I need some information
confused_developer
04-01-2008, 01:37 PM
I work at a company that has written an application that handles CC processing through Verisign's Payflow Pro system (PayPal bought this from Verisign, I think). Currently CC#s are in the clear in the database since the system began years ago. I have discussed this with other developers but no one else seems to be concerned that this is a huge risk. I've been told that even if the information was lost we hold no responsibility as a company. I was told that our name may be tarnished but we would not owe anybody anything for our negligence.
Is this true, or are they just trying to get me to ignore the issue due to their ignorance? Also, is there any law(s) stating how a private company must secure credit card information?
Thanks for any information you can give.
lyalc
04-01-2008, 01:57 PM
Although there may be no contractual obligations in place due to the legacy nature of agreements, there is always some way that your firm may be penalised if unauthorised access to the database or card data occurs and fraud results.
Examples include:
- Your customers penalised for doing business with your firm until you are compliant
- Civil claims for the cost of re-issuing all compromised cards (US$20 each is a commonly quoted amount).
I understand many US states have laws that require PCI or similar controls for the handling and storage of credit card data, or personal data.
lyalc
dbergert
04-01-2008, 03:45 PM
Currently CC#s are in the clear in the database since the system began years ago. I have discussed this with other developers but no one else seems to be concerned that this is a huge risk.
I guess rather than discussing this with other developers, consider discussing your security concerns with others in the company: any managers, business process owners, accounting or auditing staff, IT Security, or other stakeholders that would care more about this than some of your peers. Who would be affected and complain the most if you pulled the plug on this application/server? That is who you talk to. -- (And then you just put a bug in their ear about concerns on how we store cardholder data, that you are really nervous, and that you read some on this whole PCI thing. Hell, print out an article on the latest PCI breach - that should get some attention to this.)
I'm guessing that, based on the culture of the developers, other security controls are lax as well? I guess I'd see if this is a department or company culture.
Otherwise I'd probably develop a career plan/strategy to exit this company.
PCI applies to any organization that stores, processes or transmits cardholder data -- your company would not be exempt from compliance. Card associations will fine the acquiring bank, and that will pass down to the merchants or service providers responsible for any breach. Depending on the severity you could even get a visit from the FBI, and any forensic computer specialists, if a breach were to occur.
Good Luck - I don't envy your position here.
timcaldwell1
04-01-2008, 08:42 PM
@dbergert: Great advice here...
Ya gotta love the candor of some of the respected posters of this forum.
cmark
04-02-2008, 08:52 AM
To add to the other posts, your company may want to consider the other effects. The card brands have a list of vulnerable applications. Additionally, they have been known to use the 'poison pen' when companies have created products that resulted in data compromise. Finally, Visa has not begun to require that all acquirers only board new merchants that employ PABP validated apps (PA DSS) and by 2010 all merchants must use PABP validated apps. This means that if your company does not adopt the standard by 2010 (in theory) you will not be able to support any merchants.
confused_developer
04-02-2008, 12:42 PM
Thank you all for your input on the issue. I will continue my hunt for something significant to brace my argument. Hopefully I can find a law that will force my company's hand, or maybe just enough evidence from data breaches that someone will have to see the big picture here. After finding out that CC#s are stored in the clear forever, I personally will not do business with our client. That is to say, I will find a competitor if I need the goods our client provides. I am sure that much of the general public would agree and change retailers.
@lyalc
Do you have any thoughts on where I could look to find out what laws there are regarding CC privacy/security in different states? I don't want to release the state that the business operates out of.
@dbergert
The big problem that I face, however, is that I work on software contracts with clients. So it has only recently come to my attention that there are flaws in systems that we are building, because I have never had to deal with these clients previously. My company is made of IT workers with whom I had a discussion about the issues at hand. Everyone seemed to think I was just making a big deal out of nothing. I suppose I could go behind my company's back and discuss the matter with the client, but this will likely cost me my job, and also the client may be persuaded to continue business as normal with me out of the picture. I understand the thought that I should just turn tail and run from a company like this, but that still doesn't solve the issue. The CC#s will still be here regardless of whether I am.
dbergert
04-02-2008, 05:13 PM
After finding out that CC#s are stored in the clear forever I personally will not do business with our client.
So your company's customer loses a customer *AND* receives vulnerable, insecure software. Reminds me of some old friends that don't eat at the same establishments that they worked at, LOL :)
My company is made of IT workers whom I had a discussion with about the issues at hand. Everyone seemed like I was just making a big deal out of nothing.
You brought it to their attention and they choose to ignore it -- Your duty is done if you are not the decision maker -- they "accepted" or "assumed" the risk. (The sad news is likely that the client is most likely relying on the company's professional services, and is uninformed about the impact of this, and has no visibility in the matter)
But depending on the relationship and agreement and statement of work (that we know nothing about, and makes forum conversations interesting) I would suspect that the customer itself has some responsibility in defining the requirements of the project, monitoring, reviewing, and acceptance testing -- They might even be using a Disk Based encryption solution - so they are covered for encrypted CHD :) you never know.
Another angle to your peers could be: point out to the client that their requirements do not specify the protection of cardholder data, that you noticed the application contained a little bit, and that with PCI and <insert breach of the day: umm.. let's see: how about: http://www.paymentsnews.com/2008/04/data-breaches-m.html ?> your company can really help them with this. This could be considered a change of scope and more money to charge the client $$$. You can be a hero here - protect the client, and increased revenue for your company.
Be the hero.
I understand the thought that I should just turn tail and run from a company like this but that still doesn't solve the issue. The CC#s will still be here regardless of whether I am.
The issue isn't the cards - it is the culture and business ethics that you have to live with. (And that you don't agree with what is being done [it bothered you enough to post here], and will have to watch much more of it <-- This is the worst case scenario and speculation; only you can answer this.)
Seriously and Respectfully: As I said, Good Luck - you are in a tough position, trying to do the right thing(tm) without sacrificing yourself. -- a very hard balancing act... Your intent is admirable.
Dave
lyalc
04-03-2008, 12:01 AM
Not being in the US, I don't follow the US state laws on disclosure etc.
Can't help much, sorry.
Google "breach disclosure laws" and I expect there will be lots of relevant hits and commentary.
lyalc
confused_developer
04-04-2008, 06:55 AM
@dbergert
I didn't mean that it was a valid fix for the insecure system. I merely meant that I have become more cautious about who I do business with since this event.
The other item you bring up is that the project scope could be modified. The problem is the project has been finished for over 2 years. This means two years of data is already out there, ripe for the taking. I suppose I need to just sit down with some other developers and discuss the risks of the storage system.
Thanks for the article. I am going to search for a couple more, hopefully with dollar amounts, as I think that will be strong evidence of the risk.
sm1978
04-05-2008, 06:58 PM
You may want to visit CSO: http://www.csoonline.com/article/221322
A map of current laws and their requirements is listed; click on each state for more details.
darryl
07-14-2009, 04:03 AM
Thanks for the insightful post. This is very useful for me. Wow, exactly everything that I wanted to know!
Thanks a lot,