In the past few years, data center security and web server defenses have improved significantly, making them a less feasible avenue of attack. Cybercriminals have taken note and are shifting their focus from spectacular attacks on bank data servers to skimming credit card information from a wide range of ecommerce sites, unbeknownst to the website administrators. Although various credit card fraud controls exist today on both the merchant and the payment vendor side, cybercriminals have found a lucrative blind spot that has yet to be closed.
Banks, the Payment Card Industry (PCI, whose members include Visa, MasterCard, American Express and other large payment companies) and other financial institutions are the most regulated industries, in both their offline and their online practices, and rightly so. For online payments, the PCI, and specifically the PCI Security Standards Council, sets the rules for data security and enforces compliance with security best practices through the PCI Data Security Standard (DSS). The standard consists of twelve major requirements with multiple sub-requirements, which contain numerous directives against which businesses can measure their own payment card security policies, procedures and guidelines. Failure to comply with PCI DSS will lead to the members of the PCI pulling the plug on a merchant's website and business.
The standard outlines how credit card details are collected, stored and transferred from a merchant's website and servers to the payment card vendor. This ensures that the sensitive data is handled with care and that handling also complies with local regulations such as GDPR. PCI formed these standards mainly so that more people would be comfortable paying online and so that all those payments would be secure. Since its inception in 2006, PCI DSS has helped improve the security posture of many websites and has helped ensure a secure experience for consumers when they pay for goods.
However, over the past 4 years, a group of cybercriminals known as Magecart has figured out how to exploit a weak spot in the standard's enforcement: the 3rd party vendors present on the merchant website. These 3rd party services generally provide the merchant website with user analytics, advertisements and various other functionality, and their scripts run in the customer's browser on the same pages where card details are entered. PCI DSS mainly regulates the payment vendor and the website merchant, but does little to protect against attacks delivered through a 3rd party vendor that is present on the website.
Browser-side protections such as Content Security Policy (CSP) and Subresource Integrity (SRI) are valued and widely used at firms such as Google; however, their adoption beyond the Alexa Top 100 websites is quite low. This is especially concerning because the websites most often targeted by Magecart and similar groups generally fall outside the Alexa Top 100 and do not have large, sophisticated security teams. Most of the compromised website administrators are unfortunately unaware that such an attack vector exists, even though they follow PCI DSS to the letter. Furthermore, PCI vendors and the merchants are often liable for fraudulent payments made with the stolen credit card details. As most Magecart attacks go unreported, the reputational cost with end users unfortunately tends to fall on the payment card vendor.
As adoption and awareness are the biggest hurdles to the widespread use of these protection mechanisms, PCI DSS needs to upgrade the standard to include protections against 3rd party vendors. Similar to how Google pushed the web to adopt HTTPS over the past decade, PCI will need to take the lead in rewarding merchants that adopt newer security standards such as CSP and SRI, and in appropriately penalizing merchants that do not comply within a suitable time frame. Increased adoption of these standards will give merchant websites and payment vendors an edge in the fight against online credit card fraud.