Millions of people shop online every day using payment cards. The move to e-commerce was accelerated by the pandemic, particularly in companies and areas where an online transactional presence was not originally seen as a priority. And, despite some early turbulence, we all now mostly trust e-commerce. Shopping online is generally safe, but under the surface, there’s a war going on to keep our payment card data secure.
The Evolution in Where Criminals Attack
When criminals first realized that they could steal cardholder data to make fraudulent transactions, their focus was stealing data from internet-connected point-of-sale (POS) systems. The industry reacted by creating the Payment Card Industry (PCI) Data Security Standard (DSS) that described the security measures that should be taken to protect payment card data from criminals.
As merchants put in place measures to protect their POS systems from internet attacks, the criminals moved on to the locations where cardholder data was stored or consolidated. Over time, companies removed legacy data stores and adopted the technical controls specified in PCI DSS to protect the locations where they stored, processed, or transmitted payment card data, making life harder for criminals.
The war between criminals and the payment industry has continued ever since. As security architecture and industry standards evolved, criminals found new ways to attack. In e-commerce, criminals have moved from attacking a merchant’s own e-commerce infrastructure to skimming payment card data from the consumer browser.
This is because they either found the merchant well protected (the general standard of cybersecurity has changed massively in the past ten years) or because the e-commerce merchant, like brick-and-mortar retailers before them, had decided that there’s no value in touching payment card data, and so a cardholder’s details are sent straight from the customer’s own browser to the payment processor, bypassing the merchant’s own systems.
This leaves the consumer's own browser as the only remaining place to attack. The criminals' aim is to capture the cardholder data at the moment it is entered into the merchant's checkout page, before it reaches the payment processor.
Such attacks are invisible to both the cardholder and the merchant – the transaction happens as it is supposed to: the merchant gets the funds, the customer receives the goods or services they ordered, and the criminals get the customer’s payment card data.
When these attacks first happened, they made the news. Newegg, Macy's, Ticketmaster and British Airways are some that you may remember, or where you were notified that your own cardholder data was stolen. Just because these attacks are no longer newsworthy doesn't mean that they are not occurring: these so-called e-commerce skimming attacks represent the majority of attacks against payment card data.
The criminals’ methodology
The power of standards
Although some merchants have worked out how best to defend against these attacks, many others remain unaware. Luckily, the payment card industry has a well-respected security standard that is a contractual baseline for anyone who wants to accept payment cards: PCI DSS. First released in 2004, and maintained by the PCI Security Standards Council (PCI SSC) since 2006, the standard is revised every few years to take account of changes in technology and in the ways that criminals attack.
The newest iteration, version 4.0, was released in March 2022. The previous version (3.2.1) is retired on 31 March 2024, and the two new anti-skimming requirements described below are "best practice" until 31 March 2025, after which they are mandatory. In this new version, the PCI SSC has included two requirements that aim to stop the rise in skimming attacks and give merchants the weapons they need to win the battle against the criminals. Each time a new version of the standard is released and the industry adopts the requirements it contains, classes of criminal attack are significantly reduced. It is hoped that this trajectory continues!
The first new requirement (6.4.3) aims to reduce the number of places where a criminal could add their malicious scripts. It requires merchants to keep an inventory of every script loaded and executed in the consumer's browser on payment pages, with a written justification for why each one is necessary, to have a method for confirming that each script is authorized, and to have a method for assuring the integrity of each script. Minimizing that inventory shrinks the attack surface; authorizing and integrity-checking it means an injected or modified script is no longer "just another script".
The second requirement (11.6.1) is detective rather than preventive: it requires a change- and tamper-detection mechanism that alerts the merchant when the HTTP headers or the contents of the page where the consumer enters their cardholder data (including its scripts) are changed or added, evaluated at least weekly or at a frequency set by the merchant's targeted risk analysis. This lets the merchant validate the integrity of any new or changed script instead of discovering the skimmer months later from the fraud data.
As merchants throughout the world transition to the new version of PCI DSS and implement these two new requirements, the advantage in the battle against criminals will shift in the merchants’ favor.