CVS Hack Highlights Importance of Vendor Selection
The recent hack of retailer CVS’s photo printing service highlights how important it is for retailers and others to scrutinize the independent vendors they engage to handle cardholder data and to ensure that those vendors apply appropriate security measures.
Retailer CVS has shut down its CVSPhoto service, an online service allowing consumers to upload digital pictures for printing at their local CVS stores, due to a potential security breach of an independent vendor that managed and hosted the CVSPhoto.com Website. The vendor’s responsibilities included collecting consumer cardholder information. Consumers attempting to visit the CVSPhoto.com Website are redirected to a message from CVS explaining the potential breach and disclosing that cardholder information collected by CVS’s independent vendor may have been compromised.
The vendor that managed the CVSPhoto.com Website and collected cardholder information is PNI Digital Media, a Canadian company whose platform is used by multiple retailers offering online digital photo services. PNI also manages Walmart Canada’s online photo center, which has been shut down as well. Transactions conducted in CVS stores and on the CVS Website were not affected. Other retailers potentially affected by the breach include Costco, Sam’s Club, Walgreens and Rite Aid.