Comments on: LastPass.com asks to store CVV2 code for Automatic Form Filling http://www.paymentsystemsblog.com/2008/12/02/lastpasscom-asks-to-store-cvv2-code-for-automatic-form-filling/ David D. Bergert Sun, 11 Apr 2010 04:11:23 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Brian http://www.paymentsystemsblog.com/2008/12/02/lastpasscom-asks-to-store-cvv2-code-for-automatic-form-filling/comment-page-1/#comment-867 Brian Sat, 24 Jan 2009 21:09:13 +0000 http://www.paymentsystemsblog.com/2008/12/02/lastpasscom-asks-to-store-cvv2-code-for-automatic-form-filling/#comment-867 Actually, it doesn't appear that LastPass is themselves a merchant. If that's the case, there is no obligation to comply with PCI DSS. PCI DSS is not a law, it's a burden you accept when you sign a merchant agreement via a contract. No contract, no obligation. If LastPass wants to collect money via paypal, as I understand it, there's nothing that Visa or Mastercard can say about storing anything, including the full magnetic strip of a card! What's prudent is another story, but we're talking about *required*... Actually, it doesn’t appear that LastPass is themselves a merchant. If that’s the case, there is no obligation to comply with PCI DSS. PCI DSS is not a law, it’s a burden you accept when you sign a merchant agreement via a contract. No contract, no obligation.

If LastPass wants to collect money via paypal, as I understand it, there’s nothing that Visa or Mastercard can say about storing anything, including the full magnetic strip of a card! What’s prudent is another story, but we’re talking about *required*…

]]> By: Andy O http://www.paymentsystemsblog.com/2008/12/02/lastpasscom-asks-to-store-cvv2-code-for-automatic-form-filling/comment-page-1/#comment-731 Andy O Thu, 04 Dec 2008 12:57:51 +0000 http://www.paymentsystemsblog.com/2008/12/02/lastpasscom-asks-to-store-cvv2-code-for-automatic-form-filling/#comment-731 "Do not Store sensitive authentication data after authorization (even if encrypted)." “Do not Store sensitive authentication data after authorization (even if encrypted).”

]]> By: Joe Siegrist http://www.paymentsystemsblog.com/2008/12/02/lastpasscom-asks-to-store-cvv2-code-for-automatic-form-filling/comment-page-1/#comment-728 Joe Siegrist Tue, 02 Dec 2008 18:22:15 +0000 http://www.paymentsystemsblog.com/2008/12/02/lastpasscom-asks-to-store-cvv2-code-for-automatic-form-filling/#comment-728 We at LastPass are quite familiar with the PCI processing regulations coming from the ecommerce space, but as you mentioned LastPass is very different than a company processing credit cards. The biggest difference might not be obvious though: LastPass _NEVER_ has access to your private data! Your typical ecommerce company has dozens if not hundreds of people that could see your encrypted data -- they have a KEY to the data! That's why it's so dangerous and why PCI regulations restrict it. LastPass on the other hand is specifically setup so no one at LastPass can see your sensitive data -- it's locally encrypted and we don't have the key. Because of this I'd say that LastPass doesn't violate the "spirit" of this regulation either. Joe We at LastPass are quite familiar with the PCI processing regulations coming from the ecommerce space, but as you mentioned LastPass is very different than a company processing credit cards.

The biggest difference might not be obvious though: LastPass _NEVER_ has access to your private data! Your typical ecommerce company has dozens if not hundreds of people that could see your encrypted data — they have a KEY to the data! That’s why it’s so dangerous and why PCI regulations restrict it. LastPass on the other hand is specifically setup so no one at LastPass can see your sensitive data — it’s locally encrypted and we don’t have the key.

Because of this I’d say that LastPass doesn’t violate the “spirit” of this regulation either.

Joe

]]>