Air Europa has urged customers today to block their credit cards if they have used them to purchase airline tickets due to a data breach. According to the Spanish airline, a ‘cybersecurity incident’ was recently detected in one of the systems, in which potentially customer credit card information was also compromised. This includes credit card numbers, expiration dates, and CVV codes (*).

Further details about the incident are not provided by the airline. However, customers are advised to contact their bank and block their credit cards to prevent fraudulent use. Numerous customers shared via X the email that Air Europa sent about the data breach. The number of customers affected by the data breach is unknown.

(*) Storing CVV (Card Verification Value) codes is generally not allowed according to Payment Card Industry Data Security Standard (PCI DSS) regulations. PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

According to PCI DSS, organizations are not permitted to store sensitive authentication data, including CVV codes, after authorization. The CVV code is intended to provide an additional layer of security during a transaction, but storing it after authorization poses a significant security risk.

Typically, after a credit card transaction is authorized, the merchant or service provider is supposed to discard or mask sensitive information such as the CVV code. This is done to minimize the risk of data breaches and protect customer financial information.

If an airline or any other organization is found to be storing CVV codes after authorization, it would be a violation of PCI DSS, and the organization could face fines and other penalties. Customers are encouraged to inquire about the security measures of the organizations they do business with and to report any concerns about data security.