Early this morning, a first-time Reddit poster alleged that he or she had run a “basic web security evaluation” on Trion Worlds’ game websites, including ArcheAge’s, discovering “multiple security risks surrounding [its] authentication system.” The poster claimed he or she had contacted Trion multiple times on December 12th and 13th, only to receive no response. The poster then recommended that players remove payment info from their accounts and threatened to send in “attorneys in Texas” and disclose the vulnerabilities publicly should Trion not reply and address them.
We immediately reached out to Trion Worlds, which rebutted the claims, reassuring players that their payment information would not be at risk even if there were a vulnerability and explaining that the Redditor’s accusations about PCI non-compliance are simply inaccurate.
“Yes, we investigate all reports. We reached out to the poster of the thread within minutes of seeing it this morning,” Trion Worlds Director of Community Relations Linda “Brasse” Carlson told us.
“Fortunately, we don’t store payment method information of any type in our infrastructure (it’s stored with the billing processor, who has the highest level of audited PCI compliance). This is a pretty common design, and companies do it so payment information is as protected as possible. What that means is that even if a vulnerability were found for us to address, the risk to our customers’ payment information would be nonexistent.
“As for the non-payment information we do store in our platform, Trion is 100% PCI compliant and certified regularly at the appropriate PCI level, we’re happy to say, and our certifications are up to date.
“That said, reports like these are important to us, and we’re always thankful to hear about them. While they most often don’t indicate any actual problems, sometimes they do. People willing to share them in a way that lets us address rapidly is invaluable. We always appreciate that.”
It’s worth pointing out that ArcheAge has been struggling with downtime and drama following the launch of Revelation and its new fresh start servers this week, meaning Trion community team members are already working overtime to keep the notoriously cranky playerbase content. Perhaps to their credit, other ArcheAge players did indeed question the poster’s credentials, anonymity, timing, and unrealistic timeline expectations when the account and post were created this morning.