PCI Series — Part II

PCI Series — Part III

According to a 2014 study by Trustwave, 54% of the breaches that took place in 2013 occurred on ecommerce websites. This statistic, coupled with the massive Point-of-Sale (POS) breaches of well-known companies such as Target, P.F. Chang’s, and Home Depot, highlight increasing security risks. Unfortunately, there are myriad organizations out there – large and small – that aren’t even aware yet that their data’s been compromised.

In fact, a 2014 Mandiant report, “MTrends: Beyond the Breach” revealed that the median number of days a breach occured before detection was 229 days! That’s almost a full year. Remember, too, it’s just the average length of time. The report revealed that in one instance, it was 2,287 days before the breach was discovered.

Large retailers aren’t the only ones that need to be concerned. In fact, a June 8, 2015 Bankrate article, notes that, according to the National Cyber Security Alliance, “Ninety-five percent of credit card breaches discovered by Visa Inc. are from its smaller-business customers.” They also indicated that, “71 percent of security breaches target small businesses.” No one is immune to breaches and organizational size doesn’t dictate who is vulnerable to one and who isn’t.

These statistics support the dire state of ecommerce security as well as the need for increased vigilance regarding electronic payments security. No longer can organizations subscribe to the “one and done” mentality of implementing security software and assuming the problem will take care of itself. The stakes are too high. Your organization’s reputation and money are on the line. Therefore, it’s imperative that you don’t forgo a quality security program or take shortcuts.

Complacency and Non-compliance are Costly

As a seasoned service provider of comprehensive billing and payments solutions, we’ve seen and heard it all before: “We can handle the compliance issues since we just need to meet the basic requirements.” (Great but it’s more complex than that.) “Payment security costs too much and we can’t do those things.” (True, payment security is expensive, but criminals are only getting more sophisticated and the ramifications of a breach are too dire to ignore.)

The 2015 Cost of Data Breach Survey from Symantec and the Poneman Institute revealed that for every exposed customer record, the cost is $145 per record, a 9% increase over the 2014 cost. In August 2014, Target agreed to pay $10 million to customers as settlement in a class action suit as a result of its breach. Customers who can prove that they were negatively impacted by the breach (un-refunded, unauthorized debit and credit charges, cost to repair credit, loss of access or restricted access to funds, etc.) could receive a settlement of up to $10,000 per claim.

It doesn’t end there though. Long-term ripple effects can run up those tallies as well. Damage control necessitating public relations and marketing campaigns, consumer distrust and hesitancy towards these organizations’ security protocols and controls, retooling of technologies, policies and procedures, and employee training to ensure that it doesn’t happen again, all increase an organization’s costs. Target’s earnings report on February 25th of this year, supports just how detrimental the long-term effects of spotty security can be. In their case, it was to the tune of a $252 million net price tag.

Is your eCommerce the Weakest Link?

Remember that game show from the early 2000s, Weakest Link? The stern British host would ask players a series of questions, receiving money to bank for each correct answer. Of the two remaining players, the one who first answered incorrectly was ceremoniously met with a (cue a clipped British accent) “You are the weakest link.”

Every organization must consider whether it and/or any of its vendors are the weakest link when it comes to their ecommerce security. In each of the aforementioned breaches, faulty POS security allowed cardholder data to be skimmed directly from the card swipe. International crime syndicates have targeted POS networks as their preferred point of entry because they’re relatively easy to break into and loaded with valuable data.

Cybercriminals may only need to compromise a single user password to gain access to a businesses network. Once accessed, they can steal critical data or possibly load intrusive malware across a retailer’s POS network. You may detect the breach quickly; then again, maybe not. Either way, the damage has already been done.

The good news is that 2015 regulations will improve POS security. The mandatory rollout of chip cards and EMV card swipers will dramatically improve security at the card level, markedly reducing vulnerabilities at the POS.

The bad news is that cybercriminals are wily and resourceful. As the POS gets more secure, they’ll redirect their attacks to more vulnerable areas like online payments. Those in the security industry are deeply concerned that ecommerce fraud will accelerate in the coming months. EMV doesn’t address card-not-present transactions, such as online payments, where exploitable security gaps still exist.

“Cybercriminals will always exploit the weakest link,” said Alisdair Faulkner, Chief Products Officer of cybersecurity firm, ThreatMetrix. With POS skimming off the table, online payments make an appealing target for cybercriminals and will likely result in a surge of online payment fraud. A report by the security firm, Trustwave, substantiates it. They studied 691 breaches in 24 countries and found that ecommerce websites frequently are exposed, citing that “databases involved in ecommerce payments continue to be common targets of attack.” The study continued, “as has been the case for more than 15 years, poor coding and data storage practices have left sites vulnerable to SQL injection, which could potentially open up access to cardholder data stored in databases.”

The May 2014 data breach at eBay, one of the largest and most utilized ecommerce platforms in the world, illustrates the last point. Over a 100 million usernames, passwords, phone numbers and addresses were stolen including supposedly encrypted hashed passwords. Security expert Mark Litchfield discovered the attack by successfully manipulating the company’s interface. As a result, he was able to tap into a highly sensitive system component that assists online vendors and merchants in managing their PayFlow accounts.

In our next blog, Part II, we discuss the costs associated with compliance. Find out why they’re escalating…and who’s expected to shoulder them.