The data theft, which left credit card details exposed from late December until almost the end of January, exploited a security hole in the in-house web application that had been developed to manage Smalldog's ecommerce system.
Don Mayer, CEO of Small Dog Electronics, explained that the company is PCI compliant, and that it had been subjected to a penetration test by a third party, which he would not name. The flaw in the code has now been rectified, and Small Dog is investigating the issue with the pen tester, added Mayer, who did not know what language the ecommerce system had been written in.
"I'm very proud of our staff in terms of their reaction. We have dealt with this very responsibly, and notified customers immediately of the breach," Mayer added. "We are doing everything in our power to reclaim our customers' trust and provide the credit monitoring services that are necessary."
One customer who placed an order with Small Dog at the end of December last year found in mid-January that her credit card was being declined. She subsequently received a data breach notice from Small Dog.
The letter, obtained by Infosecurity US, did not offer her any form of credit protection. Mayer explained that Smalldog was not offering credit protection without being prompted. Customers are being given credit protection via the Experian service, but only if they contact Small Dog and specifically ask for it, he admitted.
"I've been a loyal customer of Smalldog for eight years. I've probably spent around $10 000 with them since then," said the customer, who resolved to call Small Dog when Infosecurity informed her of the retailer's credit protection approach.
"A friend's card was hacked recently [through another company] and she was provided with a year of credit monitoring as recompense," she continued. "Small Dog didn't even offer me a coupon off my next order. I think I'll be buying my Apple products from some other vendors from now on."
19 February 2010
Small Dog offers no proof of PCI compliance, so please stop spreading lies. As proof of PCI compliance, share with us the post-breach forensic report showing that they were in fact PCI compliant.
A self-assessment questionnaire or validation performed by a QSA once a year does not count as proof. A self-assessment can obviously be misrepresented. If a QSA was used, Small Dog could have rushed to make "proof" for the validation (a common problem) even though compliance requirements were not really being met across the board for all systems and policy adherence. It's also probable that some compliance they rushed to meet went away after the validation was finished. After that, there's no longer the pressure to follow policies and procedures required for some PCI DSS requirements. Those PCI DSS required policies and procedures ensure ongoing compliance (the checks and balances approach to PCI DSS).
Analogy: Showing an A grade on an exam doesn't mean you know the content. You could have crammed right before the exam, damn well knowing it's all going away after getting your mark. Or maybe you cheat to get that A since the mark is all you were focused on.
In summary, the only real way to prove actual compliance is in the event of a breach and after a forensic audit is performed. The audit is required to include information on PCI DSS compliance. Let's see it, Small Dog.