Travis:
Just to clarify your comments, StorageBattles.com took all security measures and precautions in transferring over our clients' information recommended by our CIO and an external security consultant. No credit card information is being transferred over, and actually, through our security procedures, it is not even saved in our system. All that was transferred over was contact information. You can use the site without entering a credit card. However, if you do wish to bid, then you will be required to enter your credit card information and change your password. As we continue to be the leader in the online storage auction business segment, our StorageTreasures.com web site will continue to offer many more benefits than our StorageBattles.com web site, including the most comprehensive list of live auctions in the US, over 6,000 online auctions per month, and now the ability to trade, sell and buy items online through our new TreasureChest FREE online store.
Thank you for your and your contributors' concerns and comments. Keep them coming, as they help make us better.
Jim Grant
CEO StorageTreasures/StorageBattles
Jim,
First off, you're not making smart decisions, but yet you have success. I can think of a few people that fall into this category. Sometimes clueless people just get dealt the right cards. I'm not saying Travis is right; Lord knows he and I disagree on just about everything.
Secondly, using the same password for all accounts is not smart; most people will say it's stupid, and any external security company would not advise that. So I personally don't believe you, and if by some chance you're telling the truth, see my first comment. This decision alone makes me feel unsafe using your system.
Thirdly, when I was in my new "Storage Treasures" account, I went to add my "Credit Card" and, well, it said my credit card was already on file. So they might not get my credit card numbers because you are using the Authorize.net CIM solution. The hacker will still gain the ability to use my account and bid on auctions, and my credit card would be charged, and when those people complain you will be charged a chargeback fee. Get enough of those and, well, we both know what happens.
Fourthly, titles like "CIO" and "Security Consultant" don't mean it implies intelligence or removes you from accountability. They are just people and nothing special; companies go bankrupt all the time and they all have CIOs, CEOs, CFOs, CPAs, etc. Titles are meaningless; it's the person's knowledge and experience that counts. For example, keep reading.
Fifthly, your programmer and external security adviser *cough* must not have informed you that you are not even PCI compliant. For example, I can register for an account at http:// www. storagebattles.com/register/ - notice it's not "SSL" - then I can advance to the next screen and put my data in, not under SSL. Just because your link on the front page takes you to an SSL page doesn't make you PCI compliant. If I sent the register link to a friend or posted the register link on a forum with HTTP, not HTTPS, and then they signed up, their CREDIT CARD data could be compromised. So that about sums it up, Jimmy; I'm not even trying to audit your system and processes. Imagine if I did? Just make smarter decisions and hire the right people.
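The registration-over-HTTP problem the commenter describes (a form that collects a password or card number is loaded from, or posts to, a plain-HTTP URL, so the "SSL link on the front page" is irrelevant) can be checked mechanically. The script below is an added example for this thread, not code from StorageBattles.com or StorageTreasures.com, and it runs against constructed sample HTML embedded inline rather than fetching any site. It parses every `<form>` on a page, resolves the form's `action` against the page URL, and reports two distinct findings: the page itself being served over HTTP (an on-path attacker can rewrite the form's action before the user ever sees it) and the form submitting to an HTTP action (the fields travel in the clear). The field-name keywords in `SENSITIVE_NAMES` are an assumed heuristic.

```python
"""Flag HTML forms that collect sensitive data but are loaded or submitted over plain HTTP.

Added example for this discussion; not the site's own code. Sample pages are
constructed below so the check runs offline. Field-name keywords are a heuristic.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic: substrings in an input's name/id that mark a field as sensitive (assumption).
SENSITIVE_NAMES = ("password", "passwd", "card", "ccnum", "cvv", "cvc", "expir", "ssn")


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the (name, type) pairs of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            typ = (a.get("type") or "text").lower()
            self._current["fields"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def is_sensitive(name, typ):
    """A field is sensitive if it is a password input or its name matches a keyword."""
    return typ == "password" or any(k in name for k in SENSITIVE_NAMES)


def audit_forms(page_url, html):
    """Return a list of (resolved_action_url, reason) for every form that exposes
    sensitive fields to plaintext transport. An empty list means no finding."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        sensitive = [n for n, t in form["fields"] if is_sensitive(n, t)]
        if not sensitive:
            continue  # a search box or similar; nothing to protect
        action = urljoin(page_url, form["action"])  # empty action posts back to the page
        action_scheme = urlsplit(action).scheme.lower()
        fields = ", ".join(sensitive)
        if page_scheme != "https":
            findings.append((action, f"form page loaded over {page_scheme}; an on-path "
                                     f"attacker can rewrite the form ({fields})"))
        if action_scheme != "https":
            findings.append((action, f"form submits over {action_scheme}; fields sent "
                                     f"in the clear ({fields})"))
    return findings


# Constructed sample: a harmless search form plus a registration form with
# password and card fields, using a relative action (the pattern described above).
SAMPLE_REGISTER_HTML = """
<html><body>
<form action="/search" method="get"><input name="q" type="text"></form>
<form action="/register/step2" method="post">
  <input name="email" type="text">
  <input name="password" type="password">
  <input name="card_number" type="text">
  <input name="cvv" type="text">
</form>
</body></html>
"""

# Constructed sample: page is HTTPS but the form posts to an absolute HTTP URL.
SAMPLE_MIXED_HTML = """
<html><body>
<form action="http://pay.example.test/submit" method="post">
  <input name="ccnum" type="text"><input name="expiry" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://www.example.test/register/", SAMPLE_REGISTER_HTML),
                      ("https://www.example.test/register/", SAMPLE_REGISTER_HTML),
                      ("https://www.example.test/checkout/", SAMPLE_MIXED_HTML)):
        print(url)
        for action, reason in audit_forms(url, html) or [(None, "no findings")]:
            print("  ", action, "-", reason)
```

Run it against the HTML of a real registration page (fetched with whatever client you already use) and the page's URL as the user would actually reach it, not the HTTPS link from the front page; the same form yields two findings when loaded over `http://` and none when loaded over `https://`. This is a static check only: it says nothing about whether the HTTP URL redirects to HTTPS, whether HSTS is set, or whether card data is later stored, which are separate questions.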