THE RETAIL BULLETIN - The home of retail news
Click here
Home Page
News Categories
Commentary
CX
Department Stores
Desert Island Stores
Electricals and Tech
Entertainment
Fashion
Food and Drink
General Merchandise
Grocery
Health and Beauty
Home and DIY
Interviews
People Matter
Retail Business Strategy
Property
Retail Solutions
Electricals & Technology
Sports and Leisure
TRB conference review
Christmas Ads
Shopping Centres, High Streets & Retail Parks
Uncategorized
Retail Events
People in Retail Awards 2024
Retail Ecom North
Retail HR North 2025
Retail Omnichannel Futures 2025
Retail HR Central 2025
The Future of The High Street 2025
Retail Ecom Central
Upcoming Retail Events
Past Retail Events
Retail Insights
Retail Solutions
Advertise
About
Contact
Subscribe for free
Terms and Policies
Privacy Policy
CitySights card hack could generate PCI DSS fallout

Reports that the Web site of a New York-based tour firm has been hacked may have repercussions for the company on the PCI DSS front. According… View Article

RETAIL SOLUTIONS UK NEWS

CitySights card hack could generate PCI DSS fallout

Reports that the Web site of a New York-based tour firm has been hacked may have repercussions for the company on the PCI DSS front.

According to Amichai Shulman, chief technology officer with the data security company Imperva, the hack itself occurred via a SQL Injection attack. In such an attack, the hacker gains illegal access to information in the database. As media reports have shown, the hacker launched the attack on September 26 over a 3 week period obtaining over 100K credit card details including the account number, expiration date, CVV2, and other personal identifying information such as home and email addresses.

Shulman’s team had investigated this attack, and what they found was an Indonesian hacker’s blog listing numerous websites vulnerable to attack, including the site of CitySights. Interestingly enough, the blog’s entry was dated September 9th – more than two weeks prior to the initial attack campaign.

 

While this case clearly illustrates the security misgivings the company suffered from, CitySights may also be in breach of the PCI DSS industry regulation. The PCI regulation, mandated by major credit-card processing companies such as Visa and Mastercard, defines the required security controls to be placed on the storage and processing of credit cards. The PCI regulation includes specific requirements in regards to the storage of unencrypted credit card data as well as prohibiting the storage of sensitive authentication data (CVV2) all together.

Since the hacker was able to gain access to this data, “may indicate that the firm’s data security practices are not aligned with PCI DSS requirements”, Shulman proceeds to say.

Subscribe For Retail News