
I would go for a multi-stage approach here:

- First let them know you know, and that you'd like for this to be handled in the best interest of the users (that's who you're doing this for, right?)

- Then, depending on the response, you have several options:

  - If they stonewall, alert the public.

  - If they respond, figure out what a reasonable timeframe should be for them to become compliant.

  - Then give them that much time and review the new situation.

  - If they're still not compliant but have made progress, review the situation from the new vantage point.

  - If they have not made meaningful progress, alert the public.

Don't let this 'opportunity' get the better of you in the ethics department; what goes around comes around, and since you're doing your utmost to be anonymous here, be aware that you too might have a skeleton or two in your closet, and making enemies with nothing to lose might not be to your advantage.

On the other hand: building a bridge for a competitor to walk over when they were vulnerable might place you well some years down the line when that founder is looking for succession.

As for the whole PCI compliance thing: depending on where this all happens in the chain, the company might be lying about being PCI compliant, or their auditors might have messed up. Either way, nobody appointed you judge, jury and executioner, so tread with some care; the whole thing might backfire in some unexpected and spectacular way if it turns out you were mistaken.




I wouldn't set myself up as a judge. How do you know what a reasonable time-frame is, or meaningful progress?

I'd report it and be done with it. Minimal drama and involvement. Alert the public as a very last resort, if the PCI folks are uninterested (and I guarantee you, they will be interested).


Overall I like this approach. If this is an honest oversight and they take actions to rectify it then that is the best. If, on the other hand, they ignore it then I would let the public and everyone else know because there are a bunch of other people that are at risk.

This gets worse when bank accounts are involved because the protections for businesses and consumers are next to nothing if your information is leaked out from a legal perspective and there are many instances of banks not backing up their customers.

We ended up ending a consulting engagement because a client had some big holes in their account security for bank accounts and had no interest in rectifying that. Our problem with that was twofold. First, our former client's customers had no idea that there was an issue, and second, if a breach did occur it could have put our client's customers out of business. There are stories about that happening.

I have personally run across way too many businesses that are interested in making money, even if that is at the expense of others, with severe consequences for those actions.



