In response to the recent BBC article (thanks to Robin Lee for sending this on) – http://www.bbc.co.uk/news/business-25591548, I wrote the BBC this:
I run a company responsible for auditing firms on behalf of Visa, MasterCard, American Express et al, to ensure they are handling credit card details securely (we're known as Qualified Security Assessors, or QSAs, and the auditing standard is known as PCI DSS).
Our services are mandatory for companies that handle more than 1,000,000 Visa transactions per year, which are generally larger companies and their service providers.
So it's reasonably safe to assume that any large company that processes these kinds of transaction volumes has been assessed by a company like ours, is very well aware that storing CVV numbers is prohibited, and has taken steps to correct it.
However, these larger, established companies are but the tip of the iceberg. I guess that at least 95% of companies in the UK that take credit card payments are simply under the radar of firms like us, as there are no mandatory requirements to bring in experts to identify whether or not there are any security gaps, and these firms can “self-assess”. That is, as long as they fill in a document (known as a Self Assessment Questionnaire), answer a series of questions, sign and return it, then the likes of Visa and MasterCard deem them secure.
The problem is there's a huge knowledge gap. Small firms generally don't know how to even begin securing data, or even where to start looking for it, so they'll just sign the forms and return them. They certainly don't have the skills or know-how to audit and test systems to the levels that we do.
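As an added example (not part of the original letter or this post), here is the kind of first-pass data-discovery check a small firm could run over its own logs, CSV exports or database dumps to find out where card data is actually sitting. It looks for Luhn-valid 13 to 19 digit runs (with or without spaces or hyphens) and for CVV/CVC-style fields next to them, and reports only masked values (first six and last four digits), so the scan itself doesn't create yet another copy of the card numbers. The log lines, the field names it recognises (cvv, cvc, cid, cav2) and all function names are constructed for the example and are assumptions, not anything from Staysure or the PCI DSS documents.

```python
import re

# Constructed sample lines for the example. Card numbers are the usual
# public test numbers, not real cards. Line 2 has a digit run that fails
# the Luhn check; line 4 has a long reference number that is too short
# to be a PAN; line 5 is how the data should look once tokenised.
SAMPLE_LINES = [
    '2014-01-02 10:15:01 order=1001 pan=4111111111111111 exp=12/16 cvv=123 name="A Smith"',
    '2014-01-02 10:15:02 order=1002 pan=4111111111111112 exp=12/16',
    '2014-01-02 10:15:03 order=1003 card=5500 0000 0000 0004 cvc=456',
    '2014-01-02 10:15:04 order=1004 ref=1234567890 amount=49.99',
    '2014-01-02 10:15:05 order=1005 token=tok_8b1c pan_last4=0004',
]

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Field names under which the card security code commonly ends up
# (assumed names; extend for your own schemas and log formats).
CVV_RE = re.compile(r'\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test.

    Most of the noise (timestamps, order numbers, phone numbers) fails this,
    so it cuts false positives without needing a list of card prefixes.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, the truncation PCI DSS permits for display."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return a list of (kind, masked_value) findings for one line of text."""
    findings = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r'[ -]', '', m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(('PAN', mask(digits)))
    if CVV_RE.search(line):
        # Never copy the code itself into the report; its presence is the finding.
        findings.append(('CVV', '<present>'))
    return findings


def scan(lines) -> list:
    """Scan an iterable of lines; return [(line_number, findings), ...] for lines with hits."""
    report = []
    for n, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            report.append((n, found))
    return report


if __name__ == '__main__':
    for n, found in scan(SAMPLE_LINES):
        print(f'line {n}: ' + ', '.join(f'{kind}={value}' for kind, value in found))
```

Run it over real files with `scan(open(path))` and treat every CVV hit as a stop-everything finding: the PAN can at least be encrypted in place, but a stored security code has to be deleted and the code path that wrote it fixed.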
So let's look at Staysure. The payment card number was encrypted, which is good, as this means criminals can't use it. The CVV number was in the clear, which is not good; however, if the payment card number is encrypted, a criminal couldn't recover the card number from the encrypted data, so they couldn't use the CVV number anyway.
I would be more concerned about the other “personal data” that Staysure may have lost. CVV numbers you can change by getting a new credit card, but it's pretty difficult to change your mother's maiden name or date of birth.
If Staysure's encryption implementation was insecure, I'd be more worried, as that way criminals could start pulling out primary account numbers and using the CVV data, but I guess we will never find out.
As for dumping this all on Staysure's customers, and urging them to check their accounts, that's the least of their worries. Long term, criminals will use personal data to steal identities. A credit agency data monitoring service is a good idea, as it might spot criminals trying to get loans out using false identities etc, but out of 93,000 customers, how many do you think will bother signing up? And given these were “legacy systems”, do Staysure even have up-to-date contact and address details?
Whilst the storage of CVV numbers will most likely result in the biggest short-term pain for Staysure, as no doubt the card schemes will want to start fining them for non-compliance and are all over them like a rash with their credit card forensic teams, it rather distracts attention from the long-term damage that data breaches like this cause.