Skip to main content

Sony says PSN credit card info was encrypted

After more than a week of investigations into the security breach at Sony HQ, the Japanese mega-corporation still can't say with any certainty whether users of the PlayStation Network have had their credit card information compromised.

The latest update on the PlayStation Blog says, "All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

Having no evidence that the data was stolen doesn't, of course, mean that it wasn't stolen and Sony's inability or indecision on coming clean about credit card info will do little to repair the company's irreparably tarnished reputation.

Those still worried about the safety of their credit cards will take little comfort from Sony's latest advice:

"While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," writes Patrick Seybold. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."

In a missive on the subject we received from security outfit Lieberman Software, CEO Phil Lieberman, gave the following advice: "Always assume that the company gathering your personal information is totally incompetent at securing the data, and consider what you share with them and how you are going to recover your personal identity after they lose your information." He also recommends giving a false date of birth when registering with online gaming outfits.