I have a family member who sells stuff online. As part of his checkout experience he asks for CC info as well as SSN info on an HTTP website. I am trying to explain to him why this is bad, but he doesn't really care. What can I say to him factually that might help him make the investment in SSL (and not storing PII in a SQL db, for that matter)?
I would focus his attention on the possibility that his card processor will cut him off for violations of their agreement. This would result in large-scale loss of business and it may not be easy to arrange for a new processor on short notice. Keep his eyes on the money.

I would not bother with a technical explanation of any of this stuff. He doesn't care, and bluntly it's not particularly easy to point to major compromises in which the lack of SSL played a key role. Most of the time, data is siphoned out of "PCI-compliant" shops that do use SSL, and they get it through database compromises and/or compromised POS terminals. MITM doesn't seem to be worth the effort, if only because the other stuff is so easy and yields so much data.

Nor would I bother talking about PCI. Most of their requirements are silly and do little or nothing to prevent exposure of PII or fraud. What matters to him is the agreement with his processor, not some 4000-page document that wants to tell you how to take a piss.

Eyes on the money. No processor, no business, no money. Keep it simple. If that doesn't do it, you've done your part and should walk away. It's not your problem.
Unless he is a government, insurance, credit card, bank, or real estate organization, he should not be asking for an SSN online or storing it, unless it is for his employees, or the transactions being conducted require notification to the IRS, or the transaction is subject to the customer identification program rules. Either way, PII like this should be securely stored offline.

For credit card information, it all has to be transmitted and stored securely in accordance with the credit card merchant agreement he has agreed to.

The HTTP protocol is not secure. When your family member is hacked or audited, they may be liable for many civil and criminal charges.

Have them read all the information for PCI DSS compliance: https://www.pcisecuritystandards.org/merchants/

You have done your part by advising him about the risks, privacy concerns and how bad it really is. Either way, it is ultimately a risk he is accepting for himself and the business, and he will have to deal with the consequences when something bad occurs in the future.

If he needs proof of how bad the decisions he has made can be, point him to many of the recent credit card and government organization breaches.
I'd say an even bigger question is, why is he even doing it that way at all, and not using a service like Stripe, Braintree, Shopify or similar? They've invested in polished checkout experiences, it's what they do, and it moves the burden of PCI compliance, PII storage, SSL etc. to the service. When Stripe exists, why would you even go down the merchant account route anymore?

Scaring them with the bad stuff might not be effective; people don't react well to being told they're doing everything wrong. Perhaps showing them an easier solution that reduces their admin hassles and could potentially increase their sales is a better way to approach this.
Beside the point, but why in the world is he collecting SSNs? That in itself is more concerning to me than not having SSL. But that's just me. I have had my identity stolen and know first-hand how difficult, to almost impossible, it is to clean up.

With that said, I do know that many states have strict laws regarding the collection/use of SSNs via websites and/or for the sale of goods.

As for the credit card info, I believe most processors have in their terms that SSL is required for live transactions. I was also going to point to PCI compliance, but I am not sure how aggressive they are at going after the "little guy". Although with credit card theft in the US being a hot topic right now, I am sure anyone that is non-compliant will be a target for violations.

EDIT: To add a link; starting at page 12 it talks about various state laws regarding SSN collection: http://www.gao.gov/new.items/d051016t.pdf
The first thing I'd think of with a site asking for an SSN is an active intent to commit fraud: ID theft, or fraud. That's before SSL (which is obsolete anyway; only TLS should be considered now).

The second thing: the fact it's http and not https suggests he's collecting and storing this information, which is almost certainly a violation of his credit card agreement with his bank. Credit card information is not supposed to be stored. He passes that off through a secure connection to his processing service, who will only do that through a secure connection, and he gets a transaction ID and authorization, and that's all he references from that point on.

So this is less about SSL/TLS than it is that he's doing it all wrong. And it's depressing that he's in business, only made possible by the ignorance of his customers who actually agree to give him all of this information, and on an insecure connection no less.
If a storefront on the web asked me for an SSN, HTTPS or HTTP, I'd probably file a police report for the attempted identity theft. There's literally no other plausible reason to collect that information, unless he/she is a registered financial institution extending credit to people.
There is also the case for a potential increase in his conversion rates as a result of adding SSL.

Online shoppers I've observed in usability sessions often scour sites looking for evidence of security measures (e.g., green EV certs in the browser, various icons in the footer). This is especially true when you're asking for something like SSN info...

If appealing to the desire for security of user info doesn't work (unfortunately), appeal to his desire for more customers...
> I am trying to explain to him why this is bad, but he doesn't really care.

"You are losing sales. People look for the lock icon on the address bar."

Also, he can get SSL on his site for FREE in < 5 minutes using Cloudflare.
So I dived in a bit more while I wait for him to call me back. It's a Magento build using Authorize.net. I haven't worked with Magento in years, but it should be really simple, right? Set up some forwarding rules in Cloudflare to always go to HTTPS, and of course the cert.

At least it isn't some guy's backyard CMS.
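Before and after the HTTPS redirect goes in, it helps to have a repeatable check that the checkout forms themselves no longer hand card or SSN fields to a plaintext endpoint. The script below is an added example for this thread, not code from the original post, from Magento or from Authorize.net. It parses a checkout page's HTML, collects every form with its resolved action URL and input names, and flags forms that carry sensitive-looking fields either to a non-HTTPS action or from a page that was itself served over HTTP (in which case an on-path attacker can rewrite the action before the browser ever sees it). The sample HTML, the page URL `http://shop.example/checkout/onepage/` and the field-name regex are all constructed assumptions; the field names only loosely imitate Magento's `payment[cc_number]` style.

```python
"""Audit a checkout page for sensitive fields that are submitted over plaintext HTTP.

Added example for the discussion above; not code from the original post or from
Magento/Authorize.net. The sample page, URL and field-name heuristic are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic (assumption): field names that suggest card data or an SSN.
SENSITIVE_PATTERNS = re.compile(
    r"(card|cc[_-]?(num|cid)|cvv|cvc|csc|ssn|social|expir)", re.IGNORECASE
)

# Constructed sample: a checkout page served over plain HTTP with a relative
# payment form action, plus a harmless newsletter form that posts over HTTPS.
PAGE_URL = "http://shop.example/checkout/onepage/"
SAMPLE_HTML = """
<html><body>
<form id="co-payment-form" action="/checkout/onepage/savePayment/" method="post">
  <input type="text" name="payment[cc_number]">
  <input type="text" name="payment[cc_cid]">
  <input type="text" name="customer_ssn">
  <input type="submit" value="Continue">
</form>
<form action="https://shop.example/newsletter/subscribe/" method="post">
  <input type="email" name="email">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collects each <form> with its absolute action URL and the names of its fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL,
            # so an HTTP page with action="/x" posts over HTTP.
            self._current = {"action": urljoin(self.page_url, attrs.get("action") or ""),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name") or attrs.get("id") or ""
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return findings for forms that move sensitive fields over plaintext HTTP.

    Each finding is a dict with the resolved action, the offending field names and
    a reason. A form whose action is HTTPS but whose page was served over HTTP is
    still flagged: the page (and therefore the action) is tamperable in transit.
    """
    parser = FormCollector(page_url)
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        sensitive = [f for f in form["fields"] if SENSITIVE_PATTERNS.search(f)]
        if not sensitive:
            continue
        action_scheme = urlsplit(form["action"]).scheme
        if action_scheme != "https":
            findings.append({"action": form["action"], "fields": sensitive,
                             "reason": "sensitive fields posted over plaintext HTTP"})
        elif page_scheme != "https":
            findings.append({"action": form["action"], "fields": sensitive,
                             "reason": "HTTPS action, but page served over HTTP; "
                                       "the form can be rewritten in transit"})
    return findings


if __name__ == "__main__":
    for finding in audit_page(PAGE_URL, SAMPLE_HTML):
        print(f"{finding['action']}: {finding['reason']} -> {finding['fields']}")
```

Run it against the fetched HTML of the real checkout page (with the URL it was fetched from) before the redirect is configured, then again after; the payment form should disappear from the findings only once both the page and the form action are HTTPS. The field-name regex is deliberately broad and will produce false positives on fields such as a "cardholder name" input; tighten it to the store's actual field names once they are known.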
http://www.pcistandard.com/card-association-fines/ might be a starting point? (I don't know if it actually applies in this case though.)
Seriously? Do CC vendors allow any random home hacker to create collection forms for credit cards? If I were Visa I would at minimum have a checklist that must be fulfilled, otherwise the store gets its license withdrawn.