undefined | Better HN

0 pointsyjftsjthsd-h4y ago0 comments

> That's a weird generalization. Yes there are terrible, insecure e-commerce sites in India, the same as there are in the USA and everywhere else on the planet.

I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.

> These $100B in annual sales aren't processed by script kiddies, it's a very large and mature industry.

Those are less connected than you think; loads of companies run obscenely large monetary transactions and essential business processes with horrifying hacked-up systems (50k LoC files, 20-year-old Perl scripts that nobody understands, Solaris 2.x desktop in the maintenance closet...); utility and good code are less correlated than we wish.

0 comments

5 comments · 3 top-level

dewey4y ago· 2 in thread

"such that US companies have to care about PCI more than Indian companies."

If you think about the social security number system, paper checks or credit cards with magnet strips I think you'll notice that other countries sometimes have stricter and more advanced security regulations.

yjftsjthsd-hOP4y ago

Yes, of course. I would expect the US to be ahead of some countries in some places, and behind some countries in some places. My point is that it's perfectly plausible that in this very particular area India could be worse than the US just as, say, the EU is generally ahead of the US. And, in different areas India could be way better than the US; this isn't "good countries" and "bad countries", it's "different countries place differently on whatever metric you pick".

dewey4y ago

I miss-understood your initial comment then, apologies! You have a good point.

ratww4y ago

> I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.

Or maybe even different companies forcing users to accept credit cards in different ways.

A handful providers I had to integrate with in my career (in LatAm and Germany) had this rule where you couldn't have the numbers going trough your system unless you got PCI certification. You had to use an iFrame, or redirecting to their website where the form was served.

Sometimes the APIs were there, in public, but even if you used a valid credit card number it would deny verification unless your merchant account was pre-authorised.

rob744y ago

Yeah, seems plausible - after all, as I recently learned from another HN post, it is customary for trucks not to have side mirrors in India, whereas this is much rarer in the US and virtually unheard of in (western) Europe...

j / k navigate · click thread line to collapse