Paay open database exposes 2.5M transactions, challenges PCI compliance
Thursday, April 23, 2020
New York-based Paay left a database exposed, according to a TechCrunch report; security researcher Anurag Sen found transaction information that included credit card numbers, expiration dates and amounts spent, dating back to Sept. 1. Paay trades on its use of 3-D Secure, an XML-based protocol designed to be an additional security layer for online credit and debit card transactions.
Ilia Kolochenko, founder and CEO of ImmuniWeb, suggested that the chaos created by COVID-19 may have played a role by distracting staff, but contended that legal authorities would be unlikely to forgive the mistake if they find Paay did not meet the PCI standard.
“This incident will likely trigger zealous investigations and severe penalties. Likewise, it will probably bring a series of harsh ramifications under PCI DSS that seem to have been largely neglected in this case,” said Kolochenko. “The western judicial system is unlikely to demonstrate any leeway for negligent or overly careless data protection even amid this unprecedented pandemic.”
SC Media contacted Paay for comment, but has not yet received a response.
According to the merchant processing firm Century Business Solutions, PCI compliance is mandatory, and if a data breach occurs at a company that does not meet the requirements, it will have to pay penalties and fines ranging between $5,000 and $500,000.
“It’s important for banks of all sizes to only rely on vendors and third parties that are PCI compliant and come equipped with the necessary security and certifications to keep customers protected,” said Jumio CEO Robert Prigge.
That this event took place during the worldwide shutdown over COVID-19 may have played a role both in why the server was left open and in the impact it could have on retailers.
“Startups are harshly affected by the coronavirus pandemic. Being at their active stage of rapid growth, they frequently under-invest time and money into data protection and compliance, falling victim to omnipresent cybercriminals,” said Kolochenko. “Amid a pandemic, even the largest financial institutions face major difficulties to securely maintain their business operations while working from home, let alone ultra-susceptible startups.”