Paay is a merchant processing (payment processing) company that claims to offer an extra layer of security for online transactions. However, the company exposed data from 2.5 million credit card transactions, which also raised concerns over its PCI compliance.
According to a TechCrunch report, security researcher Anurag Sen found the transaction records, which include credit card numbers, expiration dates, and the amounts spent, and he is the one who exposed this New York-based payment processing firm.
Ilia Kolochenko, CEO and founder of ImmuniWeb, said that the impact of COVID-19 may have distracted the staff. However, legal authorities will certainly take action if any mistake is found or if the company did not meet the standard set by PCI.
Ilia Kolochenko said, “This incident will likely trigger zealous investigations and severe penalties. Likewise, it will probably bring a series of harsh ramifications under PCI DSS. This seems to have been largely neglected in this case.” He added: “The western judicial system is unlikely to demonstrate any leeway for negligent or overly careless data protection. This will be the case even amid this unprecedented pandemic.”
Century Business Solutions, a merchant processing firm, notes that PCI compliance is mandatory. If a data breach occurs and the company does not meet the requirements, it will face fines and penalties, which can range from $5,000 to $500,000.
Robert Prigge, CEO of Jumio, says, “It is important for banks of all sizes to only rely on vendors and third parties that are PCI compliant and come equipped with the necessary security and certifications to keep customers protected.”
Paay did not put password protection on its server, so anyone who found it could access the data inside. The stored data consisted of credit card numbers, the amounts spent, expiration dates, and masked copies of each credit card number. It did not include CVVs or cardholder names.
To address the issue, the company has already informed 15 to 20 merchants and is working with a forensic auditor to determine the scale of the problem.
Chris DeRamus, CTO and co-founder of DivvyCloud, commented on the breach: “According to Paay’s CEO, they spun up and subsequently misconfigured an instance, leaving their database of 2.5 million card transaction records exposed to the public without a password.”