It makes sense that hashing allows the transit provider to link the CPAN to the taps.
Having checked, the CPAN is not inputted via an iframe on the transit provider’s site - it’s sent via HTTPS, but directly to the site’s web host. Is that necessarily non-PCI-compliant (or only non-compliant if they store it - which they might not)? Are there PCI bounties..?
My bigger problem with all of this is that someone who comes in temporary contact with a credit card can get that person’s transit history. Is that not a security risk?