Ask HN: PCI Violation by client storing 'cardholder data'

2 points by alanhoskins 8 years ago | 2 comments

I was recently contacted to fix the admin portion of a website that was not loading properly. Upon fixing the issue, I found that the website is storing credit card information (number, expiration, ccv and customer info) in their database and even displaying it in plain text to the admin for processing offline.

I've informed the client that this needs to be fixed as soon as possible and that it is a violation. From what I saw they have at least 4000+ entries of cardholder data.

What, if anything, should I do?

cabrel 8 years ago |

Companies like this are why breaches can be so devastating (financially and privacy-wise) to the general public [1].

If you know who their credit card processor is, you should go directly to them and report the problematic business. You can also go to the credit card company sites and contact them directly. If you know whom their QSA is, I would also contact the credit card companies about the QSA and they can investigate whether his PCI auditor status should be revoked. [2]

It is in the credit card companies best interest to investigate things like this which is why the channels exist to report these instances.

For reference, requirement no. 3 of the PCI standards cover the appropriate procedures for storing this type of information [3].

IANAL and all that..

[1] See the first comment of https://news.ycombinator.com/item?id=14401825

[2] https://www.pcicomplianceguide.org/how-do-i-report-a-pci-vio...

[3] See page 36 of https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2....

gregjor 8 years ago |

You did what you can do. Maybe point them to their merchant agreement and PCI compliance rules. I've run into this before and clients have paid be to fix the problem.