In recent years we have seen a significant increase in online shopping as more and more retailers try to meet consumers' demands for lower cost, increased product choice, time savings, and convenience. According to US Census Bureau News, published May 17, 2019, e-Commerce sales totaled $137.7 billion, a 12.4 percent increase over the same period in 2018. Nearly all e-Commerce transactions have one thing in common: goods and services are paid for by credit card. Needless to say, e-Commerce represents a significant opportunity for bad actors to obtain your credit card information during the payment process. This is why the Payment Card Industry Security Standards Council (PCI SSC) released a bulletin on August 2nd, 2019 regarding the Threat of Online Skimming to Payment Security.
Magecart Online Skimmer
The Difference Between a Physical Skimmer and an Online Skimmer
A physical skimmer is a device attached directly to a credit card payment terminal, ATM, gas pump card reader, or similar equipment. These devices capture information from the card's magnetic stripe or embedded chip, and may even record the PIN entered on the keypad. Attackers have retrieved the captured data either over a Bluetooth connection to the device's memory storage card or by returning later to recover the memory storage card that was installed.
One might wonder how we can best detect and prevent these actions. A number of PCI DSS controls help organizations detect and prevent both physical skimming devices and online skimming mechanisms. Controls evaluated in a PCI assessment include physical device inspections, code review, change management practices, access controls, vulnerability management, penetration testing, and security awareness training. The challenge with online skimming, however, is that the malicious code has been seen to be as little as 22 lines of code, or less, and is often embedded in third-party apps not controlled by the e-Commerce provider. Unlike a physical card skimmer, there is no physical skimming device to find.
Impact on PCI DSS Assessment for e-Commerce
The impact that Magecart will have on a merchant's PCI assessment is yet to be determined. However, the current PCI DSS standard is based on the delivery of the payment page and how it is protected. The reduced requirements of SAQ A may not be enough, since the e-Commerce site itself is at risk and may allow the exfiltration of personal and credit card data through the delivery of malicious code to its customers' web browsers. Due to the rise in online skimming, the PCI Council may make changes to SAQ A in order to protect cardholder data.
PCI SSC Recommendations for Detection and Prevention
The PCI SSC has made a number of recommendations that will assist you in detecting and preventing Magecart web-based (online) skimming attacks.
- Reviewing code in order to identify potential coding vulnerabilities (Req. 6)
- Use of vulnerability assessment tools to test web applications for vulnerabilities (Req. 6)
- Audit logging and reviewing logs and security events for all system components to identify anomalies or suspicious activity (Req. 10)
- Use of file-integrity monitoring or change-detection software (Req. 11)
- Performing internal and external network vulnerability scans (Req. 11)
- Performing periodic penetration testing to identify security weaknesses (Req. 11)
- Disable unnecessary ports/services/functions and configure components securely in accordance with industry accepted system hardening standards (Req. 2)
- Implement malware protection and keep it up to date (Req. 5)
- Apply security patches for all software (Req. 6)
- Follow secure coding practices and perform code reviews (Req. 6)
- Restrict access to only what is absolutely needed and deny all other access by default (Req. 7)
- Use strong authentication for all access to system components (Req. 8)
- Implement intrusion-detection and/or intrusion-prevention to detect and prevent intrusions (Req. 11)
- Conduct proper due diligence prior to engagement of third-party service providers and monitor service providers’ PCI DSS compliance status (Req. 12)
- Additional controls for hosting service providers to protect their customers’ hosted environments and data (Appendix A1)
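Two points above, that skimming code is tiny and arrives through third-party scripts the merchant does not control, and the recommendation to use file-integrity monitoring or change-detection software, can be combined into a check on the payment page itself. The following is an added example, not code from the PCI SSC bulletin or this article, that compares the scripts a checkout page loads against an approved baseline; the URLs, script contents and baseline values are constructed.

```python
import base64
import hashlib
import re

# Change detection for the scripts a payment page loads: external scripts are
# checked by src against an approved digest, inline scripts against a set of
# approved digests. Digests use the "sha256-<base64>" form of Subresource Integrity.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def sri_digest(content: bytes) -> str:
    """SHA-256 digest of script content in SRI notation."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


def extract_scripts(html: str):
    """Yield (src, inline_body) for each <script> tag; src is None when inline."""
    for attrs, body in SCRIPT_RE.findall(html):
        match = SRC_RE.search(attrs)
        yield (match.group(1) if match else None, body)


def audit_payment_page(html, fetched, baseline, approved_inline):
    """Return one finding per script that is absent from, or differs from, the baseline.
    fetched: src -> bytes actually served; baseline: approved src -> digest;
    approved_inline: digests of reviewed inline scripts. Empty result = no change."""
    findings = []
    for src, body in extract_scripts(html):
        if src is None:
            digest = sri_digest(body.strip().encode())
            if digest not in approved_inline:
                findings.append(f"unapproved inline script {digest}")
        elif src not in baseline:
            findings.append(f"unexpected external script {src}")
        elif sri_digest(fetched.get(src, b"")) != baseline[src]:
            findings.append(f"changed content for {src}")
    return findings


# Constructed sample data: one approved checkout script and one reviewed inline snippet.
CHECKOUT_URL = "https://cdn.merchant.test/checkout.js"
CHECKOUT_JS = b"function pay(form){return form.submit();}"
INLINE_OK = "console.log('checkout loaded');"
BASELINE = {CHECKOUT_URL: sri_digest(CHECKOUT_JS)}
APPROVED_INLINE = {sri_digest(INLINE_OK.encode())}
CLEAN_PAGE = f'<script src="{CHECKOUT_URL}"></script><script>{INLINE_OK}</script>'
# Same page after an unreviewed change: a script from an unknown host was added
# and the served checkout.js no longer matches its approved digest.
ALTERED_PAGE = CLEAN_PAGE + '<script src="https://static.unknown-cdn.test/lib.js"></script>'
ALTERED_FETCHED = {CHECKOUT_URL: CHECKOUT_JS + b"\n// edited"}
```

Running `audit_payment_page` on each release, and on the page as actually served to a browser, turns the "22 lines of code" problem into a change-management event that can be reviewed under Req. 6 and logged under Req. 10.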
Finally, work with your QSA should you have any questions surrounding the PCI DSS requirements and how to best assess and secure your e-Commerce environment.