Customer Cardholder Data Environments – What Could Go Wrong?

By Myles Dacres

A good deal of Friday and yesterday was spent trying to unravel dataflows and network topography to determine the scope of a customer’s cardholder data environment (CDE).  Three interesting channels are currently under scrutiny but today’s job is to get to the bottom of an e-commerce website white labelled by our client and provided by an outsourced merchant.  After landing on our client’s website, clicking on the “shop” link takes the user off to the e-commerce merchant’s portal.  Goods and services are selected and at the point of purchase, the user either has to login to the portal or create an account and log in.  Then the user is transferred to an approved secure payment portal along with the value of the transaction.  Card details are entered.  An interesting twist is that the e-commerce portal has an add-in translation function which translates the information on the page as well as the navigation, footers etc. between English and other languages.

So, what could go wrong?

For a start, we’re wondering how the language plug-in actually works?  What if an attacker could amend the text and send the user off to a rogue payment page?  Is it some kind of Java functionality or perhaps it draws data from a content management system when the language switch is activated?  How secure is this feature?  Then we are wondering how much of the client’s website within scope?  Is it one page, more than that or all of it?  How exactly does our client segment and protect the bought-in e-commerce site and links?  How does it work with the translation function?  Where are these websites, who develops them and to what standards?  What exactly is a portal anyway?  It seems to be an over-used descriptor for all sorts of different things.

The brief was received late on Thursday.  “We have these new payment channels that people have committed to during lockdown, would you (DPP) review and sign off our risk assessment paperwork?”  The trouble is that without seeing how these channels are put together, it is simply not possible to give a considered response to a short risk assessment.  The risk assessment highlights that passwords are never required to be changed on the portal!  Wow!  And that there is no log-in logging.  It suggests this is non-compliance with Article 6 of the GDPR as well as a potential PCI DSS non-compliance.

If something so elementary as that is missing, what exactly are we looking at and where is the detail behind the risk assessment?  So we have arranged a meeting with the vendor: the e-commerce portal provider to go through the channel in more detail.

The nagging question is why are we doing this retrospectively and what if we find a can of worms?

Philip Brining – Director – Data Protection People 

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021