"Hilarious in a sad way, the worst PCI fail I ever had was getting
solicited by a Wedding / Bridal catalog company to assist them in
improving their online ordering and bridal catalog subscription
service. I had no contract with them, this was just a preliminary
"Let's see what we can do for you." They sent us their website, and
also e-mailed me a copy of their site's source code.
In the source code was an SQL dump of over 7 years of brides' personal
information including names, addresses, birthdays, and FULL credit
card numbers, expiration dates, CCVs, card type, phone numbers, email
addresses, and unencrypted passwords.
In shock at seeing this, I called the potential client, said we
couldn't help them and deleted the data as completely as I could."
The winner, “James P”, please mail your address to firstname.lastname@example.org and we will mail you your signed copy of The PCI Book, 3rd edition. And, no, we won’t charge your credit card for that.
The runner-up entries were:
“A very large retailer decides to reorganize their IT department to be more responsive and reactive. As part of that reorganization, they create a group titled 'Enterprise Monitoring' that is responsible for the care/feeding of the log management and analysis solutions. Centralized personnel that actually do the monitoring are pushed out to the business units where, according to IT management, the actual monitoring belongs. Everyone at the meeting announcing this decision says that the name, Enterprise Monitoring, needs to be changed because it gives the impression that the group does the monitoring, but they are overruled.
Spin ahead almost a year later to their PCI assessment. The monitoring personnel that were pushed out to the business units were, surprise/surprise, seen as new bodies that could be used for everything BUT monitoring. So, we have great log management and analysis solutions running, but no one has been monitoring anything for almost a year! When asked, the business units point to the Enterprise Monitoring group and say that it is their responsibility because they are 'Enterprise Monitoring'. DUH!” (source)
“I work with a stadium and arena concessions operation that once told me they were compliant because they put their card swipe readers on the counter and turned them around to face the customer. They no longer touched the cards so this made them compliant. True story.” (source)
“It’s not a fail, but I certainly found humor in this. When enrolling in training with the PCI Security Standards Council, if you would like to pay by credit card they ask that you write your CC#, CVV, Expiration, etc. on the invoice and fax it or mail it to them. They note it is a secure and password-protected fax. I expected something a little more from the people who create the standards, but hey, that’s one way to reduce your scope. Upon receiving the invoice, it was an LOL moment.” (source)
MORE PCI Book CONTESTS ARE COMING!! Stand by….