Targeted Victory built the Victory Passport for the NRSC. They posted a response on their blog:
The key problem with their statement is the "transmission" part. They even acknowledge it themselves. PCI governs the transmission of credit card data as well as the storage.
Targeted Victory, and by proxy the NRSC, are transmitting the credit card data through their non-PCI-compliant servers.
Why is this bad?
If an attacker were to gain access to the NRSC / Targeted Victory's server, they could siphon off the donors' credit card numbers as they were transmitted to the payment processor.
The fact that the NRSC / Targeted Victory don’t seem to understand this simple idea means that they are probably doing lots of other things incorrectly that we can’t see. And that’s the scariest part.
How do professionals handle this?
When you give on an ActBlue form (or any other form that was built correctly) there is a two step process to making a contribution.
- When you type in your credit card number, but before you submit your contribution, the number is securely sent to a "tokenization vault". This vault stores the credit card number and returns a "token".
- When you submit the contribution, you are actually sending the token to the server and not the credit card number. This means that the only part of the infrastructure that ever sees the credit card number is the secure tokenization server.
The NRSC sends the full, untokenized credit card number to their website, which is hosted on a non-PCI-certified server.
Even if they are only passing that credit card information on to their processor, the server that does the passing must be PCI compliant.
Them’s the rules.