Credit Card Security
Despite several attempts to establish different e-payment solutions, credit cards still remain the currency of choice when it comes to shopping on the Web. Some estimates expect that by the year 2015 online sales will be in the range of over $250 million with no signs of slowing down.
With so much money changing hands over the Internet, credit card theft has become a tempting target for cyber criminals from every corner of the globe. So while credit cards may be the cornerstone to any successful e-commerce site, they may also be the biggest concern for many online retailers.
Risks Associated with Credit Cards
While great strides have been taken to help protect against credit card fraud, retailers cannot afford to be complacent when it comes to credit card security. Although the life line of any e-commerce site, the ability to process credit cards also comes with a number of risks.
In order to process credit card payments, the retailer must employ an application on their web site that can collect, process, and often store the credit card data in order to complete the transaction. Like any other web application, those that handle credit card transactions are threatened by a number of vulnerabilities such as:
• Malware (drive-by downloads)
Unlike the early days of e-commerce, when an attacker needed a certain degree of programming skill to carry out a successful attack, the use of large armies of bots has made it easy for an attacker with minimal skill to launch a large-scale, coordinated attack against multiple retail web sites and harvest thousands of credit cards.
Credit Card Fraud
One of the most worrisome issues when dealing with credit cards is a chargeback. These occur when a buyer disputes a charge. In cases where fraud is suspected, the credit card company almost always sides with the buyer, leaving the merchant, not the credit card company, to take the loss. In addition to lost revenue, some companies issue fees against a merchant when a fraudulent transaction is recorded on their site. Companies that are found to have too many chargebacks may even find that the credit card company terminates the retailer's ability to accept that card at all.
PCI Compliance Issues
To combat the fraud and theft, five different credit card security programs merged to form the Payment Card Industry Security Standards Council (PCI SSC) in 2004. The intent of these companies, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, was to provide additional protection to card issuers by making sure that all merchants meet basic levels of security when storing, processing, and transmitting cardholder data.
The PCI standards are required of online retailers and brick-and-mortar shops alike. Some of the requirements that merchants are expected to abide by include:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
Companies that fail to comply with the PCI compliance standards risk losing the ability to process credit card payments and may be subjected to audits and fines.
Loss of Business
Aside from the loss due to chargebacks, a company often faces legal fees and other fines if it has allowed credit card data to be stolen from its site. While these often have a significant impact on a company's revenue, once shoppers have it in their minds that their credit card may not be safe when shopping, sales are sure to plunge. Brand damage after a data breach is often worse for the bottom line than any combination of fees and fines.
With the application layer being the soft spot on which many cyber criminals choose to concentrate their attacks, the PCI Data Security Standards specifically address what a web site needs to do in order to properly protect its web applications.
In what is known as requirement 6.6, web site owners who process credit cards are given two options for compliance. Option one requires a code review to be done by an internal employee or a trusted third party, using one of the following four methods:
1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tool
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools
Code reviews are a surgical approach to protecting web applications against attacks that can compromise credit card data. They involve a reviewer, or team of reviewers, going through an application's code looking for possible vulnerabilities. While on the surface they may seem like the ideal way to approach PCI compliance, they are a costly approach that is not without drawbacks.
As with anything that involves human eyes, there is the possibility that something may be missed for any number of reasons: negligence, ignorance, or a simple mistake. Alongside the possibility of human error, code reviews only protect against vulnerabilities known at the time of the review; once a code review is complete, new exploits may be found that were unknown when it was done. Add to this the fact that vulnerabilities found in code reviews are often not adequately patched, and it is easy to see why a code review alone is not always the best solution.