Who was the PCI auditor?
What company did Hyatt's PCI audit? Obviously the auditor was lazy or ignorant... or perhaps Hyatt lied about data protection measures. Don't rule out both being the case.
Having the CVV number is against PCI standards,
Requirement 3.2 - Storing sensitive authentication data after authorization. You can only do so if there is a business justification (not likely in this case) and if it is stored securely. Obviously this wasn't met.
Requirement 3.2.2 specifically states not to store CVV information after authorization.
Then there is Requirement 3.4 which goes into PAN data security and the use of STRONG encryption. Again, this obviously wasn't the case.
Requirements 3.5 and 3.6 goes into documenting procedures for key management. Here is where the PCI auditor should have caught the problem.
So when it comes down to it. Requirement 3.x in general was not implemented, nor was it properly audited.
The information security community deserves to know who the PCI auditor is who last signed off on internal safe keeping of customer data.
Biting the hand that feeds IT
