British Airways breach shows the need for 'constant compliance'
The recent British Airways card breach compromised several types of information that raise both PCI DSS and GDPR concerns.
I have promoted the concept of continuous assurance (continuous auditing and compliance), which enables organizations to stay on top of newly discovered risks and threats and take mitigating actions immediately.
In the case of British Airways, the data that may have been compromised include names, email addresses, credit card numbers and, most surprisingly, CVV codes. Access to CVV data indicates that the attack took place during live transactions, since PCI DSS 3.2.1 prohibits storing CVVs anywhere, at any time.
Were the attackers able to get in through JavaScript executing on the platform, modifying the code directly? If the CVV codes were saved on the British Airways platform, that would be a direct violation of PCI DSS and would have a major impact on the airline.