by cdwhitcombe 4189 days ago
In the address example you can even omit the arguments and it just returns you a large list of addresses. Would expect this to be hitting the news here in the UK tomorrow!

Judging by their parent company's website they seem to be PCI certified (http://careers.photobox.co.uk/security-officer-moonpig/), which is likely to be removed from them after this; also, given the private information on show, I would expect this breach of the Data Protection Act to mean a large fine for them.

For anyone at risk from this: you can't just cancel your account, but you can manually go through and delete quite a bit of data, such as address books, and they then disappear from the API calls.

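The access-control pattern the post above describes (omit the customer argument and the endpoint returns everyone's addresses; delete your own entries and they drop out of responses), as an added example that is not Moonpig's code and assumes nothing about their real API. The handler names, the `customerId` parameter, the in-memory `ADDRESS_BOOKS` data and the `Forbidden` exception are all hypothetical and constructed here; the point is the difference between scoping a query by a client-supplied parameter and scoping it by the authenticated session.

```python
"""Toy address-book API: a hypothetical vulnerable handler next to a
hardened one. Added example, not code from the original page or from
Moonpig. All data and names are constructed for illustration."""
import copy

# Constructed sample data: three customers, each with an address book.
ADDRESS_BOOKS = {
    101: [{"id": 1, "name": "A. Smith", "postcode": "SW1A 1AA"}],
    102: [{"id": 2, "name": "B. Jones", "postcode": "M1 1AE"},
          {"id": 3, "name": "C. Brown", "postcode": "LS1 1UR"}],
    103: [{"id": 4, "name": "D. Green", "postcode": "EH1 1YZ"}],
}


def fresh_books():
    """Return an independent copy of the sample data so callers can mutate it."""
    return copy.deepcopy(ADDRESS_BOOKS)


class Forbidden(Exception):
    """Raised when a request tries to read another customer's data."""


def list_addresses_vulnerable(params, all_books):
    """Hypothetical vulnerable handler.

    The customer id is taken from the request, so any caller can name any
    customer; and when the parameter is omitted the filter is dropped
    entirely, so the caller gets every customer's address book. That is the
    'omit the arguments and get a large list' behaviour described above.
    """
    customer_id = params.get("customerId")
    if customer_id is None:
        return [addr for book in all_books.values() for addr in book]
    return list(all_books.get(int(customer_id), []))


def list_addresses_hardened(session_customer_id, params, all_books):
    """Hardened handler.

    The scope comes from the authenticated session, never from a request
    parameter. A parameter that names a different customer is rejected
    rather than honoured, a malformed one is rejected too, and a missing
    one cannot widen the query because the session id is always applied.
    """
    requested = params.get("customerId")
    if requested is not None:
        try:
            requested_id = int(requested)
        except (TypeError, ValueError):
            raise Forbidden("customerId is not a valid customer id")
        if requested_id != session_customer_id:
            raise Forbidden("customerId does not match the authenticated customer")
    return list(all_books.get(session_customer_id, []))


def delete_address(session_customer_id, address_id, all_books):
    """Delete one entry from the caller's own address book.

    Returns the number of entries removed (0 or 1). Deleting an entry
    removes it from every later listing, which is the self-help step the
    post above suggests while the account itself cannot be cancelled.
    """
    book = all_books.get(session_customer_id, [])
    before = len(book)
    book[:] = [addr for addr in book if addr["id"] != address_id]
    return before - len(book)


if __name__ == "__main__":
    books = fresh_books()
    # Unauthenticated caller, no argument: the vulnerable handler leaks all 4.
    print("vulnerable, no arg:", len(list_addresses_vulnerable({}, books)))
    # Same request against the hardened handler, as customer 102: only theirs.
    print("hardened, session 102:", len(list_addresses_hardened(102, {}, books)))
    # Customer 101 asking for 102's book is refused.
    try:
        list_addresses_hardened(101, {"customerId": "102"}, books)
    except Forbidden as exc:
        print("hardened, cross-customer:", exc)
    # Deleting an entry removes it from subsequent listings.
    delete_address(102, 2, books)
    print("hardened after delete:", len(list_addresses_hardened(102, {}, books)))
```

The hardened handler deliberately does not fall back to "list everything" or "list whatever customerId says" when the parameter is present but wrong; the only source of truth for whose data is returned is the session, and a mismatching parameter is treated as a probe and refused.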

Been a while since I read PCI DSS, but if the PAN isn't there, does it specify you have to protect that information? Also, if they don't actually have the PAN touch their servers (like, using a Braintree or Stripe-like solution), PCI compliance is quite minimal. Even PCI DSS 3.0 is trivial to deal with using Stripe (they just insert an iframe so the CC info goes directly to their site).

Of course, yeah, they don't deserve the benefit of the doubt here. Given such a terrible API they probably are a mess inside, too.

Reading that job spec, I assumed they handle all the PCI side of things themselves; if using Stripe etc. I doubt you'd need such an involved role.

Given the mess it looks like on the front, I would bet PANs are stored in clear text too!