Kandypens Data Breach from March 7th 2019 - February 13th 2020
So, who actually got hacked? If not the CC processor, is it that bad of a situation??? — Baron23
Their own servers.
I have no "inside" info, but 99% of the time these things are because the merchant doesn't listen to us, either because they are trying to save dimes (literally) or, honestly, they are lazy with respect to security. So the hack was almost certainly on their servers, where they chose to store personally identifiable information. The whole purpose of a payment gateway is so that the credit card information is anonymous to the merchant -- they never actually touch the number and other info -- relieving them from having to build their own systems (like Amazon). But it costs money. If they store it on their own servers, then they are responsible for all "PCI security requirements"; if they store it within the payment gateway (built for security), encrypted (costs 10 cents usually), then even if the gateway got hacked (hard, hard, hard) all that would be seen would be a database of gibberish, since the merchant has the "private key" (obviously this itself has "best practices" attached to it).
So in short, the Kandy Pens CTO/CSO/etc. likely fucked up big time, and this is probably the main reason why they settled. They know a jury would want their head.
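A defender-side check that follows from the point above, added here as an example and not part of the thread: a small scanner that flags Luhn-valid card numbers in a merchant's own stored records or logs, which is how you would find out whether raw PANs ended up on your servers instead of staying with the gateway. The sample records, token format and field names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check; every major card brand uses it, so it filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the finding itself is not a second leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (raw match, masked form) for each Luhn-valid card-number-like run in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(0), mask_pan(digits)))
    return hits


def scan_records(records: List[str]) -> Dict[int, List[str]]:
    """Scan merchant-side rows/log lines; map record index -> masked PANs found there."""
    findings: Dict[int, List[str]] = {}
    for idx, rec in enumerate(records):
        hits = find_pans(rec)
        if hits:
            findings[idx] = [masked for _, masked in hits]
    return findings


# Constructed sample data (not real orders): one token-only row, a tracking number that
# should NOT trigger, and two rows that leak a full PAN (well-known brand test numbers).
SAMPLE_RECORDS = [
    "order=1001 gw_token=tok_8f3a2c last4=1111 amount=49.99",
    "order=1002 card=4111 1111 1111 1111 exp=12/24 amount=19.00",
    "order=1003 shipped tracking=1234567890123 amount=5.00",
    "order=1004 card=5500-0000-0000-0004 cvv=123 amount=99.00",
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))  # prints {1: ['************1111'], 3: ['************0004']}
```

A row like order 1001 (gateway token plus last four) is what a merchant that never touches the number should look like; any hit on rows like 1002 or 1004 means card data is living on the merchant's own servers and PCI DSS scope along with it.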