70% of incidents of cardholder data theft have taken place offline, with 54% occurring in restaurants. But many e-commerce merchants, especially smaller ones, are vulnerable, often due to flaws in their shopping cart software, says security firm Trustwave.
Based on a study of 350 cardholder data breaches in 14 countries, Trustwave found 25% of incidents involved retailers. Of those, more than half involved online merchants, says Nicholas Percoco, vice president of consulting. And 92% of merchant breaches were at retailers in the lowest of the four merchant levels the card brands define by annual transaction volume, meaning they are mostly smaller firms, often Internet-only retailers, Percoco says.
The No. 1 mistake retailers make is storing an entire credit or debit card number, Percoco says. In most cases, retailers can minimize risk and still have the data they need by storing only partial numbers along with the order authorization codes they obtain from card issuers. That way, a hacker who steals a partial card number would not be able to use it to make a purchase. Percoco suggests retailers check with their banks about information they must retain.
Retailers should never store the three-digit security code found on the back of a credit or debit card, Percoco says. Because that code only appears on the back of a card, obtaining that code makes it much easier for hackers to make purchases online, as e-retailers rely on the security code to verify that the customer is in physical possession of the card.
The most common entry point into online retailer data is shopping cart software, Percoco says. And the most common type of attack is an SQL injection, in which the hacker enters into a field, such as customer name or card number, a command using the Structured Query Language that allows e-commerce applications to communicate with back-end databases. That command might tell the database to e-mail card numbers to the hacker, or even modify the software so that every subsequent order is transmitted automatically to the attacker, Percoco says.
Such attacks can be prevented by using secure coding principles, such as requiring that a field meant for entering a credit card number accept only data in that format, rejecting, for instance, a command to export data, he says. Security assessors like Trustwave can evaluate shopping cart software for such vulnerabilities. A list of payment applications certified to Visa security standards, including e-commerce software, is available at visa.com/pabp, Percoco says. Those Visa standards, the Payment Application Best Practices, have recently been adopted by the major payment card brands through the PCI Security Standards Council as the Payment Application Data Security Standard (PA-DSS), a companion to the Payment Card Industry Data Security Standard that all merchants must follow.
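The following is an added example illustrating the three practices described above (storing only a partial card number with the issuer's authorization code, validating the card-number field strictly, and the SQL injection through a customer-name field that a shopping cart invites when it splices input into a query). It is not code from Trustwave, Internet Retailer or any shopping cart product; the in-memory SQLite table, the `orders` column names, the sample customers and the function names are all assumptions made for the demonstration, and the card numbers are the well-known Visa and Mastercard test numbers, which pass the Luhn check but belong to no real account.

```python
import re
import sqlite3

# Constructed sample data (hypothetical): the PANs are the standard Visa/Mastercard
# test numbers, which pass the Luhn check but belong to no real account.
SAMPLE_ORDERS = [
    ("Alice Smith", "4111111111111111", "AUTH123"),
    ("Bob Jones", "5555555555554444", "AUTH456"),
]


def luhn_ok(digits):
    """Luhn check-digit test that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(value):
    """Accept a card-number field only if it is 13-19 digits and Luhn-valid.

    Anything else, including an injection payload appended to a genuine
    number, is rejected before it gets anywhere near a query.
    """
    return bool(re.fullmatch(r"\d{13,19}", value)) and luhn_ok(value)


def mask_pan(pan):
    """Keep only the last four digits for storage; never the full PAN or CVV."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_db():
    """In-memory orders table holding the masked PAN plus the issuer auth code."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT,"
        " pan_last4 TEXT, auth_code TEXT)"
    )
    for name, pan, auth in SAMPLE_ORDERS:
        assert validate_pan(pan)
        conn.execute(
            "INSERT INTO orders (customer, pan_last4, auth_code) VALUES (?, ?, ?)",
            (name, mask_pan(pan), auth),
        )
    conn.commit()
    return conn


def find_orders_vulnerable(conn, customer):
    """The shopping-cart anti-pattern: the customer-name field is spliced into SQL."""
    sql = "SELECT customer FROM orders WHERE customer = '%s' ORDER BY id" % customer
    return [row[0] for row in conn.execute(sql)]


def find_orders_safe(conn, customer):
    """Same lookup with a bound parameter; the input can never become SQL."""
    sql = "SELECT customer FROM orders WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"   # classic tautology typed into the customer-name field
    print("vulnerable:", find_orders_vulnerable(db, payload))   # every customer
    print("safe:      ", find_orders_safe(db, payload))         # nothing
    print("pan field: ", validate_pan("4111111111111111' OR '1'='1"))  # False
```

Two points worth noting when reading it. First, the tautology payload makes the vulnerable lookup return every customer's row, while the parameterized version returns nothing, because the driver binds the value as data rather than parsing it as SQL; format validation on the card-number field, as Percoco recommends, is a worthwhile second layer, but bound parameters are what close the hole on free-text fields such as a customer name. Second, because only the masked PAN and the authorization code are ever written to the table, even a successful injection against this schema yields nothing an attacker could use to make a purchase.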
The stakes for merchants are high, as a merchant that exposes card numbers can be held liable for fraud losses and issuers’ costs of replacing cards, and be fined by the card associations. “In some cases, it puts them out of business,” Percoco says.
Courtesy Internet Retailer, April 29th 2008