Pretty much this.

I ran into a local store taking credit cards a while back, no TLS, weird, so I go to the store owner in person. I explain the problem and he insists that can't be the case, he's mad at me. "See! It's got a lock on the website!"... on the homepage. I direct him to the store and now it says Not Secure.

That did more to explain the situation than my attempt at TLS and HTTPS and certs. He was able to call his web guy and say "It says not secure, Jerry! Fix it."

It was such a simple addition to (at least in Firefox) use the words Not Secure that it's crazy no one thought of it before.




If that doesn't work, there's also the argument that "credit card providers require it, and could stop you from taking credit cards until you fix it".


You're right, but didn't have to. This guy, when he could get past being mad at me, knew that was against the rules. Also, even if it was allowed, no one wants to shop at a place that says Not Secure.

Side topic, but I've been trying to explain to our terrible CFO for years that PCI / PCI DSS is a real thing. He thinks that's the type of regulation that only giant companies have to deal with.


Feel free to report your org to your merchant processor if necessary if you're not meeting compliance requirements and think you can get away with it without compromising yourself.


Even if it says "secure", that doesn't mean it really is. I worked at a place in the 90's that hosted some sites taking credit cards through HTTPS. You know what they did? They sent emails, in clear text, to people at the store that would enter / process the cards manually.


Even scarier than PCI compliance mumbo jumbo is customers not giving you any money.


This is what gave us the pay.reddit.com loophole back when Reddit HTTPS was for people with gold only.


Did you check the URL the form submits to for HTTPS? It was a somewhat common pattern once upon a time to load the form over HTTP but submit it over HTTPS. Not great, but better than nothing (nobody should do this nowadays, btw).
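
The check the comment above describes, as an added example that is not part of the thread: fetch the checkout page's HTML, resolve every form's `action` against the page URL, and classify each submit target. An `https` action on an `http` page is the "weak" legacy pattern (an attacker who can tamper with the unencrypted page can rewrite the action, so the HTTPS submit buys little); an `http` target is plainly insecure. The page URL, hostnames and HTML below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a checkout page served over plain HTTP. One form posts
# to an HTTPS payment host, one uses a relative action, one uses a
# protocol-relative action (which inherits the page's insecure scheme).
SAMPLE_PAGE_URL = "http://store.example.com/checkout"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://pay.example.com/charge">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="//cdn.example.com/track"><input name="ev"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect the raw action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # attrs is a list of (name, value); value is None for bare attributes.
            action = dict(attrs).get("action") or ""
            self.actions.append(action)


def classify_forms(page_url, html):
    """Return [(resolved_submit_url, verdict)] for each form on the page.

    verdict is one of:
      "ok"       - HTTPS page submitting to HTTPS
      "weak"     - HTTP page submitting to HTTPS (page can be tampered with)
      "insecure" - submission itself travels over plain HTTP
    """
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for action in collector.actions:
        # An empty action submits back to the page URL; relative and
        # protocol-relative actions resolve against the page as well.
        target = urljoin(page_url, action)
        target_scheme = urlsplit(target).scheme.lower()
        if target_scheme == "https" and page_scheme == "https":
            verdict = "ok"
        elif target_scheme == "https":
            verdict = "weak"
        else:
            verdict = "insecure"
        results.append((target, verdict))
    return results


def insecure_forms(page_url, html):
    """Only the forms whose submission does not travel over HTTPS."""
    return [t for t, v in classify_forms(page_url, html) if v == "insecure"]


if __name__ == "__main__":
    for target, verdict in classify_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:8s} {target}")
```

Running it against the constructed page flags the payment form as "weak" and the other two as "insecure": the protocol-relative action is the easy one to miss, since it looks harmless in the markup but resolves to `http://` when the page itself is served over HTTP. The same page served over HTTPS yields "ok" for all three.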


I did it. And it wasn't.

Doesn't matter though, the reality for him was that customers saw a Not Secure and that was a problem. All the crypto, certs, forms, probability of issue, technical things didn't matter, just the perception.



