The folks at consumerist (excellent site, btw) just posted a copy of the disclosure letter geeks.com (aka computergeeks.com) sent to customers informing them that their credit card data may be compromised.
A few items that concerned me about the disclosure are…
Genica Corporation dba Geeks.com
1890 Ord Way Oceanside, CA 92056
January 4, 2008
The purpose of this letter is to notify you that Genica dba Geeks.com (“Genica”) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, email address, credit card number, expiration date, and card verification number.
Two things immediately jump out at me in this first chunk of text. The first is date of letter compared to the stated date of discovery.
Being a PCI-DSS guy I know that most merchant gateway providers require disclosure within 1 day of “a suspected compromise”. Granted, that is disclosure to the merchant gateway and not customers. However, computer geeks operates out of California which is on the forefront of disclosure laws. In fact the California Security Breach Information Act (SB-1386) states…
Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery
The other troubling part was “and card verification number”. This is the CVV2 that is NEVER to be stored per PCI directive 3.2.2.
3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions
I am troubled by the fact that vendors still remain clueless on best practices and regulations that govern their actions. I am even more disturbed with the fact that (despite these regulations) implementing proper safeguards and demonstrating caution is in their customers best interests, but yet is still not done.