No reason to ship credit card data to third parties, says expert

Organizations shouldn’t ship data that includes sensitive subscriber credit card and verification numbers to a third party for processing, says a Canadian IT security expert.

“There’s absolutely zero reason for a third party to have access to credit card numbers unless they are a payment processor,” said Michael Ball, a former CISO for Canadian organizations who has held several IT security roles.

As a best practice, Ball said, credit card data should be tokenized — that is, substituted with non-sensitive data in the form of an encrypted token. The token can still be used within an application, but the data it represents can’t be exploited.

The Payment Card Industry (PCI) standard for handling credit card data doesn’t allow the transfer of real payment card information to third parties, he added.

Ball was speaking after Freedom Mobile acknowledged Tuesday that a third-party processor called Apptium Technologies had not adequately protected a database the carrier sent the firm “to streamline our retail customer support processes.” Data on 15,000 customers “was exposed as the result of a misconfigured server” by Apptium, the carrier said.

Headquartered in Virginia with offices in several cities including Mississauga, Ont., Apptium sells a platform that enables organizations to improve dealings with customers. Telcos are among its target market, with customers including Canada’s Allstream.

Apptium couldn’t be reached for comment by press time.

According to security researchers with a company called vpnMentor who broke the story, the open and unencrypted database included customer names, email addresses, home and mobile phone numbers, home addresses, dates of birth and credit card and card verification numbers. In an email, vpnMentor said the database was accessed through an open port.

The researchers thought there was data on 1.5 million customers, but the carrier said it was 15,000.

Those affected are customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations between March 25 and April 15, and any customers who made changes or opened accounts on April 16.

Third party risk

The risk of third parties being a source of security incidents came to the fore after the 2013 breach of U.S. retailer Target, when hackers got into the company’s system through a heating and ventilation contractor that had online access.

Since then, Ball said, organizations have learned to review the IT security policies of third parties, possibly obliging them to either go through or show evidence of penetration tests to prove their readiness. Service contracts should include penalties for misusing data.

Asked how a primary data provider can assure itself that no one — employee or third party — makes mistakes handling data that result in a security incident, Ball said every organization must have processes in place, including checklists for who can access data and how. “There should be a number of ways that would protect data from open Internet access,” he said. “There is no reason for this data to have open Internet access.”


Howard Solomon