ICO penalties for not encrypting sensitive personal data

Peter Tomlinson pwt at iosis.co.uk
Mon Oct 29 14:26:39 GMT 2012

From material and people dug up by Smartex over the years, some time 
ago the police decided that the bank card payment system is so prone to 
problems that they were not prepared to be the first port of call for 
aggrieved people. Not that the police have completely abdicated, they 
just want the serious incidents passed on, and they are also pro-active 
- for example a year or so ago a gang was "cashing out" in the early 
morning at ATMs in Bristol's central shopping area, an operator of a 
private 24 hour CCTV service spotted it, called the police, and a big 
gang was rounded up (they had counterfeit bank cards). That lady who 
used to represent the banks (her manner on TV reminded me of "She only 
does it to annoy...") kept on assuring us that things were getting 
better [1].

But then came PCI DSS, which I believe means that merchants have to have 
their payment engine certified compliant in order to comply with their 
banking contract. So I don't think that running a non-compliant payment 
site is a criminal offence if the owner doesn't steal money or otherwise 
defraud the visitor, but the bankers will want to shut it down. And 
Trading Standards might be interested, but in which geographical 
jurisdiction will they decide to get involved?


[1] She is now Chief Exec of Energy UK. Actually the correct text is "He 

On 29/10/2012 09:30, Mary Hawking wrote:
> Is this a criminal offence, and if so under what law? (I'm assuming it isn't
> as no-one has suggested the police)
> And if it isn't, surely it falls under some regulator?
> Do the customers receive the goods/services for which they are paying?
> i.e. is this a criminal scam to gather customer card details, or a real
> business with deplorably unsafe/illegal on-line procedures (? Trading
> Standards?)?
> Is there any way of discovering whether the customers of this site have a
> higher than normal risk of having their card details used illegally?
> And above all, how common is this, and is there any way a savvy shopper can
> spot it in time?
> Mary Hawking
> "thinking - independent thinking - is to humans as swimming is to cats: we
> can do it if we really have to."  Mark Earles on Radio 4.
>   don't forget patients like Fred!
> http://primaryhealthinfo.wordpress.com/2012/08/04/will-apps-help-fred/
> -----Original Message-----
> From: Ben Liddicott [mailto:ben at liddicott.com]
> Sent: 28 October 2012 22:02
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: ICO penalties for not encrypting sensitive personal data
> Surely the people to tell are MasterCard and Visa? I would imagine they
> would put a stop to it in short order?
> Perhaps your experience is otherwise however. Anyone know how they
> respond to things like this?
> Cheers, Ben.
> On 28/10/2012 17:55, Gary Mulder wrote:
>> That's interesting. I discovered today a website that intentionally
>> makes false claims of using SSL, and Visa 3D Secure or Mastercard
>> SecureCode, but in fact accepts credit cards online in plain text. How
>> do you get the ICO to investigate such blatant misrepresentation and
>> violations?
