A large payments database owned by New York mobile payments processor PAAY left millions of credit card and other payments transactions exposed for more than three weeks before a security researcher found the security failure.

Security researcher Anurag Sen discovered the database on PAAY’s server without a password, leaving the payments transaction data open publicly for more than three weeks.

After TechCrunch contacted the payments processor on behalf of the security researcher, the database was immediately removed.

“On April 3, we spun up a new instance on a service we are currently in the process of deprecating,” PAAY co-founder Yitz Mendlowitz told TechCrunch. “An error was made that left that database exposed without a password.”

Company response questioned

TechCrunch reported the “transactions contained the full plaintext credit card number, expiry date, and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.” Transactions dated back to Sept 1, 2019.

Mendlowitz initially told the publication the database contained no credit card numbers. “We don’t store card numbers, as we have no use for them,” he said. After a reporter sent a copy of two records containing credit card numbers, the company did not respond to further media questions.

The co-founder said PAAY was advising 15 to 20 merchants of the potential data breach and had engaged a forensic auditor to identify the scope and impact of the security problem.

PAAY claims compliance, analysts wonder how breach happened

The payments processor claims on its website that it maintains high-security compliance and “utilizes EMV 3DS, a global security protocol created by the credit card networks to authenticate CNP cardholders.” PAAY also says it is PSD2 compliant, using strong customer authentication (SCA) to protect its European clients.

Launched in 2011, PAAY has not yet acknowledged the data breach on its website or company blog three days after the security breach was disclosed and reported.

Jonathan Deveaux, head of strategic partnerships for enterprise data security specialists comforte AG, said, “It would be interesting to understand what data protection approach PAAY has deployed to meet PCI DSS requirements for storing credit card data. The Payment Card Industry Security Standards Council (PCI SSC) has implemented standards that must be followed should a payment processor or financial services organization choose to manage credit and debit cards from the four major credit card labels. Violation of the requirements may result in substantial fines or even the suspension of the company’s ability to process credit and debit cards.”

“Requirement 3.4 in the current PCI DSS version (3.2) says to ‘Render PAN unreadable anywhere it is stored.’ A highly effective data protection method, suitably implemented, would have deployed tokenization to replace the actual PAN value with a surrogate value before any data is written to a database. Therefore, if (or when) researchers, as in this case, find open or unsecured databases online, the credit card data they find would be the replacement data – which has no exploitable value,” Deveaux said.

Deveaux said there has never been a reported data breach at an organization that was fully PCI DSS compliant.
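As an added illustration of the storage pattern Deveaux describes (example code, not code from PAAY or any of the companies quoted), the following Python sketch splits a transaction into a token vault, which alone ever sees the PAN, and a transactions record that holds only a random surrogate plus a truncated PAN, so a leaked transactions database yields nothing usable. The vault key, the test PAN and the record layout are constructed for the example; a production vault would additionally encrypt stored PANs under a managed key.

```python
import hmac
import hashlib
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects malformed input before it ever reaches the vault."""
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d * 2 > 9 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated form: first six and last four digits is the most PCI DSS permits to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Vault side of tokenization: the only component that holds PANs.
    Assumption for this example: PANs are kept in memory to show the split;
    a real vault encrypts them under a managed key and lives inside the CDE."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key           # keyed fingerprint so equal PANs reuse a token
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # HMAC rather than a bare hash: a leaked table cannot be brute-forced over 16-digit PANs
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp not in self._token_by_fp:
            token = "tok_" + secrets.token_hex(16)   # random surrogate, no relation to the PAN
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return self._token_by_fp[fp]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def build_transaction_record(vault: TokenVault, pan: str, expiry: str, amount_cents: int) -> dict:
    """What the transactions database stores: surrogate and masked PAN, never the PAN itself."""
    return {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan),
            "expiry": expiry, "amount_cents": amount_cents}
```

The transactions store can still group and analyse spend per card through the stable token, which is the “value-added analytics” case without the plaintext exposure described in the article.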

“Fifteen years of PCI DSS has taught merchants and card processors to encrypt, tokenize and redact cardholder data and never store it live. The risk is too great. New players, especially startups, can’t skip these clear and enforced requirements. Fundamentally, all vendors handling card data should be tokenizing it so they can provide their value-added analytics and business processes without putting the merchant’s cardholder data into attackers’ hands,” said Mark Bower, senior vice president at comforte AG.

“Developer errors, operational configuration accidents, or misunderstanding of very clear PCI rules, unfortunately, don’t cut it for cardholder data security – secure it, or face serious consequences and costs,” Bower added.

Robert Prigge, CEO of identity verification company Jumio Corp., told SiliconANGLE, “It’s important for banks of all sizes to only rely on vendors and third parties that are PCI-compliant and come equipped with the necessary security and certifications to keep customers protected.” Prigge said passwords are no longer adequate protection for sensitive data in today’s fraud environment when other alternatives, such as artificial intelligence and facial recognition, are available.

While the company struggles to respond to inquiries, speculation continues on how and why a serious data breach could happen to a company handling secure payment processing for a wide range of high-profile clients.

Several other high-profile payments processors were also victims this year including two companies processing payments for court fines and utilities, and a Christian service called Cornerstone Payments. The US Small Business Administration (SBA) may also have left data exposed for more than 8,000 small businesses seeking coronavirus-related loans.

The PAAY data breach is potentially even more harmful in today’s coronavirus environment: many people are out of work, banks are struggling to handle customer business, more purchases are made online, and fraudsters are exploiting work-from-home security challenges and other unique ways to attack businesses and consumers.