Refunds?!
Dodgy Geezer said:
"Another visit is likely to be from the Argos Security team to their independent PCI auditor and accreditor, asking why this was not spotted and for a refund of their money....."
Because that's not part of the PCI assessor's remit, perhaps? There's a requirement for Argos to have a penetration test, which might or might not pick up on it. An on-site assessment checks that a pen test has happened, and that it looks like a pen test (and not, say, a vulnerability scan), but that's really the only place that would catch this. There's a requirement for cardholder data to never be sent by email too, but that's more a "check policy and ask people if they do it" type question. There's nothing requiring anyone to actively check outgoing emails for cardholder data, which is the sort of thing that *would* catch this.
Of course, this is all assuming that Argos have been found compliant in the first place..... A fair proportion of Level 1 merchants are still a way off being compliant.....
Biting the hand that feeds IT
