The Wetherspoons Breach – and why you should ensure historic personal data is secured

By Paul Brennecker, PCI QSA, PCI PFI, PCIP, Principal QSA, Security Risk Management Ltd


Last week we saw another significant breach, this time of over 650,000 records of customers’ data from the pub chain Wetherspoons.

This data was historic and was residing on a web server that was no longer current, which goes to show how important it is to know just what data is hanging around (and to deal with it). Not all of this data was captured in the traditional transaction environment; sales of vouchers were the primary source.

When conducting a PCI assessment, it is always important to identify every source of incoming data; otherwise it is all too easy for things to get missed and sit around waiting for some unwanted attention.

It is worth noting that the law has specific requirements regarding the storing of historical data; in particular, Principle 5 of the Data Protection Act, which says that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”, and Requirement 3 of the PCI DSS, which provides guidelines on protecting stored cardholder data.
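As an added illustration (not part of the original post, and not a Security Risk Management tool), here is the kind of discovery check a QSA might run over a retired web server: it finds Luhn-valid card numbers in free text, masks them to the first six and last four digits, and flags data that has outlived its documented retention period. The voucher log, the dates and the 365-day retention period are constructed for the example; the card numbers are well-known test PANs.

```python
import re
from datetime import date

# Constructed sample: an old voucher-sales log of the kind that might linger on a
# retired web server. The card numbers are published test PANs, not real cards.
SAMPLE_VOUCHER_LOG = """\
2014-03-02 order=1234567890123 card=4111 1111 1111 1111 amount=25.00
2014-03-02 order=9876543210986 tel=+44 20 7946 0958
2014-03-03 order=1234567890124 card=5555-5555-5555-4444 amount=10.00
"""

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS Requirement 3 allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card numbers found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found

def beyond_retention(last_modified: str, today: str, retention_days: int) -> bool:
    """True if data last written on last_modified (ISO date) has outlived the retention period."""
    return (date.fromisoformat(today) - date.fromisoformat(last_modified)).days > retention_days

if __name__ == "__main__":
    hits = find_pans(SAMPLE_VOUCHER_LOG)
    stale = beyond_retention("2014-03-03", "2015-12-07", 365)
    print(f"{len(hits)} stored PAN(s): {hits}; beyond retention: {stale}")
```

Luhn filtering removes most order and phone numbers but not all, so any hit still needs a human to confirm before the file is purged or the retention schedule is corrected.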

Hopefully the small number of credit card details included in this breach will not cause significant problems, but it is going to cause a headache for those involved.

