How to Break an E-commerce Site’s PCI DSS Compliance in 30 Seconds!

Kabir (ko-bir)
Dec 5, 2019 · 3 min read

E-commerce websites that collect credit card information directly must comply with the Payment Card Industry’s (PCI) Data Security Standard (DSS). If such a site does not meet the PCI security requirements, most major card brands such as Visa, Mastercard, AMEX, etc. will not allow their cards to be used on the site. Complying with the PCI standard correctly is a significant task, and many e-commerce websites do a poor job of it. To prove this point, I can show you how you can break many e-commerce sites’ PCI compliance in just a few seconds!

Critical Requirements of PCI DSS: PAN Security

An e-commerce website that accepts credit cards through its web applications, such as a shopping cart, must not store the primary account number (PAN), which is the credit card number, as-is in the database. If a PAN must be stored in a database, it must be stored using high-grade encryption in a secure database.

Breaking PCI DSS Compliance in 30 Seconds

Here I will describe how you can easily break an e-commerce website’s PCI compliance in 30 seconds.

This form can be a customer contact form, a return processing form, or any other form outside their normal shopping cart process.

There is no need to use your credit card for this experiment. Just grab a phony credit number from

Now enter the fake credit card number in the message area or large free-form text area meant to provide the message, feedback, or other details. Submit the form with whatever information is required.

If the site accepted the data you sent with the fake credit card number, it has sent that information to customer service or stored it in a ticketing system and eventually in a database.

Many sites have contact forms and other non-shopping-cart forms that can be filled out by customers. Allowing a visitor to enter a credit card number on such a form and then sending it out to customer service staff or storing it in the database creates a non-compliant system.

You may be wondering why would someone willingly enter a credit card number in such a form, right? Well, people do. They do it for various reasons. It does not matter why. What matters is that the system accepted the card and possibly shared it with people who should not see such information.

A naive customer may not know that a site is not protecting them when they are contacting a site’s staff to help them resolve a card issue. So the burden of protection falls on the site, not on the customer.

Am I Joking?

Nope. A site that allows credit card numbers to be emailed or stored in a ticketing system or some third-party customer service tool is just asking for it! Customers often think their data will be protected since many sites brag about HTTPS or show a security seal from another security vendor. They often believe that these things are enough to protect them, and all communication is secure. They are not!

Entering a credit card number in a form that was never intended for it is enough to get the site in trouble with PCI compliance.

How to Stop This?

Simple. Make sure all data entering an e-commerce site has a Luhn test performed on the input. This means that the site should check the input to see whether a credit card number was entered or not. If a credit card number was entered, it needs to take appropriate action to redact that number for non-shopping-cart modules like customer service, feedback tools, or whatever else. Most sites do not practice such safety measures and, therefore, can quickly become non-compliant with PCI.
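As an added example (not code from the article or its author), here is one way to implement that check on free-form form fields: find digit runs that look like a card number, keep only those that pass the Luhn checksum, and mask them before the text is emailed or written to a ticketing system. It assumes card numbers are 13 to 19 digits long and may be typed with spaces or dashes between digit groups.

```python
import re
from typing import Tuple

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
# Assumption: this length range covers the card brands a shop normally accepts.
_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    # Walk from the rightmost digit; double every second digit, and if the
    # doubled value has two digits, add those digits (equivalent to subtracting 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str, keep_last: int = 4) -> Tuple[str, int]:
    """Mask every Luhn-valid card-number-looking run in a free-form field.

    Returns the redacted text and how many PANs were masked. Digit runs that
    fail Luhn (order numbers, phone numbers, tracking ids) are left untouched,
    so the check does not mangle ordinary customer messages.
    """
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r'[ -]', '', raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        # Keep only the last few digits so support staff can still reference the card.
        return '*' * (len(digits) - keep_last) + digits[-keep_last:]

    return _CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    # Constructed sample message; 4111 1111 1111 1111 is a well-known test number.
    sample = "My card 4111 1111 1111 1111 was charged twice, order #1234567890123"
    print(redact_pans(sample))
```

Run the redaction on the contact, returns and feedback handlers before the submission leaves the web tier, and log the count so you can see how often customers actually paste card numbers into these forms.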



