Customers of Dungarees.net who placed orders between March 26 and June 5 this year have been warned that their cardholder data – including card validation codes – was exposed to criminal hackers.
According to a letter sent to affected customers on June 25:
“On May 15, 2015, we first became aware of a possible breach when we discovered that our website had been manipulated by hackers. After this discovery, we took immediate action to secure our website and we engaged a forensic IT firm to assist us in determining how this occurred. The forensic IT firm discovered that the hackers made additional manipulations to our website that were not apparent on May 15th.
“Based on our investigation, we believe that customer information associated with orders placed on our website between March 26, 2015 and June 5, 2015 may have been affected. We have determined that the information involved in this breach included customer name; customer billing, mailing and email addresses; credit or debit card number, the card’s expiration date and CVV.”
PCI DSS requirement 3.2.2
All organizations that store, transmit, or process payment cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS) – the industry standard designed by payment brands to protect payment card information.
Storing CVVs and other sensitive authentication data (SAD) is a contravention of the PCI DSS. Requirement 3.2.2 clearly states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.”
As the PCI DSS explains, “If [card validation codes are] stolen, malicious individuals can execute fraudulent Internet and MO/TO [mail order/telephone order] transactions.” In other words, there’s nothing to stop criminals maxing out your credit card.
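To make requirement 3.2.2 concrete, here is an added Python example (it is not code from the original post, from Dungarees or from IT Governance): a minimal order flow that passes the CVV to the acquirer for authorization and then strips it before the order record is persisted, alongside a scanner that checks stored records for sensitive authentication data or an unmasked card number, the kind of check an assessor runs over a database dump or log extract. The field names, the stand-in gateway call and the sample order are all assumptions constructed for the example.

```python
"""Added example, not from the original post: authorize with the CVV, never
store it (PCI DSS 3.2.2), and scan persisted records for leftover SAD."""
import copy
import re

# Field names treated as sensitive authentication data (SAD).
# Assumption: these are the keys a hypothetical shop's checkout form uses.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "card_verification_code", "track_data", "pin"}


def authorize_with_acquirer(card_number, expiry, cvv, amount):
    """Stand-in for the payment gateway call (hypothetical; a real gateway
    returns its own reference). It deliberately does not echo the CVV back,
    so nothing downstream has the chance to keep it."""
    return {"approved": True, "auth_ref": "AUTH-" + card_number[-4:] + "-" + str(amount)}


def sanitize_for_storage(order):
    """Return a copy of the order that is safe to persist after authorization:
    SAD fields removed and the card number masked to its last four digits
    (masking the PAN is common PCI DSS practice; the CVV must not be kept at all)."""
    stored = copy.deepcopy(order)
    for key in list(stored):
        if key.lower() in SAD_FIELDS:
            del stored[key]
    if "card_number" in stored:
        digits = re.sub(r"\D", "", stored["card_number"])
        stored["card_number"] = "*" * (len(digits) - 4) + digits[-4:]
    return stored


def process_order(order):
    """Authorize using the CVV the customer supplied, then persist only the sanitized record."""
    auth = authorize_with_acquirer(order["card_number"], order["expiry"], order["cvv"], order["amount"])
    record = sanitize_for_storage(order)
    record["auth_ref"] = auth["auth_ref"]
    return record


def find_stored_sad(records):
    """Scan persisted order records and report (index, field) pairs that still
    carry a SAD value or a full, unmasked card number."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in SAD_FIELDS and value not in (None, ""):
                findings.append((idx, key))
            elif key.lower() == "card_number":
                digits = re.sub(r"\D", "", str(value))
                if len(digits) >= 13:  # 13+ digits means the PAN was stored unmasked
                    findings.append((idx, key))
    return findings


# Constructed sample order, as it would arrive from a checkout form.
SAMPLE_ORDER = {
    "name": "A. Customer",
    "email": "customer@example.com",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/26",
    "cvv": "123",
    "amount": 49.99,
}

if __name__ == "__main__":
    safe = process_order(SAMPLE_ORDER)
    print("stored record:", safe)
    # The raw order would be flagged on both the CVV and the full PAN;
    # the sanitized record produces no findings.
    print("findings:", find_stored_sad([SAMPLE_ORDER, safe]))
```

Running the scanner over the raw submission flags both the CVV and the full card number, while the sanitized record passes clean; the same scan, pointed at an order table or application log, is a quick way to confirm that nothing in the storage path is quietly keeping SAD after authorization.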
There is no evidence to suggest that Dungarees itself was guilty of this contravention. It’s perfectly possible that a cross-site scripting (XSS) attack could have directed customer data to the criminals at the same time that it was being transmitted to Dungarees’ payment module, for instance.
Dungarees’ letter to customers continues:
“Be assured that we place a top priority on protecting the security of our customer’s personal information and with the help of highly regarded security experts, we have put further safeguards in place to help prevent future attacks.”
PCI DSS compliance
IT Governance is a PCI Qualified Security Assessor (QSA), and provides a wide range of products that can help your organization achieve and maintain compliance with the PCI DSS, including guidebooks, e-learning, a documentation toolkit, and consultancy support.
For more information on PCI DSS compliance, and to learn how IT Governance can help you protect your data, email us at firstname.lastname@example.org or call us on 1-877-317-3454.