A big fine for sure!
Earlier this year an online travel insurance company (based in the UK) was fined £175,000 by the Information Commissioner’s Office (ICO) for a data security breach that included payment card data. The ICO found that the company had not taken sufficient steps to protect the security of the information it retained about its customers and was responsible for a serious breach of the Data Protection Act.
Hackers were able to exploit ‘known vulnerabilities in the company’s security software’ and gain access to over three million customer records. The information stolen included: full name, date of birth, address, email address, phone number, travel dates, medical screening responses and, worst of all, payment card information (card number, expiry date and the CVV security code).
Staysure.co.uk admitted that they were storing CVV numbers, which PCI DSS does not permit: the CVV is sensitive authentication data and must not be retained after authorisation, even in encrypted form. The company said human error was to blame for the numbers not being deleted once the problem had been identified.
In essence, the company knew they were not following PCI DSS but did not think they would be hacked, or that they would come onto the radar of the PCI SSC or be subjected to a PCI Forensic Investigation. The £175,000 ICO fine was avoidable: had they de-scoped their business, so that card numbers and CVVs never entered or remained in their own systems, there would have been nothing for the attackers to steal, and they would have saved a large amount of money and kept their reputation intact.
For more information on de-scoping your PCI DSS requirements please have a look at our ‘Solutions’ pages.