Targeted Victory doesn’t understand the Internet

Targeted Victory built the Victory Passport for the NRSC.  They posted a response to their blog:

The key problem with their statement is the "transmission" part.  They even acknowledge it themselves.  PCI governs the transmission of credit card data as well as the storage.

Targeted Victory, and by proxy the NRSC, are transmitting the credit card data through their non-PCI-compliant servers.

Why is this bad?

If an attacker were to gain access to the NRSC / Targeted Victory’s server, they could siphon off donors’ credit card numbers as they were transmitted to the payment processor.

The fact that the NRSC / Targeted Victory don’t seem to understand this simple idea means that they are probably doing lots of other things incorrectly that we can’t see.  And that’s the scariest part.

How do professionals handle this?

When you give on an ActBlue form (or any other form that was built correctly) there is a two-step process to making a contribution.

  1. When you type in your credit card number, but before you submit your contribution, the number is securely sent to a “Tokenization Vault”.  This vault stores the credit card number and returns a “Token”.
  2. When you submit the contribution, you are actually sending the token to the server and not the credit card number.  This means that the only part of your infrastructure that sees the credit card number is the secure tokenization server.
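
The two-step flow above, as an added example that is not ActBlue's code or part of the original post: a simulated vault, the browser-side step that swaps the card number for a token, and a campaign-server handler. `TokenVault`, `buildContribution` and `acceptContribution` are hypothetical names, and the server-side check that rejects any field carrying a raw card number goes beyond what the post describes.

```javascript
const { randomBytes } = require("node:crypto");

// Luhn checksum: true when a digit string is a plausible card number (PAN).
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

// True when text holds a 13-19 digit, Luhn-valid run (spaces/dashes allowed).
function containsPan(text) {
  const runs = String(text).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, "")));
}

// Stand-in for the tokenization vault: the only component that holds PANs.
class TokenVault {
  constructor() { this.cards = new Map(); }
  tokenize(pan) {
    const token = "tok_" + randomBytes(16).toString("hex");
    this.cards.set(token, pan.replace(/[ -]/g, ""));
    return token;
  }
}

// Step 1 (browser): the card number goes to the vault, not into the form POST.
function buildContribution(form, vault) {
  const { cardNumber, ...rest } = form;
  return { ...rest, cardToken: vault.tokenize(cardNumber) };
}

// Step 2 (campaign server): accept tokens only, fail closed on a raw PAN.
function acceptContribution(body, vault) {
  for (const [field, value] of Object.entries(body))
    if (field !== "cardToken" && containsPan(value))
      return { ok: false, error: `raw card number in field "${field}"` };
  if (!/^tok_[0-9a-f]{32}$/.test(String(body.cardToken)) || !vault.cards.has(body.cardToken))
    return { ok: false, error: "missing or unknown token" };
  return { ok: true, charged: body.amountCents };
}

// Constructed sample donor; 4111 1111 1111 1111 is a standard test number.
const vault = new TokenVault();
const form = { name: "Pat Donor", amountCents: 2500, cardNumber: "4111 1111 1111 1111" };
console.log(acceptContribution(buildContribution(form, vault), vault)); // tokenized
console.log(acceptContribution(form, vault)); // raw PAN posted, rejected
```

A form that posts the card number directly, as described below for the Victory Passport, is the second call: the campaign server has already received the number by the time it can refuse it, which is why the swap has to happen in the browser.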

The NRSC sends the full, untokenized credit card number to their website, which is hosted on a non-PCI-certified server.

Even if they are only passing that credit card information on to their processor, the server that does the passing must be PCI compliant.

Them’s the rules.

Your credit card information is passed directly to WP Engine

When you sign up for the NRSC’s Victory Passport, you enter your personal information including credit card number.  

This information is then POSTed to the NRSC’s servers.  According to their HTTP headers, they are hosting with WP Engine, a well-known WordPress host which is awesome but not PCI compliant:

Why does this matter?

This means your credit card information isn’t safe.  Who knows if it is stored in an industry-standard manner?  The fact that they are sending your credit card number to WP Engine is bad.  If they are storing it there, it’s worse.

Don’t give your credit card information to the NRSC.  They have no idea what they are doing.

If you want to build secure, reliable and PCI-compliant payment infrastructure for the left, ActBlue is always hiring engineers.  Get in touch if you are interested.