What Burger King faces

For those who have not yet read the news about Burger King embedding the unwanted AppSee software in its mobile application, here is a brief summary:

• AppSee is a malware service that can be embedded in a mobile application to obtain screen recordings for some kind of analytics;
• As the intercepted video shows, the data is transmitted without any processing; the video is processed only on the AppSee side, where, as they claim, cardholder data (DDC) is covered with black squares;
• Burger King's representatives took the position that they are not violating anything, since the data reach them from AppSee only after processing, so they do not consider it DDC, as they claim.

Even if you accept that both statements are true, Burger King still violates the security standard simply by sending the video file to AppSee: the expiration date and the cardholder's name must not be transmitted together with the card number (PAN). I will not even go into the phone number. This is a direct violation of PCI DSS in particular and of common sense in general. An ordinary MITM on public Wi-Fi is enough to arrange a DDC leak, and a phone number together with the owner's name is the easiest way to obtain a duplicate SIM card at any branch with basic graphic-editor skills.
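As an added example (not code from this post, nor from Burger King or AppSee), here is the kind of egress check a defender would place in front of any third-party screen-recording or analytics SDK: it scans the outgoing event for a Luhn-valid PAN and an accompanying expiry date, blocks the send, and reports only a masked PAN. The event text format and field names are constructed assumptions.

```python
import re
from typing import Dict, List, Union

# Loose candidate: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiry in MM/YY or MM/YYYY form.
EXPIRY = re.compile(r"\b(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate real PANs from order ids or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_analytics_event(event_text: str) -> Dict[str, Union[List[str], bool]]:
    """Return masked PANs found, whether an expiry accompanies them, and a block verdict."""
    pans: List[str] = []
    for m in PAN_CANDIDATE.finditer(event_text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(mask_pan(digits))
    has_expiry = EXPIRY.search(event_text) is not None
    # Any PAN at all is enough to block; PAN plus expiry is the combination the post calls out.
    return {"pans": pans, "has_expiry": has_expiry, "block": bool(pans)}

# Constructed sample event, as a screen-recording SDK might capture form field text
# (4111... is the standard Visa test number, not a real card; the order id is not Luhn-valid).
SAMPLE_EVENT = (
    "screen=checkout field[card]=4111 1111 1111 1111 field[exp]=12/24 "
    "field[name]=IVAN IVANOV order=1234567890123456"
)

if __name__ == "__main__":
    print(scan_analytics_event(SAMPLE_EVENT))
```

The check is only a safety net for text the app itself hands to an SDK; a raw screen recording has to be stopped at the source by excluding payment screens from capture altogether.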

Burger King itself has passed the standard's compliance assessment, which means it is subject to all of the penalties, namely:

1. Heavy fines
2. Repeated QSA audits
3. A downgraded certification level

In conclusion, I would like to add that standards such as GDPR or 152-FZ, to which they appeal, apply to specific geopolitical areas, whereas PCI DSS is an international payment-system standard and cannot be violated anywhere.
