Despite several attempts to establish different e-payment solutions, credit cards still remain the currency of choice when it comes to shopping on the Web. Some estimates put online sales at over $250 million by the year 2014, with no signs of slowing down.
With so much money changing hands over the Internet, credit card theft has become a tempting target for cyber criminals from every corner of the globe. So while credit cards may be the cornerstone to any successful e-commerce site, they may also be the biggest concern for many online retailers.
While great strides have been taken to help protect against credit card fraud, retailers cannot afford to be complacent when it comes to credit card security. Although it is the lifeline of any e-commerce site, the ability to process credit cards also comes with a number of risks.
In order to process credit card payments, the retailer must employ an application on their web site that can collect, process, and often store the credit card data in order to complete the transaction. Like any other web application, those that handle credit card transactions are threatened by a number of vulnerabilities such as:
Unlike the early days of e-commerce, when an attacker had to have a certain degree of programming skill to carry out a successful attack, the use of large armies of bots has made it easy for an attacker with a minimal amount of skill to launch a large-scale, coordinated attack against multiple retail web sites to harvest thousands of credit cards.
Just a few short years ago, over 130 million credit and debit cards were stolen by Albert Gonzalez, costing Heartland Payment Systems $12.6 million. Prior to this, Gonzalez successfully exploited vulnerabilities in the TJX (TJ Maxx) network to harvest over 45 million cards from them and other retailers, causing losses that exceeded $70 million due to fraud and a lawsuit filed against TJX by over 300 banks. The vulnerability that gave him and his crew access to the credit card data: SQL Injection.
One of the most worrisome issues when dealing with credit cards is a chargeback. These occur when a buyer disputes a charge. In cases where fraud is suspected, the credit card company almost always sides with the buyer leaving the merchant to take the loss, not the credit card company itself. In addition to lost revenue, some companies issue fees against a merchant when a fraudulent transaction is recorded on their site. Companies who are found to have too many chargebacks may even find that the credit card company will terminate the retailer’s ability to accept that card any longer.
To combat the fraud and theft, five different credit card security programs merged to form the Payment Card Industry Security Standards Council (PCI SSC) in 2004. The intent of these companies, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, was to provide additional protection to card issuers making sure that all merchants meet basic levels of security when storing, processing, and transmitting cardholder data.
The PCI standards are required of online retailers and brick and mortar shops alike. Some of the requirements that merchants are expected to abide by include:
Companies that fail to comply with the PCI compliance standards risk losing the ability to process credit card payments and may be subjected to audits and fines.
Aside from the loss due to chargebacks, there are often legal fees and other fines that a company faces if it has allowed credit card data to be stolen from its site. While these often have a significant impact on a company’s revenue, once shoppers have it in their mind that their credit card may not be safe when shopping, sales are sure to plunge. Brand damage after a data breach is often worse for the bottom line than any combination of fees and fines.
With the application layer being the soft spot on which many cyber criminals choose to concentrate their attacks, the PCI Data Security Standards specifically address what a web site needs to do in order to properly protect its web applications.
In what is known as requirement 6.6, web site owners who process credit cards are given two options for compliance. Option one requires a code review to be done by an internal employee or a trusted third-party source and must consist of one of the four methods:
Code reviews are a surgical approach to protecting web applications against attacks that can compromise credit card data. They involve a reviewer, or team of reviewers, going through an application’s code looking for possible vulnerabilities. While on the surface they may seem like the ideal way to approach PCI compliance, they are a costly approach that is not without drawbacks.
As with anything that involves human eyes, there is the possibility that something may be missed for any number of reasons: negligence, ignorance, or a simple mistake. Alongside the possibility of human error, code reviews protect only against vulnerabilities that are known at the time of the review. Once a code review is complete, new exploits may be found that were unknown when the review was done. Add to this the fact that vulnerabilities found in code reviews are often not adequately patched, and it is easy to see why a code review alone is not always the best solution.
The second option given by the PCI DSS allows for a company to implement a web application firewall solution in place of regular code reviews. A web application firewall, either a hardware appliance or software solution, is placed in between the client end point and the web application. Unlike traditional firewalls and intrusion prevention systems, web application firewalls, or WAFs, understand the application layer logic that is necessary to protect cardholder data.
Web application firewalls protect against the unknown threats as well. With a WAF, all web layer traffic is inspected looking for packets that are meant to exploit known vulnerabilities as well as patterns that may suggest a zero-day exploit is being launched against the application. This works to prevent attacks that will not be found in a code review alone.
Properly configured, web application firewalls protect against:
... and many more threats that can compromise credit card data.
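The two layers of defense described above, the code-level fix a code review would demand (a parameterized query) and a WAF-style inspection of each request before it reaches the application, as an added example that is not part of the original page and is not dotDefender's code or rule set. The rule patterns, the `orders` table and the sample requests are all constructed for illustration:

```python
"""Added example (not from the original page): a toy request inspector in
the style of a WAF rule set, beside the query-level fix a code review
would require. The rules, table and requests below are all constructed."""
import re
import sqlite3
from dataclasses import dataclass, field

# Constructed rule set: patterns that commonly indicate SQL injection or
# script-injection probes. A real WAF has far more rules and tunes them.
SUSPICIOUS_PATTERNS = [
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)),
    ("sqli_comment", re.compile(r"--|/\*")),
    ("sqli_union", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("xss_script_tag", re.compile(r"<\s*script", re.IGNORECASE)),
]


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)


def inspect(req):
    """Return a list of (parameter, rule) hits; an empty list means the
    request passed every rule."""
    hits = []
    for name, value in req.params.items():
        for rule, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def make_db():
    """Constructed in-memory orders table standing in for the merchant's
    database (only the last four card digits are stored, as PCI expects)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [("41", "1111"), ("42", "2222"), ("43", "3333")],
    )
    return conn


def lookup_vulnerable(conn, order_id):
    # String formatting: user input becomes part of the SQL grammar, so an
    # input like  42' OR '1'='1  turns the WHERE clause into a tautology.
    sql = f"SELECT id, card_last4 FROM orders WHERE id = '{order_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, order_id):
    # Placeholder binding: the driver passes the input as data only, so the
    # same string simply matches no order id.
    sql = "SELECT id, card_last4 FROM orders WHERE id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def handle(req, conn):
    """Gate the request WAF-style: block and log on any rule hit, otherwise
    hand it to the (fixed) application code."""
    hits = inspect(req)
    if hits:
        detail = ", ".join(f"{param}:{rule}" for param, rule in hits)
        return {"status": 403, "log": f"BLOCKED {req.method} {req.path}: {detail}"}
    rows = lookup_safe(conn, req.params.get("id", ""))
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    clean = Request("GET", "/order", {"id": "42"})
    probe = Request("GET", "/order", {"id": "42' OR '1'='1"})
    print(handle(clean, db))
    print(handle(probe, db))
    # Without the WAF, only the query style decides the outcome:
    print("vulnerable:", lookup_vulnerable(db, probe.params["id"]))
    print("safe:      ", lookup_safe(db, probe.params["id"]))
```

Running the block shows the point the text makes: the tautology input returns every row through `lookup_vulnerable` and nothing through `lookup_safe`, and the inspector blocks it before either query runs. Pattern rules like these also produce false positives on legitimate input (an order note containing `--`, for instance), which is why the text's qualifier "properly configured" matters in practice.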
When it comes to protecting your customers’ credit card data from cyber criminals, finding the right solution needs to be a top priority, but it also needs to be one that your company can afford. Entering into a code review, it is almost impossible to accurately gauge the total cost, as resources must be spent to engage in the code review and then manpower and money must be dedicated to patching any vulnerabilities found.
By acting as a Security-as-a-Service solution, dotDefender is able to provide protection to web applications used to process credit card payments whether the admin has an extensive background in security or just a minimal amount of knowledge on the subject.
Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against the common threats that the PCI Data Security Standards were put in place to protect against, without concern that scope creep will increase the solution’s cost.
The reasons dotDefender offers such a comprehensive solution to your web application security needs are:
dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing each request to the web server and the impact it has on the application. If the analysis finds something that could be a threat to your web application, it is stopped in its tracks and the activity is logged.
With its predefined rule set, dotDefender installation takes only 10 clicks to have a solution in place that is easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.