
You don't HAVE to. In a no fault case you can just take the insurance payout and live with the damage.

Peak HN - captures it perfectly.


There were, but it turns out that the moral fortitude required to defend them was just a figment of the national imagination.


The mid-term elections will put said moral fortitude to a final test.

US exceptionalism and supposed moral superiority are now laid bare for everyone and all of history to see.


Not sure what to see in the mid-terms. The American people chose Trump, knowing he's corrupt. They will do so again and again.

The only thing that may lead to their hesitation is that Trump and his allies are so incompetent that they can't even pretend the economy is OK, and I think we are not there yet.


I would add the nuance that the possibility of controlled migration from one versioned API to another should be right from day one, not necessarily the first API version.


I believe that means you are more or less setting yourself up as a payment facilitator, meaning you and your other merchants will be kicked off Stripe at any time if too many of your merchants misbehave. Is your compliance team ready for that?


No Preventative Measures (NPM)


You can host your own NPM reg, and examine every package, but your manager probably is NOT going to go for that.
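One concrete check that goes with running your own registry, as an added example rather than anything the commenter posted: a small audit over `package-lock.json` that fails if any dependency resolves anywhere other than the internal mirror, uses a non-HTTPS source, or lacks a `sha512` integrity hash. The registry host `npm.internal.example`, the package names and the lockfile contents below are all constructed for the demonstration.

```python
"""Audit a package-lock.json for dependencies that bypass the internal npm registry.

Added example, not code from the thread. The registry host, the lockfile and
the package names are constructed for illustration.
"""
import json
from urllib.parse import urlparse

# Assumption: the internal mirror that vets packages is served from this host.
ALLOWED_REGISTRY_HOSTS = {"npm.internal.example"}

# Constructed lockfile (lockfileVersion 3 layout) with one clean entry and
# three that a reviewer would want flagged.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA...",
        },
        "node_modules/sneaky-dep": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/sneaky-dep/-/sneaky-dep-0.0.1.tgz",
            "integrity": "sha512-BBBB...",
        },
        "node_modules/no-hash": {
            "version": "2.0.0",
            "resolved": "https://npm.internal.example/no-hash/-/no-hash-2.0.0.tgz",
        },
        "node_modules/git-dep": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@github.com/example/git-dep.git#abcdef",
        },
    },
})


def audit_lockfile(lock_text, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return a list of (package_path, reason) findings; an empty list means clean."""
    lock = json.loads(lock_text)
    findings = []
    # lockfileVersion 2/3 keep entries under "packages"; v1 keeps them under
    # "dependencies" keyed by bare package name.
    packages = lock.get("packages")
    if packages is None:
        packages = {"node_modules/" + name: entry
                    for name, entry in lock.get("dependencies", {}).items()}
    for path, entry in packages.items():
        if path == "":
            continue  # the root project itself, nothing is fetched for it
        if entry.get("link"):
            continue  # workspace symlink, nothing is fetched for it either
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((path, "no resolved URL"))
            continue
        parsed = urlparse(resolved)
        if parsed.scheme != "https":
            findings.append((path, f"non-https source: {parsed.scheme}"))
        elif parsed.hostname not in allowed_hosts:
            findings.append((path, f"resolved outside internal registry: {parsed.hostname}"))
        # npm records subresource-integrity style hashes; insist on sha512.
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append((path, "missing or weak integrity hash"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{path}: {reason}")
```

Run it in CI against the committed lockfile (with the real internal hostname substituted) and fail the build on any finding; that is what keeps the "examine every package" promise of a self-hosted registry from being quietly undone by a developer who installs straight from the public registry.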


Sounds like something a union should enforce as part of a drive to protect programmer professionalism.


The computer science equivalent of choosing between the red, green and blue wires when disarming a nuke with 15 seconds left on the clock


Is it though? Or is it an "oh, this is such a simple change that we really don't need to test it" attitude? I'm not saying this applies to TFA, but some people are so confident that no pressure is felt.

However, you forgot that the lighting conditions are such that only red lights from the klaxons are showing, so you really can't differentiate the colors of the wires.


This should be treated with absolute top priority by the police, with the same level of forensic attention as a terrorist attack. If everybody associated with the crime, including those providing, accepting, storing, transporting and dumping the waste, were found and prosecuted to the absolute extent of the law, it would be a very good precedent and deterrent against future repetitions.


Slapping a police state on top of shortsighted policy failings doesn't make them not policy failings. Heck, it might even cost society more than scooping up the illegally dumped trash.

This isn't a problem that jurisdictions with competently run waste logistics have. When you hear about illegal dumping in the NYC area it's not literal mountains of trash like this. It's tires or hazmat or something that's genuinely expensive to get rid of for good reason.

Take a step back and think about the economics of bulk material hauling, whether it's dirt or trash: the fact that the risk-reward calculation here pencils out should throw a massive "something deeper is wrong" red flag.

I propose we kick all of the people who talk like you out, and then find a solution in peace, without all the screeching and "something must be done"-isms. I bet we not only solve this in short order, but a whole other bunch of issues too.


It's not just business data though - usually it will include ultimate beneficial owner and directors' passports, tax ID, etc. So there is a risk of identity theft there of potentially some very wealthy individuals.


"The system was used for internal operational documents and merchant onboarding materials at that time"

To me it seems most likely that this is data collected during the KYC process during onboarding, meaning company documents, director passport or ID card scans, those kind of things. So the risk here for at least a few more years until all identity documents have expired is identity theft possibilities (e.g. fraudsters registering their company with another PSP using the stolen documents and then processing fraudulent payments until they get shut down, or signing up for bank accounts using their info and tax id).


>So the risk here for at least a few more years until all identity documents have expired is identity theft possibilities

Essentially nobody checks the validity of document numbers, there’s rarely any automated mechanism to do this. You could just photoshop the expiry dates on the documents and use them for years and years, even if document designs changed you could just transplant the info from the old document into a new template.

So no, documents expiring does mostly nothing to alleviate identity theft risks in most of the world.

And anyway, targeted phishing attacks are of much much higher severity than identity theft. From this data you can probably gather everything you’d need to perform rather high quality phishing attacks against the bank accounts of checkout.com clients, easily causing tens or hundreds of millions of losses that would never be recovered.


Passport or ID card scans would never be stored alongside general KYB information, e.g. the standard forms PSPs use.

If you read between the lines of the verbiage here, it looks like a general archived dropbox of stuff like PDF documents which the onboarding team used.

Since GDPR etc., items like passports, driving license data etc. have been kept in far more secure areas that low-level staff (e.g. people doing merchant onboarding) won't have easy access to.

I could be wrong but I would be fairly surprised if JPGs of passports were kept alongside docx files of merchant onboarding questionnaires.


> Passport or ID card scans would never be be stored alongside general KYB information

How do you qualify this statement? Did you mean “should never”? Even then, you’re likely overstating things. Nothing prevents co-locating KYC/KYB information. On the contrary, most businesses conducting KYB are required to conduct UBO and they’re trained to combine them both. Register as a director/officer with any FSI in North America and you’ll see.


Fair point! Yeah, it could be. Although Europe tends to be stricter about those things, i.e. where PII is stored. I was trained way back in like 2018 about ensuring I never have any PII stored on my PC and around the requirements of the GDPR in terms of access to information and right to delete etc.


Yeah, even in Europe this is an excessively optimistic take.

Couple of years ago I accidentally stumbled upon an open folder a fairly big Scandinavian bank was using to store tens of thousands of passport/id scans


> docx files of merchant onboarding questionnaires

Why would merchants fill out docx files? They would submit an online form with their business, director and UBO details, that data would be stored in the Checkout.com merchants database, and any supporting documents like passport scans would be stored in a cloud storage system, just like the one that got hacked.

If it was just some internal PDFs used by the onboarding team, probably they wouldn't make such a big announcement.


Another person wrote a good response to this but yeah, I would say, as someone that has worked in fintech, you will almost always have some integrations with systems which require Microsoft word format, as well as obviously PDFs, CSVs, etc.

Every country you operate in has different rules and regulations and you have to integrate with many third party systems as well as governmental entities etc, and sometimes you have to do really really technically backwards things.

Some integrations I remember were stuff like cron jobs sending CSV files via FTP which were automatically picked up.


If you are dealing with financial services (and a payment provider most certainly would be), you will be forced to interface with infuriating vendor vetting and onboarding questionnaire processes. The kinds that would make Franz Kafka blush, and the CIA take notice for their enhanced interrogation techniques.

The sheer amount of effectively useless bingo sheets with highly detailed business (and process) information boggles the mind.

Some time ago I alluded to existence and proliferation of these questionnaires in another context: https://bostik.iki.fi/aivoituksia/random/crowdstrike-outage-...

