Back in my younger days, I've implemented exactly such a system. Looking back, it seems like a "WTF where you thinking" but somehow it made sense back then. What is obvious practice now took 20+ years of internet evolution to reach.

I've also worked for companies that:

- Stored user passwords in plaintext so you can email the customer their password if they forgot - Stored the CVV so "we could issue refunds" - Accidentally created anonymous email relays using copy & paste code from some "how do I create a webform in PHP" site. - Test data was simply a mirror of production - Test servers would send real emails to real customers (because the test data was a prod mirror)

There are probably some other atrocities I've been exposed to but those are the highlights.

Oh yeah, forgot one:

- To "save money" on hard drives for "the server" we did a RAID0 array. Works great until one of the disks die and you loose everything. (This was my own dumb fault though).

Live and learn I guess!

I don't have the experience to know if this is actually the case, but it seems completely plausible that different countries have different regulations (or enforcement thereof) such that US companies have to care about PCI more than Indian companies.

> These $100B in annual sales aren't processed by script kiddies, it's a very large and mature industry.

Those are less connected than you think; loads of companies run obscenely large monetary transactions and essential business processes with horrifying hacked-up systems (50k LoC files, 20-year-old Perl scripts that nobody understands, Solaris 2.x desktop in the maintenance closet...); utility and good code are less correlated than we wish.

Of the nearly 45-50 contract jobs I've seen, a lot of them use pirated WP or Magento plugins, and plain text storage of sensitive content.

It doesn't seem like a generalization at all. It's someone relaying their actual experience:

"having worked with many E-Commerce shops in India as a consultant"

It very often happens on HN that if someone talks about something they had personal experience with, that people try to characterize it as a generalization, as if that somehow magically makes the statements a fantasy. It does not.

1. The vendor is not aware that this is a problem 2. As a result of point 1, the vendor does not have budget planned for this. 3. The reward for the investment does not make sense for most of the vendors.

About point 3: For the vendor, there is no tangible improvement in sales (in fact, some security measures raise the barrier for their customers to place an order). So why should they do it? In their experience, the budget is better spent on improving the customer experience, marketing, increasing stock, lowering prices, etc.

Point 3 is really tricky, especially in some cultures and countries. If there is no legal consequence for leaking customer data, why should they be spending money on preventing something that may or may not happen in the future?

https://support.apple.com/en-us/HT210425

Does that somehow magically excuse racist statements like this? Good engineers are everywhere. Bad engineers are everywhere

First, they offered a poor conversion rate.

Second, they said they will charge in INR and hence no further markup by banks which was an outright lie as they charged in INR from PayPal Singapore which applied foreign markup anyway by the bank. So I paid double markup.

It's basically a scam.

If that is the case, then it is not for me.

Some providers even had integration with banks, so when a credit card was auto-renewed and the expiration changed (the CC number was still the same), we didn't even have to ask the customer for an update. Only when the customer specifically asked for a new card.

So there's even the possibility of even more convenience to customers.

Why is that a good thing?

PayPal restrictions exist because india doesn't have free capital account convertibility and forex providers need to implement regulatory mechanisms to comply with forex regulations. The regulations on forex haven't changed in many years. It's paypal who isn't bothered to comply with mechanisms implemented and hence removed those features as they felt customers like you aren't worth it to them.

Most developing countries have capital controls like India for financial stability reasons and removing it for the sake of small segment of entrepreneurs feeling difficulty to process some payments or can't manage the accounting is not in the interest of the state or it's people.

Stripe thinks you are worth it to them and are providing that service. Find better service providers. Talk to a bank.

As far as GST is concerned, every country has tax accounting. Some other countries like in Europe have it way worse on the paperwork. Have you ever dealt with pre-GST service tax or VAT paperwork? Accounting is a universal thing and it's the reality of doing business.If you think just by jumping one country to the other you can avoid taxes or paperwork you need to rethink your approach to business. Most countries who don't have taxes or tax paperwork are just tax havens living off someone else's money. Will you go to NZ/Canada and not do their tax paperwork?

If it's getting harder, maybe your size is large enough to hire an accountant to do that work for you.

If you have so many customers overseas maybe you better incorporate a foreign subsidiary or an IFSC subsidiary to manage USD transactions.

These rules won't be changed for you - there are larger socio economic reasons for the rules.

How has GST made things worse? I had paid Service Tax for 10 years prior to GST, and that was a far worse experience.

a) Prior to GST these was an enormous amount of tax fraud. GST makes that way harder, on account of people being able to track and claim input credits. Many (not all) people who were complaining did so because they were suddenly unable to dodge taxes. This forced them to disclose all sales, which affected income tax as well.

b) Everything is now visible on the portal. Who you paid, what they deposited etc.

c) Initially, there were many more compliance requirements. Now it's simpler, with quarterly filing if you qualify.

Why are you having to spend so much time? I mean all the popular accounting suites already support GST and automate most of the compliance. The rules haven't materially changed so, why is it getting progressively harder?

> I almost got my Digitalocean account suspended few months back because the credit cards won't bill anymore.

Why won't they bill anymore? After I enabled international transactions on my card, I haven't faced any problems with DO or AWS.

> If it were not for Stripe Atlas

If you have a Delaware C Corp, why are you even bothered by RBI rules? None of the limitations of the Credit cards or PayPal apply to you anymore.

The e-mandate system seems to be pretty good. Netflix is compliant and it worked seamlessly from day one of the switch. It could be because they have incorporated locally, which can be difficult for many other companies.

> Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."

this means, anyone who read the news understood this was going to happen and scammers put their numbers and sent out sms. any unsuspecting user would just call them whereby they would ask their aadhar card, pan card, otp and you are fucked.

I understand the confusion, but just to clarify I'm a big fan of UPI :).

Now, is it good move for the people? It's a complex topic, one could write a lot about it. This move will push people away from cards because card tokenization won't be supported for a while, making recurring payment harder. It's well known that very small amounts of friction can drastically reduce the conversion rate. Entering the card details every time is a hassle for sure.

So more UPI payments. But today there are no MDR for UPI transactions, meaning fintechs and banks are losing money when they process these transactions. For banks, it's supposed to be ok because a digital transaction is cheaper than a physical one. For fintechs, this is tough, you need to find money somewhere else. So less money = less incentives = less innovation. However there have been talks to put back some fees on UPI (banks are pushing a lot on this).

On the other hand, more card payments = higher MDRs. So merchants or customers, or both, will pay more to process the transactions. Banks and fintech get more money. But with a lack of competition, because of the current duopoly (Visa/Mastercard), and the difficulty to enter the market due to strict regulation, innovation is far from its peak. Just by looking at how long 3DS2 takes to roll out you can see that there is a lot inertia.

It's not black and white, as often. Personally I think UPI is a better direction. The only downside is that's it is only for domestic payment. I'd love to see an EU initiative as successful as UPI: instant payment could be the EU equivalent but the fees are crazily high in some countries.

Is there any evidence that the RBI actually thinks this? You seemingly criticise GP on their inference of an ulterior motive but then posit your own ulterior motive.

Sometime you won't see Visa or Mastercard but instead "Debit Card" and "Credit Card" vs "Rupay" for instance.

Recurring payment greater than 5000Rs requires a separate auth. (EMI's are not impacted by this)