louponne - 5:39 am on Feb 21, 2010 (gmt 0)
Thanks to both of you for extremely interesting answers.
"PCI compliant" is a new term to me and after just a minimum of Googling I see its not only importance but indispensability. It governs all when it comes to cc transactions! Though I have read through info on what looks like the "official" site, I can't figure out how to prove that what these folks are doing is _not_ PCI compliant?
and could also be a breach of TOS if they are using an offline card-present terminal to run card-not-present transactions on a routine systematic basis.
Very good point also, but mustn't pretty much all merchants who take cc over the phone be doing this?
It is illegal in France... and AFAIK in the UK and Eire
A large percentage of the merchants I'm working with are in just those countries. Do you know where I could find legal resources to prove they're illegal?
As for it being a really dumb idea, I have already told them that, though perhaps in slightly more diplomatic terms ;) and in any case have categorically refused to do it. Total stupidity. As a hacker, all I need to do is break into the database and then start sniffing the (non-secure) emails that are going out. Problem is, some of them tell us, "our current system has been doing that for years, and it works fine" ... That's always an argument that's tough to beat even if their current system is crap!