
Ask HN: PCI Violation by client storing 'cardholder data' - alanhoskins
I was recently contacted to fix the admin portion of a website that was not loading properly. Upon fixing the issue, I found that the website is storing credit card information (number, expiration, CVV and customer info) in their database and even displaying it in plain text to the admin for processing offline.

I've informed the client that this needs to be fixed as soon as possible and that it is a violation. From what I saw they have at least 4000+ entries of cardholder data.

What, if anything, should I do?
======
cabrel
Companies like this are why breaches can be so devastating (financially and
privacy-wise) to the general public [1].

If you know who their credit card processor is, you should go directly to them
and report the problematic business. You can also go to the credit card
company sites and contact them directly. If you know who their QSA is, I
would also contact the credit card companies about the QSA and they can
investigate whether his PCI auditor status should be revoked. [2]

It is in the credit card companies' best interest to investigate things like
this, which is why the channels exist to report these instances.

For reference, requirement no. 3 of the PCI standards covers the appropriate
procedures for storing this type of information [3].

IANAL and all that..

[1] See the first comment of
[https://news.ycombinator.com/item?id=14401825](https://news.ycombinator.com/item?id=14401825)

[2] [https://www.pcicomplianceguide.org/how-do-i-report-a-pci-violation/](https://www.pcicomplianceguide.org/how-do-i-report-a-pci-violation/)

[3] See page 36 of
[https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1495633461855)

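An added example for the situation in the question (a table full of plaintext card numbers and CVVs), not code from the thread or from the poster's client. Before reporting, a practitioner wants to know the scope without copying card data around: how many rows hold a real PAN (Luhn-valid 13-19 digit run, so order numbers and phone numbers don't inflate the count), which columns carry sensitive authentication data such as the CVV that must not be stored at all, and a masked sample for the write-up. It also shows the minimal stop-the-bleeding remediation: truncate PANs to the first six and last four digits and drop the CVV column. The rows and column names below are constructed; the PANs are the usual Visa/Mastercard/Amex test numbers, not real cards.

```python
"""Triage and minimal redaction of a table holding plaintext cardholder data.
Added example; sample data and schema are constructed."""
import re
from collections import Counter

# A 13-19 digit run with optional single space/dash separators, e.g. "4111 1111 1111 1111".
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Column names that typically hold sensitive authentication data, which PCI DSS
# forbids storing after authorization (assumed names; adjust to the real schema).
SAD_COLUMNS = {"cvv", "cvc", "ccv", "cvv2", "security_code", "pin", "track_data"}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check; filters out order ids and phone numbers of card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Luhn-valid candidate PANs in one field, separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the most PCI DSS permits to display); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_rows(rows: list[dict]) -> dict:
    """Summarise exposure without writing any full PAN anywhere."""
    affected = 0
    pan_columns: Counter = Counter()
    sad_columns: set = set()
    samples: list[str] = []
    for row in rows:
        row_has_pan = False
        for col, val in row.items():
            if val is None:
                continue
            text = str(val)
            if col.lower() in SAD_COLUMNS and text.strip():
                sad_columns.add(col)            # CVV/PIN present: must be purged, not encrypted
            for pan in find_pans(text):
                row_has_pan = True
                pan_columns[col] += 1
                if len(samples) < 3:
                    samples.append(f"{col}={mask_pan(pan)}")
        if row_has_pan:
            affected += 1
    return {
        "rows_scanned": len(rows),
        "rows_with_pan": affected,
        "pan_columns": dict(pan_columns),
        "sad_columns": sorted(sad_columns),
        "samples": samples,
    }


def _mask_match(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return mask_pan(digits) if luhn_valid(digits) else m.group(0)


def redact_row(row: dict) -> dict:
    """Stop-gap remediation: drop SAD columns entirely, truncate every PAN in place.
    Tokenising through the processor is the proper long-term fix."""
    clean = {}
    for col, val in row.items():
        if col.lower() in SAD_COLUMNS:
            continue
        clean[col] = PAN_RE.sub(_mask_match, val) if isinstance(val, str) else val
    return clean


# Constructed sample rows (standard test PANs, not real cards).
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Customer", "card_number": "4111 1111 1111 1111",
     "expiry": "12/26", "cvv": "123", "notes": "order 1234567890123456"},
    {"id": 2, "name": "B. Customer", "card_number": "378282246310005",
     "expiry": "03/27", "cvv": "9876", "notes": None},
    {"id": 3, "name": "C. Customer", "card_number": "", "expiry": "", "cvv": "",
     "notes": "phone 555-123-4567, paid by invoice"},
]

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
    print(redact_row(SAMPLE_ROWS[0]))
```

Run the scan over a dump or a read-only query result before touching anything: the summary (row count, columns, masked samples) is what the processor or acquirer will ask for, and it does not itself become another copy of the cardholder data. Note that the 16-digit order number in `notes` is ignored because it fails the Luhn check.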
------
gregjor
You did what you can do. Maybe point them to their merchant agreement and PCI
compliance rules. I've run into this before and clients have paid me to fix
the problem.

