Is your e-Commerce business hacker proof ?

by on April 16, 2014

A massively scaling business is super exciting.  But let’s face it, when it does scale, you will likely find yourself cutting corners to keep the momentum going. That could mean less testing, quicker releases and a CTO that is likely helping ship product.

I asked a number e-commerce companies if they felt their credit card data was safe. They all answered yes and most added they are not at risk, as they don’t store credit card data. Unfortunately, that is not always the case, as some companies have found out the hard way. Just because you do not store credit card data does not mean your data cannot be compromised.

I thought we were safe until we got hacked”. Famous last words…..

Credit card security has been widely discussed in recent media as leading companies like Target, Amazon, Living Social and LinkedIn have fallen prey to this global problem. The amazing thing is that many of these companies never stored a single credit card; they used third party e-commerce software with state-of-the-art tokenization provided by their payment processor. Frequent victims, but much less prevalent in the public eye, are early stage companies. We’ve seen this scenario with increasing frequency and felt compelled to dig into the subject.

Why is this so important?

All modern startups recognize the importance of system security and protecting customer privacy. But it never seems urgent until you actually see a breach play out. We’ve seen it play out. And the tragic fact is that a security breach can cost you your company and investors their investment. The average cost of a breach is $200 per credit card plus fines and fees. With a single security breach, an e-commerce company can lose its merchant account and languish in the Terminated Merchant File or MATCH (Member Alert to Control High-risk Merchants)  for several years, during which time it cannot accept credit cards.  Without a means to accept payments, your business will likely die quickly.

How do hackers get in?

I spoke to Trustwave, a privately held security and data protection company, to understand current trends in how hackers are gaining access to credit card information. It’s astonishing to see how easy it is. Trustwave has conducted hundreds of post-breech security audits and they shared the most common ways hackers are accessing credit card information:

  • Memory Scraping Malware

Even if data is only stored temporarily – for instance when collected to be tokenized – malware will make a copy from it in RAM (main memory), while it exists in plain text. Targeted JavaScript malware that understands your payment process may even ride-along down to the users workstation undetected to collect it while the user is typing in their credit card number.

  • Logic Flaws and Web Requests Using Manual Request Editor

Inside a URL, there can be a way for hackers to change an order from a positive to negative quantity and get a refund.

  • SQL Injection

SQL injection is an old technique that many databases still don’t protect against. Malformed data – if not stripped out – is interpreted by your back-end database as instructions.  Being able to send arbitrary commands to your database opens up endless opportunity for the creative thief…

When a page has information not related to dynamic content and pulls in images from elsewhere and it gets the server to pull in a link, which then deploys on the server. From that point a malware code is executed.

  • Password Management Flaws

Self explanatory.

  • Third Party Supplier Intrusion

When a third party you are doing business with has been attacked, and as a result, also compromises your data.

  • Manual Insertion of Malware

This can be as easy as someone physically inserting a UBS key that deploys malware.

PCI Compliance 101

PCI-DSS stands for Payment Card Industry Data Security Standard (PCI). The standard applies to all entities that store, process, and/or transmit cardholder data.

With PCI rules you cannot store credit card data post authorization except for the name and last 4 digits of the card. There are 4 levels to PCI compliance that you should be aware of.

Level 4: Small businesses that process less than 20,000 eCommerce transactions and less than 1 million other transactions per year. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ).

Level 3: Mid-sized companies — those with between 20,000 and 1 million transactions per year — fall into this level. Level 3 companies are required to complete an annual risk assessment using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 2: Level 2 companies conduct between 1 million and 6 million transactions yearly. These companies are required to undergo a risk assessment every year, using the appropriate SAQ. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 1: “Big box” stores and major corporations are Level 1 companies, with a minimum of 6 million transactions per year. In addition to an annual internal audit conducted by a qualified PCI auditor, Level 1 companies may also be required to undergo quarterly PCI scans administered by an approved scanning vendor.

I use a service provider; do I still need to be PCI compliant?

While using a service provider may reduce a merchant’s risk of exposure and the effort needed to validate compliance, it does not exclude that merchant from PCI compliance. If you are a merchant who accepts or processes payment cards, you need to be PCI compliant according to card associations. If your vendor is not PCI compliant then inquire as to why not.  To verify if your vendor is PS-A-DSS you look up your vendor here.

The PA-DSS is for “software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties”. Most card brands strongly encourage merchants to use payment applications that are tested and approved by the PCI SSC.  View a list of approved vendors here.

How can I proactively respond to any credit card security threats?

Now that you understand the security issues faced by e-Commerce companies, how can you best prepare for them? Here are 10 recommendations:

  1. Take this stuff seriously. Know that it is not a matter of if, but a matter of when you will be targeted. Have a gap analysis done by an outside professional and at a bare complete a PCI Self-Assessment Questionnaire (SAQ).
  2. Use a strong password management software (ex: CyberArk password vault).
  3. Implement secure remote access with 2-step authentication where possible.
  4. Use accredited third party tokenization for e-commerce transaction and implement it according to PCI standards.
  5. Configure firewall for strict inbound and outbound rules and monitor IP addresses so only the ones you know get in.
  6. Run protection against executable files such as Bit9.
  7. Have a penetration test done.
  8. Update gateway and ecommerce software regularly.
  9. Implement software that detects abnormal network traffic and behavior by even for legitimate user credentials (in case they have been compromised).
  10. Limit admin passwords and privileges for users and apps and review for dormant and unknown accounts.

If you don’t understand this stuff, find someone who does because one security breach could cost you your company!