PCI Compliance, SAQ A & the Hacked Website. Does tick box compliance ensure security?

They were right. With the increasing numbers of small to medium sized businesses getting hacked, as an industry, we’ve got to ask what is going on and what can we do better to help protect them?

What’s going on?

While the identities of hacked businesses in the European region tend to be protected by the merchants and their banks (nobody wants to say “hey everybody – we’ve been hacked, and no we weren’t really looking after our customers’ data very well, so it all got stolen too”), with the European Data Protection Directive due to come into being in 2017, they will be required by law to tell everyone that they have been hacked and were negligent with their client data (and are likely to receive a hefty penalty too).

So while there is little evidence to be seen of the growing numbers of hacked eCommerce businesses, you’ll have to go on our word that so far this year we have already done as many cases as we did in the whole of 2013 – we have a very active forensic team (one of the leading forensic teams globally) and 2013 was busy.

There is a growing problem in the eCommerce industry. 

The Hacked eCommerce Victim Perspective

The vast majority of hacked eCommerce businesses have a similar story to tell when they contact us:

• They usually had no idea that they had been hacked (prior to the call from their bank) – most do not believe it still.
• This is a potentially catastrophic event for their business and they need it fixed fast and as cheaply as possible.
• They had completed the Self Assessment Questionnaire and thought they were compliant.
• They thought their web developer was taking care of everything.

Unfortunately, in most cases the bank’s alert proves to be correct – the website has been hacked and a lot of payment card data has been stolen. It is expensive, hugely disruptive, exhausting and in some cases catastrophic for these businesses.

Some learn from the experience and others just want to be back up and running as soon as possible, viewing the forensic process as inconvenient bureaucracy. 

How do they end up being hacked?

If you think through the process of setting up an online business, it goes something like this:

1. Build a basic business plan.
2. Source funding (family and friends usually to start).
3. Register the company.
4. Register the domain.
5. Find a web developer and build website.
6. Find a payment processor.
7. Obtain a merchant account from an acquiring bank.
8. Complete PCI SAQ A or A-EP for the bank.
9. Source stock.
10. Sell stock.
11. Grow the business quickly and get into positive trading territory.

Yes, we’ve simplified the process somewhat… However, more often than not, the first time that security is usually considered is during the answering of the Self Assessment Questionnaire.

Of course, the web developer has a bit of security experience and aims to build a secure website. The right intentions are there, but going on the experience of our forensic team, web developers tend to have some of, or most of, the following challenges:

• They operate in a very competitive industry.
• They build highly effective, beautiful websites that sell their client’s products.
• They often use a platform (Magento, Drupal, OS Commerce) to expedite the build and ease the management process.
• Hosting is usually in a shared environment (cheap and it works).
• Most clients shy away from paying for ongoing maintenance – they’re start ups and cost is an issue – therefore once built, the websites do not generally receive a huge amount of attention until the client wants to make changes.
• Cash is king – the market is competitive and they need to keep building new websites to make money. Managing existing websites provide a low level of residual income, while new websites bring in the cash (we're focusing on SME websites here - not high street retailers).
• They know security needs to be in place and usually when the website goes live, it is in a pretty secure state.

So the website is PCI Compliant…

Let’s assume – for sake of simplicity that the web developer built the website with a redirect payment / hosted payment page at the chosen payment service provider. The website owner has completed the Self-Assessment Questionnaire – SAQ A. Given that most website owners are not hugely tech-savvy, SAQ A can still be challenging even though it is only dealing with Requirement 9 (Restricting Physical Access to Cardholder Data) and Requirement 12 (Maintain an Information Security Policy) – however, they cope with the questions, complete the SAQ and their bank gives them the nod of approval – happy days – they are PCI Compliant.

It’s what happens next that is usually where the issues start. 

And the website gets hacked…

In 2015, Magento released a patch to update their platform and close the Shoplift vulnerability (we wrote about it in June 2015). Many thousands of websites have fallen victim through this vulnerability and many more will (we still see roughly 10% of all websites that scan themselves using our free Magento scanner being vulnerable to Shoplift still). Why? 

