ICO penalties for not encrypting sensitive personal data

Gary Mulder flyingkiwiguy at gmail.com
Mon Oct 29 22:27:27 GMT 2012

On 29 October 2012 14:26, Peter Tomlinson <pwt at iosis.co.uk> wrote:

> But then came PCI DSS, which I believe means that merchants have to have
> their payment engine certified compliant in order to comply with their
> banking contract. So I don't think that running a non-compliant payment
> site is a criminal offence if the owner doesn't steal money or otherwise
> defraud the visitor, but the bankers will want to shut it down. And Trading
> Standards might be interested, but in which geographical jurisdiction will
> they decide to get involved?
> Peter

Interestingly, it is a legitimate small UK travel agent. Well, legitimate to
the point of providing actual travel services to most of their customers. A
friend of mine used to work there and reported that they re-ticket
customers on functionally equivalent fare codes, and pocket the difference
in ticket price. I believe it could be criminal fraud, but hard to prove.
Of course they use an offshore guy to do the re-ticketing, which is likely
a violation of the DPA, as well.

They also claim to be PCI compliant, which is quite funny, as their net
profits are probably less than the cost of PCI compliance.
