
RPGNow credit card information stolen

Festivus

First Post
Michael Morris said:
This is very bad news for RPGNow. If Visa/Mastercard gets wind of this they'll be revoking RPGNow's merchant id number until he coughs up a fine that will be in the thousands of dollars. They take this crap seriously these days; anyone who stores credit card numbers on their site in any form is liable for ALL FRAUDULENT CHARGES on the card if their database can be proved to have been compromised.

I thought I read somewhere in the PCI 1.1 compliance documentation that it's actually something along the lines of $50,000.00 for the first incident, and they revoke your merchant ID on the second one. There is a logo program for PCI compliance that you should be looking for... I just have never seen one, but it shows that the merchant complies with a strict data security practice that is externally audited by a third party. Compliance with PCI 1.1 is expensive, which is why I bet you will eventually see many smaller online retailers go out of business or turn to a third party company that specializes in credit card transactions (like PayPal) for all their payment needs.

You can read about PCI here.
 


Swack-Iron

First Post
Update on the Google front -- the one cached copy that was brought to my attention has been deleted. If there are any others any of you are aware of, please see my instructions in an earlier post in this thread for reporting it.
 

jaerdaph

#UkraineStrong
I just want to commend James and the RPGNow/RPGShop staff for how quickly and straightforwardly they dealt with this unfortunate incident.

I had pretty much switched over to PayPal for all online purchases last year as well, but I forgot I had an active credit card at RPGShop. I've cancelled that card and there were no fraudulent charges made on it. (I couldn't remember if I saved the CC info or not, so I decided to err on the side of caution).
 

molonel

First Post
Eric Anondson said:
You don't have to apparently. If your CC info was vulnerable to swiping by a hacker you should have gotten an email already telling you so. Not all who made purchases with a credit card there were vulnerable, only those who chose to store their credit card data at the online store...I'm one who was less than prudent and chose to. I got my email this morning telling me my data was among those swiped.

No, everyone should have gotten an email. We already know that there are people who did have their credit card information stolen who received no notice whatsoever. That is simply inexcusable and unprofessional.

And pardon me if I am not entirely confident of their ability to determine who was affected and who wasn't since they weren't able to protect our confidential data in the first place.

Just because our data was NOT posted on the internet does not mean that we were not affected. I have three credit cards, and now I'm going to have to dig back through my credit card bills for last September to see which one I used.

Thanks.
 

AdmundfortGeographer

Getting lost in fantasy maps
molonel said:
We already know that there are people who did have their credit card information stolen who received no notice whatsoever. That is simply inexcusable and unprofessional.

Unless it was caught in a spam filter, then that is simply unfortunate.
 

molonel

First Post
Eric Anondson said:
Unless it was caught in a spam filter, then that is simply unfortunate.

Ahem ...

Glyfair said:
Given that my CC# and info was on the google cache copy, I know my information was gathered. I never received an email from RPGNow, and I've kept an eye on my spam filtered email as well. So, there is a flaw in this somewhere.

... you may stop making excuses, now.
 

rpghost

First Post
Glyfair said:
Given that my CC# and info was on the google cache copy, I know my information was gathered. I never received an email from RPGNow, and I've kept an eye on my spam filtered email as well. So, there is a flaw in this somewhere.

Email me and I'll see if we sent one. A lot of times people forget to update their email address with us.

James
webmaster@rpgnow.com
 

rpghost

First Post
chriton227 said:
I would be very surprised if RPGNow will be able to continue to be able to accept major cards after this. The credit card industry implemented a data security standard known as PCI DSS in 2004; this mandates what security measures merchants need to use to secure credit card information. All stored credit card numbers are supposed to be encrypted so that if there is a breach of data, the data is not useful without cracking the encryption.

That's news to me as almost every shopping cart software that I've seen doesn't encrypt the card. I know for a fact the current version of osCommerce and all previous versions didn't and that's the most common out there. I would be very surprised if any of our competitors even encrypt the cards.

At least we only stored them when someone requested us to. That's the only data that was at risk. That being less than 1% of our customers. Of them the vast majority had invalid/expired cards on file. We've alerted those that were at risk... why alarm the other 60,000 customers for no reason? You want us to go out of business?

Also, to be clear, we only found out about this the same time you all did. The hacking was done last summer. We're just trying our best to clean up.

James
 

rpghost

First Post
philreed said:
Check around. A lot of publishers (including Ronin Arts) have their own PDF stores now. I know that my own Ronin Arts store never sees your credit card information.

There was a thread somewhere here that listed publishers with their own PDF stores. If I can find it I'll give you the link.

Wrong... if it uses Linux and osCommerce which it does, it has the same vulnerabilities as we did. You're fooling yourself if you think you can't be hacked in a minute too.

James
 

rpghost

First Post
Bacris said:
This sort of incident makes me glad that the Dreamscarred Press storefront has always used PayPal instead of a vendor account.

Again, very shortsighted comment... PayPal is worse than credit cards for customer security by far. They arbitrarily seize accounts. Hackers are phishing for accounts there all the time. When your account is stolen the chances of you getting your money back are very low. They are not a real bank and do not follow the same laws.

On the other hand, we've been stuck with lots of fraud at RPGShop from people making purchases. There is very little we can actually do to prevent a chargeback there. 99% of the time the customer wins a dispute and we're out merchandise and money even when they really did get the delivery.

So taking PayPal only isn't the cure-all. It's just another evil.

James
 
