The start-up payment processing firm Paay, which advertises itself as adding extra security to online transactions, called that claim into question when it misconfigured a payment card database, exposing 2.5 million credit card transactions and raising questions about its PCI compliance.
New York-based Paay was exposed by security researcher Anurag Sen, who found transaction data including credit card numbers, expiration dates and amounts spent dating back to Sept. 1, according to a TechCrunch story. Paay trades on its use of 3-D Secure, an XML-based protocol designed to be an additional security layer for online credit and debit card transactions.
Ilia Kolochenko, founder and CEO of ImmuniWeb, considered the possibility that the chaos created by COVID-19 may have played a role by distracting the staff, but contended that legal authorities likely would not forgive the error if they find Paay did not meet the PCI standard.
“This occurrence will likely trigger zealous investigations and strict penalties. Likewise, it will presumably bring a series of harsh consequences under PCI DSS that seem to have been considerably ignored in this case,” said Kolochenko. “The western judicial system will unlikely show any leeway for negligent or overly careless data protection even amid this unprecedented pandemic.”
SC Media reached out to Paay for comment but has not yet received a response.
According to the merchant processing firm Century Business Solutions, PCI compliance is compulsory, and if a data breach occurs and a company does not meet the conditions, it will have to pay penalties and fines ranging between $5,000 and $500,000.
“It’s essential for banks of all sizes to only rely on vendors and third parties that are PCI compliant and come equipped with the required security and certifications to keep customers protected,” said Jumio CEO Robert Prigge.
“Startups are seriously harmed by the coronavirus pandemic. Being at their active stage of rapid growth, they usually under-invest time and money into data protection and compliance, falling victim to ubiquitous hackers,” said Kolochenko. “Amid a pandemic, even the biggest financial institutions face major challenges to securely keep their business operations while working from home, let alone ultra-susceptible startups.”
From the merchant’s view, “the timing of this breach also couldn’t be more serious for victims as storefronts are closed amid the global health pandemic and more purchases are made online,” Prigge said. “Impacted users are at higher risk for hackers using exposed credentials to make deceitful purchases.”
Whatever the factors that led to the open server, Paay is another example of an organization not putting enough effort into locking everything down correctly, a far too frequent occurrence.
“Paay’s misconfiguration is quite normal and we’ve grown used to seeing these data leaks pop up in headlines every couple of weeks,” said Chris DeRamus, CTO and co-founder, DivvyCloud. “Companies need to realize that without a holistic approach to security, they open themselves up to undue risk.”