TechCrunch reported yesterday that New York payments startup Paay exposed millions of credit card numbers. The database, which stored millions of credit card transactions, has now been secured after spending close to three weeks exposed publicly to the internet.
The report said, “because there was no password on the server, anyone could access the data inside.”
Security researcher Anurag Sen found the database and said it held about 2.5 million card transaction records. After TechCrunch contacted the company on his behalf, the database was pulled offline.
Asked to comment on this event, Jonathan Deveaux, head of strategic partnerships for enterprise data security specialists comforte AG, said:
“It would be interesting to understand what data protection approach Paay has deployed to meet PCI DSS requirements for storing credit card data. The Payment Card Industry Security Standards Council (PCI SSC) has implemented standards that must be followed should a payment processor or financial services organization choose to manage credit and debit cards from the four major credit card labels. Violation of the requirements may result in substantial fines or even the suspension of the company’s ability to process credit and debit cards.
Requirement 3.4 in the current PCI DSS version (3.2) says to ‘Render PAN unreadable anywhere it is stored.’ A highly effective data protection method, suitably implemented, would have deployed tokenization to replace the actual PAN value with a surrogate value before any data is written to a database. Therefore, if (or when) researchers, as in this case, find open or unsecured databases online, the credit card data they find would be the replacement data – which has no exploitable value.
In the 15 years that the PCI SSC has presented these Data Security Standards for processing credit and debit cards, there have been zero reported data breaches for organizations that were fully PCI DSS compliant.”
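The tokenization approach Deveaux describes above, as an added example that is not part of the article and not code from Paay or comforte AG: the transaction store only ever receives a surrogate token plus a masked copy of the card number, while the PAN-to-token mapping lives in a separate vault. Everything here is an assumption for illustration: the `TokenVault` class, the HMAC-keyed lookup index, the choice to keep the last four digits and to make tokens deliberately fail the Luhn check, and the card numbers, which are the standard Visa and Mastercard test numbers, not real cards.

```python
import hashlib
import hmac
import secrets
from dataclasses import asdict, dataclass


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check. Real PANs pass it; the surrogate tokens below never do."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four visible, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical PAN <-> token mapping. In a real deployment this is a separately
    secured, in-scope system; the transaction database only ever sees tokens."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # protects the lookup index from offline brute force
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the same PAN always yields the same token (keeps per-card
        # analytics possible) without storing a plain, brute-forceable hash of a
        # 16-digit number next to the tokens.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Random digits with the last four kept, so receipts can still show "**** 1111".
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject anything that could be mistaken for (or collide with) a real card number.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the settlement path that genuinely needs the PAN should be able to call this."""
        return self._pan_by_token[token]


@dataclass
class TransactionRecord:
    token: str
    masked_pan: str
    expiry: str
    amount_cents: int


def record_transaction(vault: TokenVault, pan: str, expiry: str, amount_cents: int) -> dict:
    """The row written to the (potentially exposed) transaction database: no PAN in it."""
    rec = TransactionRecord(vault.tokenize(pan), mask_pan(pan), expiry, amount_cents)
    return asdict(rec)


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample input: the Visa test number, not a real card.
    print(record_transaction(vault, "4111111111111111", "12/25", 4999))
```

If a database of `record_transaction` rows leaked, an attacker would get tokens that fail the Luhn check, masked numbers, expiry dates and amounts; recovering a PAN requires the vault, which is exactly the system that must be kept off the public internet.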
The TechCrunch report added, “The database contained daily records of card transactions dating back to September 1, 2019, from a number of merchants. TechCrunch reviewed a portion of the data. Each transaction contained the full plaintext credit card number, expiry date, and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.”
Mark Bower, senior vice president at comforte AG, added:
“Fifteen years of PCI DSS has taught merchants and card processors to encrypt, tokenize and redact cardholder data and never store it live. The risk is too great. New players, especially startups, can’t skip these clear and enforced requirements. Fundamentally, all vendors handling card data should be tokenizing it so they can provide their value-added analytics and business processes without putting the merchant’s cardholder data into attackers’ hands. Developer errors, operational configuration accidents, or misunderstanding of very clear PCI rules, unfortunately, don’t cut it for cardholder data security – secure it, or face serious consequences and costs.”