The start-up payment processing firm Paay that promotes itself as providing extra security to online transactions called that claim into question when it misconfigured a payment card database, exposing 2.5 million credit card transactions and raising concerns over PCI compliance.
New York-based Paay was exposed by security researcher Anurag Sen who found transaction information that included credit card numbers, expiration dates and amounts spent dating back to Sept. 1, according to a TechCrunch report. Paay trades on its use of 3-D Secure, an XML-based protocol that is designed to be an additional security layer for online credit and debit card transactions.
Ilia Kolochenko, founder and CEO of ImmuniWeb, pondered the idea that the chaos created by COVID-19 may have played a role by distracting the staff, but contended legal authorities likely would not forgive the mistake if they find Paay didn't meet the PCI standard.
“This incident will likely trigger jealous investigations and severe penalties. Likewise, it will probably bring a series of harsh ramifications under PCI DSS that seem to have been largely neglected in this case," said Kolochenko. "The western judicial system will unlikely demonstrate any leeway for negligent or overly careless data protection even amid this unprecedented pandemic."
SC Media contacted Paay for comment, but has not yet received a response.
According to the merchant processing firm Century Business Solutions, PCI compliance is mandatory and if a data breach occurs and a company does not meet the requirements, it will have to pay penalties and fines ranging between $5,000 and $500,000.
“It's important for banks of all sizes only rely on vendors and third parties that are PCI compliant and come equipped with the necessary security and certifications to keep customers protected," said Jumio CEO Robert Prigge.
That this event took place during the worldwide shutdown over COVID-19 may have played a role in both why the server we left open and the impact it could have on retailers.
“Startups are harshly affected by the coronavirus pandemic. Being at their active stage of rapid growth, they frequently under-invest time and money into data protection and compliance, falling victim to omnipresent cybercriminals," said Kolochenko. "Amid a pandemic, even the largest financial institutions face major difficulties to securely maintain their business operations while working from home, let alone ultra-suspectable startups.”
From the merchant's perspective, “the timing of this breach also couldn’t be worse for victims as storefronts are closed amid the global health pandemic and more purchases are made online," Prigge said. "Impacted users are at greater risk for cybercriminals using exposed credentials to make fraudulent purchases."
Regardless of the circumstances leading to the open server, Paay is another example of an organization not putting enough effort into properly locking everything down, a far too common occurrence.
“Paay’s misconfiguration is quite common and we’ve grown used to seeing these data exposures pop up in headlines every couple of weeks," said Chris DeRamus, CTO and co-founder, DivvyCloud. "Companies need to realize that without a holistic approach to security, they open themselves up to undue risk.”