Buying goods online is second nature to most of us. Using our payment card whilst we shop online rarely gives us pause, and the many millions who buy online generally trust the system.
However, the recent busy shopping season means it’s a good time to remind ourselves that there is an ongoing battle to make sure that the payment card data of your customers remains secure.
The war between criminal gangs and the payment industry has been raging for some time. In the early days, criminals stole cardholder data from internet-connected point-of-sale (POS) systems and used it to make their own fraudulent transactions. The payment industry responded to this type of attack by creating the Payment Card Industry (PCI) Data Security Standard (DSS), which outlined the security measures that should be in place to protect payment card data from criminals.
As merchants became more security savvy, they set out to bolster their POS systems against attacks. Criminals then sought out the locations where merchants stored cardholder data. Merchants eventually got rid of such legacy data stores and applied PCI DSS technical controls to bolster security in the locations where payment card data was now stored and managed. Criminals went back to the drawing board.
This back-and-forth between criminal gangs and the payment industry continues to this day. Even as technology evolves favoring merchants, criminals always seem to bounce back with a new modus operandi — indeed, they have moved on from attacking merchants directly to skimming card data from the consumer browser.
Cybersecurity practices have come on in leaps and bounds in the last decade. Ecommerce merchants now typically send payment data from the customer’s own browser directly to the payment processor. This leaves the consumer’s browser as the most target-rich zone for cybercriminals.
These attacks are largely invisible to both the cardholder and the merchant, which is why criminals are still successful with them. Widely reported examples of such attacks include Macy's, where huge numbers of customers were notified that their cardholder data had been stolen. Ecommerce skimming attacks still make up the bulk of attacks against payment card data.
Standards to the Rescue?
The payment card industry has not sat still in the face of the threat of attack by criminal gangs. Their security standard (PCI DSS) is a contractual baseline for anyone that wants to accept payment cards, and is revised regularly to take into account both technological change and criminal attack methodology.
The latest iteration includes two requirements that are designed to curb the rise in skimming attacks. The first new requirement sets out to reduce the number of places that criminals are able to add malicious scripts. Merchants need to authorize and minimize the number of individual scripts that are loaded on payment pages and record all of this information within an inventory.
The second requirement relies on detection — a solution that can quickly spot malicious actors. Merchants must be alerted when new or changed scripts are detected in the page where the consumer enters their cardholder data. In this way, the merchant is able to validate the integrity of any new or changed script.
The new version of PCI DSS will give the advantage to merchants in their ongoing battle against cybercriminals. Better standards and improving technology are efficient weapons to thwart criminals in their endeavors. History has shown that when a new standard is released (and industry adopts the requirements accordingly), classes of criminal attacks are significantly reduced. This is positive news, but we can never rest against an enemy who is always looking to change tack.
John Elliott specializes in regulated security and data protection. He’s represented both Visa Europe and Mastercard on the PCI Security Standards Council and contributed to many of the PCI standards, including most recently PCI DSS v4. Elliott has led aviation and financial services InfoSec and data protection functions and has recently embraced the role of Security Advisor at Jscrambler.