Tesco Online Internet Security Flaw

Tesco have failed to make their system secure and compliant with the Payment Card Industry (PCI) Data Security Standard: they send users' passwords in plain text over email. This is a huge security issue for a company of its size, and for all the personal information stored by its users.

Requirement: 3.4.a
Testing procedure: Obtain and examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable). Verify that the PAN is rendered unreadable using any of the following methods:

  • One-way hashes based on strong cryptography
  • Truncation
  • Index tokens and pads, with the pads being securely stored
  • Strong cryptography, with associated key-management processes and procedures
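A password that can be mailed back to a customer in plain text must be stored in a form the site can read back out, which is exactly what the first method in the list above (a one-way hash based on strong cryptography) prevents. The following Python example is added here to illustrate the point; it is not code from the original post or from Tesco. It contrasts a plaintext password store with one that keeps only a salted PBKDF2-HMAC-SHA256 hash: login still works against the hash, but a "reminder" email can no longer contain the password because nobody, including the site, can recover it. Iteration count, salt length and the user records are constructed sample values.

```python
"""Added example (not from the original post): plaintext password storage
versus salted one-way hashing, and what each allows a "reminder" email to say.
Standard library only; all user records are constructed sample data."""
import hashlib
import hmac
import os

# PBKDF2 parameters: assumed values for this example, not a site's real settings.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    A fresh random salt is drawn unless one is supplied (supplied only for tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class PlaintextStore:
    """The pattern the post describes: the password is kept as typed, so a
    'forgot password' feature can simply read it back and email it."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password

    def login(self, username, password):
        return self._users.get(username) == password

    def reminder_email_body(self, username):
        # The whole problem in one line: the secret goes out over email.
        return f"Your password is: {self._users[username]}"


class HashedStore:
    """Only the salted one-way hash is stored. Login still works; a reminder
    email cannot contain the password because it cannot be recovered."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        record = self._users.get(username)
        return record is not None and verify_password(password, record)

    def stored_record(self, username):
        """What a database dump or a careless email template would expose."""
        return self._users[username]

    def reminder_email_body(self, username):
        # The site holds no password to send; it can only offer a reset.
        # (Generating and mailing a single-use reset token is not shown here.)
        return "Use the password-reset link to choose a new password."


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.register("alice", "s3cret")  # constructed sample user
        print(type(store).__name__, store.login("alice", "s3cret"),
              store.reminder_email_body("alice"))
```

The `stored_record` method is there to make the difference concrete: in the hashed store the record holds the algorithm name, iteration count, salt and digest, none of which yields the password without guessing it, so even an operator with database access cannot write the kind of email the post complains about.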

The very same issue was raised back in 2007 by a blogger, Jemjabella, and still nothing has been done about it. Will Tesco get their act together and resolve it this time? In the meantime, change your password!