Staysure fails to stay PCI DSS compliant

The travel insurer Staysure has informed 93,000 customers that their bank card details may have been stolen in a cyber attack.

Customers who took out a policy prior to May 2012 have been informed that their encrypted payment card details, along with unencrypted CVV data, customer names and addresses, may have been leaked. Staysure added that while CVV numbers alone are useless, attackers may be able to obtain data from elsewhere and match it to some of these accounts, giving them the ability to access customers' bank accounts illegally.

It is clear that Staysure was not compliant with the PCI DSS at the time of the breach if sensitive authentication data (SAD) was stored on its systems: the PCI DSS does not allow SAD to be stored after authorisation. From comments in the press, the SAD appears to have been stored on a legacy system; however, before gaining PCI DSS certification Staysure should have purged its systems of all SAD, and of all cardholder data held outside the cardholder data environment (CDE). The CDE should be a protected zone within an organisation's infrastructure in which the cardholder data that may be retained is stored securely.
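As an added illustration of the distinction above (not code from the article or from Staysure), the following Python check scans constructed legacy policy records for retained SAD fields and cleartext PANs, then remediates them; the field names and sample values are assumptions about a legacy schema.

```python
import re

# Field names below are assumptions about a legacy policy schema, not taken from
# the article. SAD (CVV2/CVC2/CID, full track data, PIN / PIN block) must never be
# retained after authorisation, even encrypted; a PAN may be stored only protected
# (encrypted, truncated or tokenised), never in cleartext.
SAD_FIELDS = re.compile(r"^(cvv2?|cvc2?|cid|cav2|track[12]?(_data)?|pin(_block)?)$", re.I)
PAN_FIELDS = re.compile(r"^(pan|card_?number)$", re.I)
CLEARTEXT_PAN = re.compile(r"\d{13,19}")

def find_violations(record):
    """Return (field, reason) findings for one stored record."""
    findings = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if SAD_FIELDS.match(field):
            findings.append((field, "SAD retained after authorisation"))
        elif PAN_FIELDS.match(field) and CLEARTEXT_PAN.fullmatch(str(value)):
            findings.append((field, "PAN stored in cleartext"))
    return findings

def audit(records):
    """Map record id to its findings; compliant records are omitted."""
    report = {}
    for record in records:
        findings = find_violations(record)
        if findings:
            report[record["id"]] = findings
    return report

def remediate(records):
    """Drop every SAD field and truncate any cleartext PAN to its last four digits."""
    cleaned = []
    for record in records:
        out = {}
        for field, value in record.items():
            if SAD_FIELDS.match(field):
                continue  # purge outright: storing SAD is prohibited, encrypted or not
            if PAN_FIELDS.match(field) and CLEARTEXT_PAN.fullmatch(str(value)):
                value = "*" * (len(value) - 4) + value[-4:]  # keep a truncated PAN only
            out[field] = value
        cleaned.append(out)
    return cleaned

# Constructed sample records; card values are placeholders, not real card data.
LEGACY_RECORDS = [
    {"id": 1, "name": "A. Customer", "pan_enc": "<ciphertext>", "cvv": "123", "expiry": "05/12"},
    {"id": 2, "name": "B. Customer", "pan_enc": "<ciphertext>", "cvv": "", "expiry": "06/11"},
    {"id": 3, "name": "C. Customer", "pan_enc": "<ciphertext>", "track2_data": "<track 2 data>"},
    {"id": 4, "name": "D. Customer", "card_number": "0000000000000000", "expiry": "04/12"},
]

if __name__ == "__main__":
    for rec_id, findings in audit(LEGACY_RECORDS).items():
        print(rec_id, findings)
```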

For those who aren't aware of the Payment Card Industry Data Security Standard (PCI DSS), it is the standard with which any organisation that stores, transmits or processes cardholder data must comply. Failure to comply with the standard will lead to severe fines, as well as leaving you open to severe attacks similar to the one Staysure has suffered.

You can learn more about PCI DSS in PCI DSS: A Pocket Guide or, better yet, attend the IT Governance PCI Foundation Course.