
He guesses VMware stores credit cards based on them using the last 4 digits to help identify orders. Actually, it is probably Digital River, not VMware. VMware uses Digital River to actually process orders. (That's why the site he went to for order lookup was findmyorder.com, not vmware.com. Findmyorder.com is a Digital River site.)

You can't really infer credit card storage from them keeping the last 4. Merchants need to keep the first 6 and last 4 in order to process chargebacks and refunds. When a customer charges back, all the bank tells the merchant is first 6, last 4, and amount of chargeback (oh, and the date of the chargeback). Furthermore, the amount does not always match an amount the merchant charged. So, the merchant needs to be able to look up orders by first 6/last 4, approximate amount, and date-that-it-must-have-been-before.

PCI allows first 6 and last 4 to be stored unencrypted and kept as part of general customer information. The strict security requirements (encryption, kept off of networks not involved with actually using the card, and so on) only apply to the rest of the digits.
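The lookup described in the comment above (first 6/last 4, approximate amount, date before the chargeback), sketched as an added example that is not part of the thread or any vendor's code. The `Order` record, the 25% amount tolerance, the ranking, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Order:
    order_id: str
    first6: str      # first 6 digits, kept with general customer data
    last4: str       # last 4 digits, kept with general customer data
    amount: Decimal
    charged_on: date

def truncate_pan(pan):
    """Reduce a full card number to (first6, last4); the middle is never kept."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    return digits[:6], digits[-4:]

def match_chargeback(orders, first6, last4, amount, cb_date,
                     tolerance=Decimal("0.25")):
    """Orders on the same truncated card, charged on or before the chargeback
    date, whose amount is within `tolerance` (a fraction, assumed here) of the
    disputed amount. Closest amount first, then most recent charge."""
    hits = [o for o in orders
            if (o.first6, o.last4) == (first6, last4)
            and o.charged_on <= cb_date
            and abs(o.amount - amount) <= tolerance * amount]
    return sorted(hits, key=lambda o: (abs(o.amount - amount),
                                       cb_date - o.charged_on))

# Constructed sample data; 4111 1111 1111 1111 is a standard test card number.
CARD = truncate_pan("4111 1111 1111 1111")
ORDERS = [
    Order("A-1001", *CARD, Decimal("99.00"), date(2011, 3, 1)),
    Order("A-1002", *CARD, Decimal("249.00"), date(2011, 3, 20)),   # amount too far off
    Order("A-1003", *CARD, Decimal("101.50"), date(2011, 5, 2)),    # after the chargeback
    Order("A-1004", "555555", "4444", Decimal("99.00"), date(2011, 3, 1)),  # other card
    Order("A-1005", *CARD, Decimal("110.00"), date(2011, 2, 10)),
]

if __name__ == "__main__":
    # Bank notice: first 6, last 4, disputed amount, chargeback date.
    for o in match_chargeback(ORDERS, *CARD, Decimal("104.95"), date(2011, 4, 15)):
        print(o.order_id, o.amount, o.charged_on)
```

The match can return more than one candidate because the truncated number and an approximate amount do not uniquely identify an order, so the result is a ranked shortlist for manual review.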




I know the first 6/last 4 rule, but Digital River requested the last five. I actually thought that was pretty explicitly in violation of PCI. Am I wrong, or maybe misunderstanding the rules?


You can comply with PCI DSS by storing NO MORE THAN the first 6 and last 4 digits.

You can also bypass the requirements by storing a (somewhat non-reversible) hash of the entire card (or last x digits, in this case 5)... As long as the hashing and the storing is done on two separate systems.

http://superconductor.voltage.com/2009/05/hashing-and-the-pc...


Yes, it definitely sounds like a typical Digital River experience. They're really a mess. Microsoft uses them to fulfill online Microsoft Office orders, and it takes so many steps you want to scream.

If there are no other reasons, this is why I want a solid App Store on Windows that has every app I'd want to buy. Seriously; it's just too much trouble to give companies money sometimes!


The solution isn't necessarily an App Store on Windows, it's to build better purchasing experiences. Your reasoning is sort of like: "I have serious issues with all GM cars due to shoddy quality, therefore all cars must be manufactured by Toyota because I like them."


I think his reasoning is more like "I see a fundamental design flaw in all other cars which Toyota has recognized and addressed in a way that I like, and wish other manufacturers would adopt that solution or one similar to it."

You don't have to agree, but don't poo-poo his desire for a unified, simple application purchasing experience in his OS of choice. That's a customer talking about what they want out of a product.


My point was more along the lines of "unified purchasing experience" != "good purchasing experience." You could have all apps unify on a horrible purchasing experience, no?


Big, huge upvote to your Digital River comments. Dealing with their shopping cart sites is maddening at best. They're ripe to get picked off by a capable startup.


Or Apple.



