“Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” Sony is reported to have said to the 77 million customers whose personal data was compromised between 17 and 19 April 2011.
Why? Why was Sony storing credit card numbers at all? PCI DSS (Requirement 3) says that cardholder data must not be stored unless there is a clear business need for it, that the security code and other sensitive authentication data must never be stored after authorisation, and that where the card number itself does have to be kept it must be rendered unreadable, for example by strong encryption with proper key management, truncation, tokenisation or a one-way hash. The wording of Sony's warning ("excluding security code") suggests at least that the CVV was not kept, but it would not need to tell customers that the numbers and expiry dates "may have been obtained" if those numbers had been unreadable to whoever got in. Does PCI DSS not apply to Sony, or what? Every day we see small e-commerce businesses being hounded into PCI compliance by their acquiring banks, often at a cost far greater than the immediate value to their business, but apparently not Sony. Is Sony too big to comply?
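One caveat a practitioner will want here: "hashed so that it is unreadable" is only true if the hash is keyed. A 16-digit card number has almost no entropy once an attacker knows the parts that are routinely exposed anyway (the first six digits, the BIN, which turn up on receipts and in transaction logs, and the last four, which appear on statements and in user interfaces); the Luhn checksum fixes one of the six remaining digits, so an unkeyed SHA-256 of the full PAN can be reversed with about 100,000 hash computations. This is why PCI DSS v4.0 requires that hashes used to render PAN unreadable be keyed (requirement 3.5.1.1). The script below is an added illustration, not code from the original post or from Sony; the card number 4111111111111111 is a constructed test number, and the attacker model (BIN plus last four known, hash table stolen) is an assumption for the example.

```python
"""Why an unkeyed hash of a card number is not "unreadable".

Given a stolen hash plus the routinely exposed first 6 and last 4 digits,
an attacker enumerates every Luhn-valid candidate PAN and hashes each one.
With an unkeyed hash the real PAN is found; with an HMAC under a key the
attacker does not have, no candidate matches.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterator, Optional


def luhn_contribution(digit: int, doubled: bool) -> int:
    """Luhn weight of one digit: digits in 'doubled' positions count 2d (minus 9 if >9)."""
    if not doubled:
        return digit
    d = digit * 2
    return d - 9 if d > 9 else d


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; every second digit from the right (excluding the check digit) is doubled."""
    n = len(pan)
    total = sum(luhn_contribution(int(ch), (n - 1 - i) % 2 == 1) for i, ch in enumerate(pan))
    return total % 10 == 0


# The doubled-digit map is a bijection on 0..9, so it can be inverted with a table.
_INV_DOUBLED = {luhn_contribution(d, True): d for d in range(10)}


def candidate_pans(prefix: str, last4: str, length: int = 16) -> Iterator[str]:
    """Yield every Luhn-valid PAN of `length` digits with the given prefix and suffix.

    All unknown digits but the last are enumerated; the last one is solved from
    the checksum, so each yielded PAN is valid by construction. For a 16-digit
    PAN with 6 known leading and 4 known trailing digits that is 10**5 candidates.
    """
    free = length - len(prefix) - len(last4)
    if free < 1:
        raise ValueError("no free digits to enumerate")

    def weight_at(i: int) -> bool:
        return (length - 1 - i) % 2 == 1

    fixed_sum = sum(luhn_contribution(int(ch), weight_at(i)) for i, ch in enumerate(prefix))
    fixed_sum += sum(luhn_contribution(int(ch), weight_at(length - len(last4) + k))
                     for k, ch in enumerate(last4))
    solve_idx = len(prefix) + free - 1          # index of the digit we solve for
    solve_doubled = weight_at(solve_idx)

    for middle in range(10 ** (free - 1)):
        mid = "" if free == 1 else str(middle).zfill(free - 1)
        s = fixed_sum + sum(luhn_contribution(int(ch), weight_at(len(prefix) + k))
                            for k, ch in enumerate(mid))
        need = (-s) % 10
        last = _INV_DOUBLED[need] if solve_doubled else need
        yield prefix + mid + str(last) + last4


def unkeyed_hash(pan: str) -> str:
    """What "hash the PAN" naively means: a plain SHA-256 over the digits."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(key: bytes, pan: str) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret key held outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target_hex: str, prefix: str, last4: str, length: int = 16,
                hash_fn: Callable[[str], str] = unkeyed_hash) -> Optional[str]:
    """Brute-force the PAN behind `target_hex` by hashing every Luhn-valid candidate."""
    for pan in candidate_pans(prefix, last4, length):
        if hmac.compare_digest(hash_fn(pan), target_hex):
            return pan
    return None


if __name__ == "__main__":
    pan = "4111111111111111"        # constructed test number, not a real card
    stolen = unkeyed_hash(pan)      # what the attacker lifts from the database
    print("unkeyed:", recover_pan(stolen, pan[:6], pan[-4:]))
    key = secrets.token_bytes(32)   # kept in an HSM or KMS, not next to the table
    stolen_keyed = keyed_hash(key, pan)
    print("keyed:  ", recover_pan(stolen_keyed, pan[:6], pan[-4:]))
```

The keyed version is only as strong as the key's separation from the database: if the key sits in the same compromised host, the attacker simply runs the same enumeration with `keyed_hash`. Truncation, tokenisation or encryption under a key managed outside the application tier are the options the standard lists precisely because they keep the recoverable secret out of the table that gets stolen.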
And what exactly does Sony mean when it talks about "an abundance of caution"? It was not cautious enough to protect cardholder data in the first place and, as Alan Paller of the SANS Institute was reported by Reuters to have said, Sony may also have a tendency to throw up unreviewed, insecure code in a rush to get products to market. So, overall, not very cautious at all. Negligent, in fact, you might think.