gamesas.com Credit Card Security Announcement

Post » Mon Aug 25, 2008 3:16 am

Why don't they offer the DELETE option for the credit card info?
Because when you enter the multiplayer mode, the purchase info along with the credit card is verified. If there is no more credit card info, the DLC will not be available in game. I just posted this above:
"Aaaa... secure site you say? Then, why was my credit card data missing 2 days after I added it and purchased the DLC?
Yesterday when I tried to play online, an error message appeared saying "Failure to load DLC proof of purchase" or something similar. So there were no LE unlocks (these are free) and no DLC maps. I entered gamesas.com/store and in the Purchase History there was the LE code and the DLC. In the Payment method - "no credit card associated with this account". WTF... Where did my credit card data go?
After I added it again, I was able to play the DLC, and the LE bonuses appeared."

It's crap, I know. I want to remove the credit card info too, but presently, we can't. They must modify the method for verifying the DLC, first. Why they are verifying it: because anyone who bought the DLC can pass it to others for free. It's just a zip file.

nath
Posts: 3463
Joined: Mon Jan 22, 2007 5:34 am

Post » Sun Aug 24, 2008 8:59 pm

well obviously if you have purchased the dlc then it will show up in your purchase history same as limited edition. there is no **** need to save the credit card information if it's already purchased.
Mimi BC
Posts: 3282
Joined: Sat Oct 07, 2006 10:30 pm

Post » Sun Aug 24, 2008 12:11 pm

don't you have a steam account? steam has the option for you to remove your credit card info after you purchase a game. do you have an apple account? you also have the option to delete your credit card info after you purchase a song or an app.
LADONA
Posts: 3290
Joined: Wed Aug 15, 2007 3:52 am

Post » Sun Aug 24, 2008 7:06 pm

crytek should give us the option to remove our credit card info.
Nuno Castro
Posts: 3414
Joined: Sat Oct 13, 2007 1:40 am

Post » Sun Aug 24, 2008 6:18 pm

For L1belle,

Yeah, you are right; this "frame" design is causing too much trouble. I didn't unlock the LE code for 2 months because of this; it was giving an error saying I must sign in, when I was signed in. This besides the security issues. A fully secured window/link would be more appropriate than a frame, like the one that opens when you select with right click "This frame > Show only this frame". (This solved my problem with the login, by the way).
In the first post I was in a hurry and I just saw the part with "this is not a https site". I didn't want to offend you. Sorry...
Let's face each other on the battlefield. Beware of HEADSHOTS ;)
ImmaTakeYour
Posts: 3383
Joined: Mon Sep 03, 2007 12:45 pm

Post » Mon Aug 25, 2008 4:01 am

Hi everyone,

We are aware of player concerns over payment security on gamesas.com.

Rest assured that all financial transactions and sensitive data on gamesas.com use an approved, PCI-compliant, fully-secure payment technology including HTTPS/SSL inside the store frame, regardless of the parent URL displayed in the browser.

Please also note that, per PCI standards and industry best practices, our payment partner GameSpy never stores your credit card details, but instead securely registers them with one of the largest and most secure credit card gateways and card issuers in the world, so there is no opportunity for ‘hacking’ this data from either Crytek or GameSpy.

Thank you,
EA/Crytek

I have to disagree!
PCI DSS 2.0 Requirement 4.1.e Testing Procedures says clearly:
"For SSL/TLS implementation: *Verify that HTTPS appears as a part of the browser Universal Locator (URL)."

That means any Website that has no HTTPS in the URL cannot be PCI DSS 2.0 compliant!

The idea behind that requirement is: that the cardholder can verify by himself which website his data is sent to. If you use frame technology a customer does not see where the data is going and whether this is done in a secure way or not. This opens a weakness in the security chain. It is very simple to attack a HTTP site rather than a HTTPS site!

Just for the understanding: I worked now for more than 3 years as a certified PCI DSS auditor.

Best regards

L1belle

This. We learned this in AP Computer Science back when I was in high school. Does CryTek really think we'll fall for this?

Is CryTek really this dumb?

Even PayPal is more secure than this current piece of security crap.
Alexandra Louise Taylor
Posts: 3449
Joined: Mon Aug 07, 2006 1:48 pm
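
The framing concern raised in the quoted auditor's reply above (an HTTPS payment frame inside a parent page whose URL is not HTTPS) can be turned into a page audit. This is an added example, not code from any poster or from the site; the host names, finding codes and function names are hypothetical, and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _Collector(HTMLParser):
    """Collects frame sources and form actions from a page."""
    def __init__(self):
        super().__init__()
        self.frames, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "form":
            self.forms.append(a.get("action") or "")

def audit_checkout_page(parent_url, html):
    """Return (code, detail) findings for a store page served at parent_url."""
    c = _Collector()
    c.feed(html)
    parent_secure = urlparse(parent_url).scheme == "https"
    findings = []
    if not parent_secure:
        findings.append(("PARENT_NOT_HTTPS", parent_url))
    for src in c.frames:
        target = urljoin(parent_url, src)
        if urlparse(target).scheme != "https":
            findings.append(("FRAME_NOT_HTTPS", target))
        elif not parent_secure:
            # The address bar shows only the parent, so the cardholder cannot
            # see the frame's HTTPS origin, and the unprotected parent decides
            # which frame gets loaded.
            findings.append(("SECURE_FRAME_IN_INSECURE_PARENT", target))
    for action in c.forms:
        target = urljoin(parent_url, action)  # empty action posts to the page itself
        if urlparse(target).scheme != "https":
            findings.append(("FORM_POSTS_OVER_HTTP", target))
    return findings

# Constructed sample pages (hypothetical hosts, not taken from the thread).
FRAMED = '<html><body><iframe src="https://pay.example.test/store"></iframe></body></html>'
FULL_HTTPS = '<html><body><form action="/pay" method="post"></form></body></html>'

if __name__ == "__main__":
    for url, page in (("http://shop.example.test/store", FRAMED),
                      ("https://shop.example.test/store", FULL_HTTPS)):
        print(url, audit_checkout_page(url, page))
```
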

Post » Mon Aug 25, 2008 12:49 am

guys seriously just don't even buy this **** dlc. it svcks
Jason White
Posts: 3531
Joined: Fri Jul 27, 2007 12:54 pm

Post » Mon Aug 25, 2008 2:56 am

Just so you know, this policy of holding credit card information illegally can end up in a lawsuit. Especially when you don't even warn the customer before making a purchase.
I contacted support twice and I haven't received a single response.
Markie Mark
Posts: 3420
Joined: Tue Dec 04, 2007 7:24 am

Post » Mon Aug 25, 2008 3:34 am

Hey guys,

Firstly on the topic of removing credit card information - this functionality will be offered very soon so please keep an eye out for that.

In terms of security, we're using PCI DSS 1.1 so the HTTPS is not a requirement, however we will be adding this to the site regardless. Additionally if a user wished to launch an attack on an HTTP site (in this case gamesas) it would yield zero credit card information as the data isn't stored or even passed through here.
marina
Posts: 3401
Joined: Tue Mar 13, 2007 10:02 pm

Post » Mon Aug 25, 2008 4:18 am

It's not a particularly hard fix. I mean, just change the entire page to HTTPS or make it blatantly obvious that it is secure. Not very many people will be dumb enough to not check for HTTPS. What about PayPal.

Work with us here gamesas, we're trying to make your job easier and stop you from getting sued when your site is hacked.
Javier Borjas
Posts: 3392
Joined: Tue Nov 13, 2007 6:34 pm
