
Someone just lost 324k payment records, complete with CVVs - just_observing
https://www.troyhunt.com/someone-just-lost-324k-payment-records-complete-with-cvvs/
======
just_observing
"Let's talk about that CVV for a moment. ... PCI DSS is very clear about how
the CVV (or CVV2 as it is these days) should be stored ... It shouldn't be
stored and that's what makes this breach such a big issue. Violation of PCI
DSS guidelines can lead to pretty serious fines and even loss of merchant
facilities; the card providers take this very seriously.

It checked out - this is the CVV."

~~~
pjc50
While we're on the subject, how do Amazon get a pass for not making the user
re-enter the CVV for every transaction?

~~~
TimWolla
AFAIK the CVV is not required to perform a transaction. It's just that you
take the hit in case a fraud occurs when you don't check the CVV.

~~~
devicenull
Depends on your merchant account I believe. We tokenize them somehow, and can
do further transactions by referencing the first transaction.

------
admiralhack_
The author doesn't explicitly mention it, but the CVVs were saved as a part of
debug logging. That mistake should serve as a warning to others implementing
PCI DSS systems.

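The failure mode admiralhack_ describes, card data written into debug logs, as an added example (not code from the post, from Troy Hunt's write-up, or from Regpack): a Python `logging.Filter` that scrubs CVV and PAN fields from structured log arguments and from already-flattened text before a record is formatted. The field names, regexes and sample payloads below are constructed assumptions, not anything taken from the breached system.

```python
import logging
import re

# Field names whose values must never reach a log (PCI DSS sensitive authentication
# data; the CVV may not be stored at all, debug output included). Constructed list.
SENSITIVE_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "security_code", "pan", "card_number"}
# The same data after it has been flattened into text, e.g. a dumped request body.
CVV_RE = re.compile(r'(?i)\b((?:cvv2?|cvc2?|security[_ ]code)["\']?\s*[:=]\s*["\']?)(\d{3,4})')
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn check so order ids and timestamps are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # not a card number, leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four only

def redact_text(text):
    text = CVV_RE.sub(r"\g<1>[REDACTED]", text)
    return PAN_RE.sub(mask_pan, text)

def redact_value(value):
    # Walk dicts/lists/strings so structured payloads are scrubbed before %s renders them.
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact_value(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact_value(v) for v in value)
    return redact_text(value) if isinstance(value, str) else value

class CardDataFilter(logging.Filter):
    """Attach to the root logger or a handler so every record is scrubbed before formatting."""
    def filter(self, record):
        record.msg = redact_value(record.msg)
        if record.args:  # a tuple, or a dict when a single mapping was passed
            record.args = redact_value(record.args)
        return True

def safe_message(msg, *args):
    """Build a record the way logging does, run the filter, return the rendered line."""
    record = logging.LogRecord("payments", logging.DEBUG, "payments", 0, msg, args, None)
    CardDataFilter().filter(record)
    return record.getMessage()
```

The filter runs before formatting, so it catches both the `logger.debug("request: %s", payload)` case and a body that was already dumped to a string.
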
~~~
karmajunkie
Where do you have that information from? I've seen the theory in the comments
on Troy's website, but no confirmation of it. My kid's after school program
got hit and I'm working with them to translate Regpack's obfuscation of what
went on and ask some pointed questions.

------
oneloop
Oh man this Troy guy is the hero we need, fighting the good fight.

