Wednesday, August 14, 2013

Smartphone Experts notifies customers of hack

That's the usual story: a payment-processing site or application got hacked, customers' data landed in the hackers' hands, and the company notified its customers. However, there is something that really shocks me:

Although stored customer data were encrypted, Diana Kingree, the Senior Vice President of Commerce, noted that the hacker may have been able to use a decryption feature of the system to view customers’ names, addresses, credit or debit card number, CVV, and card expiration date.
The PCI DSS requirements state in point 3.2.2:

Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions. 
This code exists for transactions in which neither the cardholder nor the card is physically present where the payment takes place (card-not-present transactions). It is, to some extent, a password or a PIN: whoever can type it is supposed to have the card in hand. Requirement 3.2 is also explicit that sensitive authentication data must not be stored after authorization even if encrypted, so the encryption mentioned in the notice changes nothing. Why do companies still store the CVV? Beats me.

Storing the CVV defeats its whole purpose: making sure that the person making the payment actually has the card. Once it sits in the same database as the card number and expiration date, anyone who obtains that database, by breaking the encryption or, as here, by using the application's own decryption feature, holds everything needed for card-not-present purchases, and the check proves nothing. The CVV should be handed to the processor for authorization and then discarded; any table, backup or log with a column for it is a finding.
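The point above, as an added example that is not code from the original post or from Smartphone Experts' system: a toy card-not-present authorization flow with a hypothetical issuer, a merchant that persists the whole card (the situation the post describes) and a merchant that uses the CVV once and keeps only a PAN token, last four digits and expiry. The card number, names, issuer logic and field names are all constructed for illustration; a real issuer verifies the CVV with HSM-held keys, not a dictionary lookup.

```python
"""
Added example (not the original post's code): why the CVV is a proof of
possession only if the merchant never persists it. All data is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass


class MockIssuer:
    """Hypothetical issuer: approves a CNP charge only if expiry and CVV match."""

    def __init__(self):
        # Constructed sample card as the issuer knows it: PAN -> (expiry, CVV).
        self._cards = {"4111111111111111": ("12/26", "123")}

    def authorize_cnp(self, pan, expiry, cvv, amount):
        rec = self._cards.get(pan)
        if rec is None or amount <= 0:
            return False
        known_expiry, known_cvv = rec
        # A missing or wrong CVV is a decline: the caller has not shown the card.
        return (expiry == known_expiry and cvv is not None
                and hmac.compare_digest(cvv, known_cvv))


@dataclass(frozen=True)
class CardInput:
    """What the customer types at checkout; lives only for this request."""
    name: str
    pan: str
    expiry: str
    cvv: str


class LeakyMerchant:
    """The situation in the post: the whole card, CVV included, lands in the DB."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.db = []

    def pay(self, card, amount):
        approved = self.issuer.authorize_cnp(card.pan, card.expiry, card.cvv, amount)
        if approved:
            self.db.append({"name": card.name, "pan": card.pan,
                            "expiry": card.expiry, "cvv": card.cvv})
        return approved


class CompliantMerchant:
    """Uses the CVV once for authorization, then keeps only what PCI DSS allows."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.db = []
        self._vault = {}  # token -> PAN; stands in for a tokenization service

    def _tokenize(self, pan):
        token = secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def pay(self, card, amount):
        approved = self.issuer.authorize_cnp(card.pan, card.expiry, card.cvv, amount)
        if approved:
            # No "pan" and no "cvv" key: the CVV is dropped with the request object.
            self.db.append({"name": card.name, "pan_token": self._tokenize(card.pan),
                            "last4": card.pan[-4:], "expiry": card.expiry})
        return approved


# Column names that indicate sensitive authentication data is being retained.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track", "track1", "track2", "pin"}


def forbidden_fields(records):
    """Audit check: which forbidden columns appear in the stored records?"""
    found = set()
    for rec in records:
        found |= {k for k in rec if k.lower() in FORBIDDEN_FIELDS}
    return found


def replay_from_stolen_db(issuer, records, amount):
    """An attacker who dumped (and decrypted) the merchant DB retries CNP charges."""
    successes = 0
    for rec in records:
        if issuer.authorize_cnp(rec.get("pan"), rec.get("expiry"), rec.get("cvv"), amount):
            successes += 1
    return successes


if __name__ == "__main__":
    issuer = MockIssuer()
    card = CardInput("A. Customer", "4111111111111111", "12/26", "123")
    leaky, compliant = LeakyMerchant(issuer), CompliantMerchant(issuer)
    print("leaky approved:", leaky.pay(card, 25))
    print("compliant approved:", compliant.pay(card, 25))
    print("stolen leaky DB -> fraudulent charges:", replay_from_stolen_db(issuer, leaky.db, 25))
    print("stolen compliant DB -> fraudulent charges:", replay_from_stolen_db(issuer, compliant.db, 25))
    print("forbidden columns, leaky:", forbidden_fields(leaky.db))
    print("forbidden columns, compliant:", forbidden_fields(compliant.db))
```

Both merchants get the same approval from the issuer, so storing the CVV buys the business nothing; the difference shows only after a breach, where every record from the leaky database replays as a successful card-not-present charge and none from the compliant one does. The `forbidden_fields` audit is the kind of check worth running against every schema, backup and log format that touches checkout.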