The ICO’s monetary penalty notice (MPN) issued to Ticketmaster makes interesting, if worrying, reading. LOTS of buck passing preceded, and arguably slowed, identification of the compromise. Indeed, a customer notified Ticketmaster via Twitter about the vulnerability some 6 or 7 weeks before Ticketmaster and their incident response team identified it.
It seems fairly obvious to the Outsourced DPO, who is not a particularly technical person, that putting a chat bot on a payments page was a risky idea. Putting anything on a payments page that is superfluous to the function of processing payment information is a bad idea, and the PCI DSS prohibition on using end user messaging technologies such as chat and email for transmitting payment card information should have been a clear warning. However, someone at Ticketmaster must have successfully argued that the chat bot was essential for the “customer journey”, because there it was.
The MPN points out several failures by Ticketmaster to meet the Payment Card Industry Data Security Standard (PCI DSS). This is interesting, as the Marriott MPN also cited the PCI DSS. Ticketmaster argued that the chat bot was not designed to process cardholder data. But as a component connected to the cardholder data environment (CDE), it was always within, or potentially within, the scope of that environment. As the merchant (i.e. Ticketmaster) is responsible for identifying the scope of its CDE, perhaps the exclusion of the chat bot was never challenged.
Some interesting take-aways from the Ticketmaster MPN are:
- Commercial and marketing representations about the customer experience need tempering and risk assessing;
- Just as we are to minimise data collection, we should keep application functionality to an absolute minimum: don’t deploy unnecessary functions, or switch them off if they are already there;
- Challenge the scoping of your PCI DSS cardholder data environment – don’t assume it was correctly scoped last year and remains “as is”;
- Regularly test your customer journeys on your websites and document the findings;
- Up-to-date knowledge of the technologies you choose to implement and use is a prerequisite. If you don’t understand the latest or state-of-the-art thinking about those technologies, don’t deploy them until you do.