11,139
The Big Rock Candy Mountains
(quoting Sykes' reply above in full)
What's the PCI compliance rate in the US versus Europe these days? I realize there are levels of compliance and there are nuances, but the sense I get is that it's rather low, and that Asia has higher compliance rates than Europe and the US.

Gecko

Can't Leave
Dec 6, 2019
363
717
Sweden
(quoting Cosmic's reply above)

I feel you, Cosmic. Over here we are almost there; hard cash is very seldom used. And small everyday payments to friends etc. have been solved with an app allowing you to send small sums of money to people's telephone numbers. It's convenient, but it sure feels like you are working for the machine and not the other way around.
 
It's convenient, but sure feels like you are working for the machine and not the other way around.
I have never found anything about apps to be more convenient. They sold us the idea that computers would save more time, but I've never found that to be the case. Talking is quicker than texts or email, and just peeling a five off a roll in my pocket takes less time than even opening my phone. I think that if we ever do go cashless, it will be the nail in the coffin for freedom and the American way.

It also kills me that people that are afraid the government will put microchips in the vaccines are quite ok with cashless societies.
 

Gecko

Can't Leave
Dec 6, 2019
363
717
Sweden
(quoting Sykes' reply above in full)

Great answer, thank you!

The 3D-S 2.0 must be the new two step verification that's now commonplace with Swedish e-vendors. I like the added safety but there has been critique.

Perhaps it's not the payment process itself that is where the theft occurred but how the e-vendor then stores your information.