PCI DSS: Lessons to learn from recent payment card breaches

Over the past month or so, we’ve been discussing the threats associated with payment card breaches, and why it’s important to comply with the PCI DSS (Payment Card Industry Data Security Standard).

In this week’s blog, we examine some recent examples of payment card breaches to help you understand common problems that organisations run into and how you can avoid them.

Further reading:

British Airways

What happened: On 7 September 2018, British Airways confirmed a data breach involving the personal and financial information of more than 380,000 customers. The breach occurred between 21 August and 5 September 2018, according to BA’s statement.

What went wrong: RiskIQ researchers claim to have found evidence of modified scripts on payment forms on BA’s website that delivered “payment information to an attacker-controlled server while maintaining their intended functionality to avoid detection”. RiskIQ has attributed the attack to Magecart, the criminal hacking group linked to Ticketmaster’s July breach

Dixons Carphone

What happened: In July 2018, the electronics retailer confirmed that 105,000 customers’ payment card details had been compromised, because they didn’t have chip-and-PIN protection. The criminal hackers had also attempted to obtain another 5.8 million card details, but these were all sufficiently protected.

Weeks later, Dixons Carphone confirmed that a data breach announced in 2017 was much larger than it originally claimed, affecting not 1.2 million customers, as it first said, but 10 million.

What went wrong: Investigations into the hack are still ongoing, but many experts have surmised that Dixons Carphone’s defences fell a long way short of best practices. The incident occurred after the EU’s GDPR (General Data Protection Regulation) took effect, so the organisation should have had plenty of time to put in place appropriate measures.

Ticketmaster UK

What happened: Ticketmaster released a statement on 23 June 2018 announcing that it had identified malicious software on a customer support product hosted by a third party.

The ticket-selling site said a criminal hacker gained access to customers’ personal data, including names, addresses, email addresses, telephone numbers, Ticketmaster login details and payment card information. Up to 40,000 people are thought to have been affected.

What went wrong: Inbenta, which runs Ticketmaster’s customer support chat tool, confirmed that the source of the breach was a “single piece of JavaScript code” that it created. However, Inbenta CEO Jordi Torras said the organisation wasn’t told the code was going to be used on payment pages.

Had Inbenta been given this information, it would have advised Ticketmaster not to use the code, said Torras.

Rail Europe

What happened: Rail Europe, a US-based distributor of train tickets across Europe, confirmed in April 2018 that its online payment systems had been compromised between 29 November 2017 and 16 February 2018. It warned that the criminal hackers behind the attack “may have compromised” payment card information, including card numbers, expiration dates and verification codes. Customers’ names, gender, delivery and invoice addresses, phone numbers and email addresses are also at risk.

What went wrong: In a letter filed with the California attorney general, Rail Europe said criminal hackers put credit card-skimming malware on its website. It took three months to identify the malware, but the organisation contained it quickly, rebuilding all compromised systems from known safe code and removing any potentially untrusted components.


What happened: In January 2018, customers of the Chinese smartphone manufacturer began reporting fraudulent transactions on their bank accounts. OnePlus investigated and confirmed that up to 40,000 customers’ payment card details had been compromised.

What went wrong: During its investigation, OnePlus found malicious code in its payment page, which it said had been there for about two months. The script operated “intermittently”, capturing and sending data directly from the user’s browser.

Stay secure with the PCI DSS

These incidents show that organisations can be exploited in many ways. Flawed code, poor communication with third parties and a failure to test networks and systems are all common errors, but they can be mitigated by complying with the PCI DSS.

Unveiled in 2004, the PCI DSS is the result of a collaboration between major credit card brands (American Express, Discover, JCB, Mastercard and Visa) and aims to facilitate the broad adoption of consistent data security measures involved in payment card processing. It provides a detailed list of best practices for staying secure. As a general guideline, any merchant or service provider that stores, processes or transmits cardholder data is required to comply.

Download our PCI DSS green paper

Security testing and the PCI DSS unpacks the complexities of the Standard, and helps organisations understand how they can achieve and maintain compliance.

Download this free green paper to receive practical guidance on how to test the security of your systems and processes, and better protect the payment card information you store.