It’s a fairly simple vulnerability that can allow attackers to gain complete control of a website. Web developers can protect against this type of attack through a number of ways – here are a couple of examples:

• Staying on top of security alerts and patching systems as soon as an update comes out.
• Monitoring for changes to their client websites – as soon as an attacker gains access through a vulnerability such as Shoplift, they tend to install a web shell – like Filesman. This gives them easy access from that point forward – even if the web developer patches the system.
• Installing a web application firewall to protect the website from the outset – this will defend against a wide range of attacks, passing clean traffic through to the website and filtering out aggressive/attack traffic. 

The issues here are that the web developers are usually too busy building new websites to monitor existing ones, don’t have appropriate monitoring in place or have not installed a web application firewall as their client was on a budget and perhaps the monthly cost of a web application firewall seemed to much of an extravangance – “besides who would be interested in attacking this new website?”

Its not personal…

We often have business owners asking “why me? Why my business?” The fact is that it is very rarely a personal attack.

Have you ever checked your website logs? If you have, you will know that your website is being scanned multiple times per day. 

The average time between attacks across our clients' websites is under 5 minutes - every 5 minutes they are getting attacked.

Indexing the top 1 million eCommerce websites is a simple process – the full list of websites is publicly available. Our forensic team conducted an experiment 18 months ago where they scanned the top 1 million eCommerce websites to detect a particular malware attack that had been successfully used in multiple cases to steal payment card data.

Clearly it is a relatively simple process to carry out these external scans – and you can be sure that any attacker worth their salt will have done the same – indexing which websites use which platforms. This is handy to know – especially when a zero day vulnerability is announced on a particular platform/technology. If you have indexed the top 1 million eCommerce websites, you automatically know who your potential targets are and can get to work immediately.

It’s not personal – it’s business as usual for the attackers.

So here you have the scenario where the small/medium eCommerce business has completed the PCI Self-Assessment Questionnaire A (SAQ A) and validated that they are compliant.

They have outsourced their payments to a PCI Compliant payment service provider and are using a redirect payment page.

And yet they’ve been hacked.

How does a PCI Compliant SAQ A eCommerce Business get Hacked?

Quite easily is the answer.

If you read our recent blogs on:

• Malware Alert: iFrame Interception attack; and
• Magento Malware Alert: Malicious Client Side Javascript

You’ll see that even with the industry-recommended outsourced payment models for eCommerce, if a website is not secure itself, then the payment process can easily be intercepted or manipulated and payment card data stolen. 

Visa Europe identified this issue as far back as 2010 and issued an alert, which you can read here.

Simply put – in order to protect your customer data, you need to secure your website.

Securing a website does not have to be difficult

If you’re a website owner, you need to work closely with your web developers – they are in a great position to provide the vital security monitoring that your website needs to keep being successful. 

Here are a couple of the key controls:

• File change monitoring – developers need to understand what is changing on the website from day to day. Changes made by one of your team = GOOD. Other changes = BAD. Likely to be attacker activity. Check any code that has changed and that you are not aware of.
• Malware Detection - Malware stands for “MALicious softWARE” – a term for all sorts of software used for criminal activity. Of all the websites we assist following a breach, around 90% have had malware introduced into their website to: 
  • Provide a back door for later access.
  • Load up other malicious software.
  • Enable stealthy reconnaissance.
  • Provide interactive access for the attackers.
  • Steal credit card data.
  • Steal personal data.
  • Or all of the above…

Some malware is detectable by doing an external scan (have a look at our free Magento scanner) however, most of the malware we have encountered is well hidden within a website – evading detection by even some of the most vigilant web admins.

We recommend daily checks using an advanced malware detection solution as a highly effective defence against malware attacks. 

• Patching – ensure your software is kept up to date. Example, the Magento Shoplift has been out for over a year with patches available to plug the vulnerability. Websites who patched quickly were not hacked. Websites who have been slow to patch are perfect targets for attackers to focus on. In fact if you have not patched your website for the Magento Shoploft vulnerability, there is a good chance your site has been attacked and compromised by now.
• Web application firewall – for those who may be unable to quickly deploy software updates, a web application firewall provides an additional layer of protection to a website and may be the difference between getting attacked and getting compromised.

 You can read more on our blog article: 11 Steps to Improve your Website Security

If you’re a web developer, please get in touch with us using the form below. Our FGX-Web technology will "bake the security into your websites" and give you the ability to have our expert team working for you, taking care of your clients’ website security.