Credit Cards: A Nightmare Story
Oh shit.
That’s the reaction when you see your company’s name associated with words like “hacked”, “data breach” or “credit cards stolen”. All that effort to build your product, acquire customers, create a reputation, earn a living and make it to the mountaintop. Then, all in one moment, your heart rate tops 180 and the panic sets in.
This happened recently to a company called Bluesnap, a global payments company. If you want to read the play-by-play, pour yourself a stiff scotch and settle in for a thriller.
The good news is that it turns out that Bluesnap appears not to be at fault for this 324k strong credit card, CVV and PII breach. So how crappy is it that Bluesnap’s name is the main one associated with the breach?
Even though Bluesnap ends up apparently not being the one responsible for this data breach, they still need to go into full PR crisis mode to defend their brand and reputation to avoid clients thinking that Bluesnap are the ones responsible.
Avoiding the dreaded credit card breach
Many people think that a primary way to avoid this kind of PR and business disaster is to be PCI compliant or use a PCI compliant vendor. As you can see in the play-by-play, there is confusion about PCI level one and level two certification, but frankly, the PCI standards are just a starting point. Here’s what the PCI control objectives and requirements look like:
If you achieve these six objectives by following the twelve requirements, does that make you immune to a credit card breach PR disaster? It’s fairly reasonable to get your business PCI certified at any point in time. Bluesnap successfully did. Even Regpack, who appears responsible for breach, did. Problem averted? Not.
Looking closely at the list above, a number of the requirements are business processes and best practices. Exactly the most likely things to be circumvented by either cunning or laziness or a combination thereof. Ever heard of “tailgating”, “spearfishing” or “pretesting”? (facepalm)
There are just so many moving parts that unless you have time, knowledge and persistence, many companies decide to out-source the PCI responsibilities to an expert like cleverbridge. We live PCI and beyond every day so that you can sleep well at night.
