In this paper, we investigate the value of Payment Card Industry Data Security Standard (PCI DSS) by examining popular implementations of hosted payment processing solutions. First, we will dive into CardConnect, a registered ISO of Wells Fargo Bank, and see how their client-side-dependent model allows for trivial manipulation. Then we look at CardConnect plugins for more widespread vulnerabilities. Lastly, we propose a sort of leaky bucket solution wherein the e-commerce platform must validate all of the assumptions previously made; albeit, tokenized credit card transactions are a technology that should be leveraged when resources allow. However, hiring a skilled software developer to implement a secure credit card processing system is out of reach for many small retail shops.

Published in: International Conference on Information Society (i-Society 2016)

• Date of Conference: 10-13 October 2016
• DOI: 10.2053/iSociety.2016.0012
• ISBN: 978-1-908320-62-9
• Conference Location: Dublin, Ireland