Forever 21: PCI Auditor Missed 5-Year-Old Transaction Data
Evan Schuman writes on StorefrontBacktalk:
As more details drip out from Forever 21's data breach of almost 100,000 payment cards, the chain now says it had been certified PCI compliant, despite having stored complete card information from as far back as 2003.More here.
"The files were inadvertently retained within other data files and this was not uncovered by the assessor," a statement from the chain said. (Our story from last week has been updated with the new information, along with a link to the earlier report of the breach.)
This is proving to be a frightening trend, with retailers believing they are compliant and much later on discovering various pockets of forbidden data scattered through their network.