Credit Card Security and PCI Compliance


10 Jan 2011

Fraudsters targeting vulnerable networks and internet sites are as common as ever, with credit card data high on the list of prizes they seek. The payment card industry has joined forces and developed a code of practice which companies must comply with in order to store or transmit credit card information. It is called PCI DSS, which stands for Payment Card Industry Data Security Standard. PCI DSS was developed to ensure e-commerce merchants and providers handle prevention, detection and appropriate reaction to any security incidents. Companies that are not PCI DSS compliant have a higher risk of being compromised and, if the worst does happen, are also open to lawsuits, payment card issuer fines and the more direct loss of trust and sales.

So what are the areas open to compromise and how can they be protected?

To secure credit card data we need to first track and scrutinize each step involved in processing the information and determine if unauthorized access can be gained.

The internet is an open network, which means the information is passed along wires to routers which direct it on to other routers until it arrives at the final destination. Every one of these relays is a potential point at which the information could be read. So, for the example of an on-line purchase by a remote customer on the internet, the credit card form page is sent to the visitor from the web server using Secure Sockets Layer (SSL) encryption. When the visitor types in the card number and expiry date and submits the form back to the site, the information is encrypted so that it is useless to anyone who intercepts it until it arrives back at the server, where it is decrypted.

Encryption protects the data in transmission to the web server, but after this point there are a number of possible scenarios. Some websites re-encrypt the data and pass it on to the payment provider without ever storing it. Others store this data in a database away from the web server.

Imagine someone had secretly gained access and was able to change a critical script page on the server so that, instead of just transmitting the card data on to the payment provider, the edited page also sent a copy of the card information to the attacker. Until this script is analysed and the change detected, the attacker will receive a copy of every future card transaction. This would also be true of the second system, but additionally the attacker could access the database and obtain every past transaction. Both systems are open to abuse, though the scope of compromise on the first is far smaller. PCI DSS aims to ensure companies scrutinize any potential hole which could be used to access private data and prevent or limit the damage. So for companies that do have to store card data, a policy of regularly purging old data is a good idea: if the worst were to happen, the scope of compromise would be smaller because older data has already been removed.

You might think this is all very technical and more the responsibility of the web developer or hosting provider, but in most real world situations it is a shared responsibility. A merchant's staff are likely to have direct access to card data via payment terminals, perhaps to print or store reports, or they have computers with a direct connection to sensitive systems for merchandising or order processing. The system is just as open to compromise from a source in the merchant's office: a virus or key logger, an unscrupulous staff member or even just a badly secured wireless network.

The PCI DSS checklist simply opens our eyes to potential problems and provides tiers of compliance based on the scope and risk of the system handling card data. It also ensures merchants create and maintain policies so that they can review and improve security continually.

To remain compliant, PCI DSS requires a regular security scan of a merchant's payment systems. These scans are available from approved scanning vendors (ASVs) such as McAfee or TrustGuard. Also required is a monitoring and detection system to alert administrators to any file changes or intrusions. Goldfish Interactive recommend OSSEC (www.ossec.net) from Trend Micro, which is open source and cross platform and generates email alerts when important system files or defined website scripts change.
