Comments on: LastPass.com asks to store CVV2 code for Automatic Form Filling

By: Merchant Services Online

Merchant Services Online — Sun, 06 Feb 2011 00:46:28 +0000

So, from what I understand if a merchant is using LastPass to store the passwords from their computer the would pass a PCI Audit right? Since they still have to log into the encrypted online service before it will auto fill the data. I personally love the tool even better now that they have acquired Xmarks so not only do you have all of your Passwords in a Password vault you also have a backup incase you loose the computer or it is destroyed in a fire or such.. The same goes for all your business related bookmarks such as important sites for day to day tasks. I have seen the credit card feature in the software I have not yet trusted to enter that data in just yet. My only other concerns would be if a cookie was collected in a coffee shop and then replayed by a hacker would they get into LastPass that has been my only fear about these types of solutions however I have been told that they have some type of encryption to protect against that too, where as other have not figured out how to protect the cookie passed through IP.

By: Brian

Brian — Sat, 24 Jan 2009 21:09:13 +0000

Actually, it doesn’t appear that LastPass is themselves a merchant. If that’s the case, there is no obligation to comply with PCI DSS. PCI DSS is not a law, it’s a burden you accept when you sign a merchant agreement via a contract. No contract, no obligation.

If LastPass wants to collect money via paypal, as I understand it, there’s nothing that Visa or Mastercard can say about storing anything, including the full magnetic strip of a card! What’s prudent is another story, but we’re talking about *required*…

By: Andy O

Andy O — Thu, 04 Dec 2008 12:57:51 +0000

“Do not Store sensitive authentication data after authorization (even if encrypted).”

By: Joe Siegrist

Joe Siegrist — Tue, 02 Dec 2008 18:22:15 +0000

We at LastPass are quite familiar with the PCI processing regulations coming from the ecommerce space, but as you mentioned LastPass is very different than a company processing credit cards.

The biggest difference might not be obvious though: LastPass _NEVER_ has access to your private data! Your typical ecommerce company has dozens if not hundreds of people that could see your encrypted data — they have a KEY to the data! That’s why it’s so dangerous and why PCI regulations restrict it. LastPass on the other hand is specifically setup so no one at LastPass can see your sensitive data — it’s locally encrypted and we don’t have the key.

Because of this I’d say that LastPass doesn’t violate the “spirit” of this regulation either.

Joe