Hacked eCommerce Websites and Self-Notification
The number of hacked websites losing payment card data is rising rapidly, and the attacks are becoming more sophisticated and stealthy while remaining very lucrative for criminals. You've all probably heard this before and are tired of the rhetoric. What you may not have heard before is what it means for your online business if your website gets hacked and loses payment card data. What are the potential liabilities and what is the industry doing to try to curb the loss of payment card data?
In May 2016, Visa released a new mandate to the European acquiring banks regarding data compromises and penalties. The new mandate is aimed at encouraging the payment card industry to focus on proactive security management and better risk management.
This mandate has not been published. However, we have had feedback from acquiring banks and a detailed presentation delivered by an industry insider, Neira Jones. Neira was previously Director of Payment Security & Fraud at Barclaycard and has since held board positions with several prominent payment companies and security businesses. Neira understands the payment card industry and is very well connected within it, so we're happy to trust the information she has provided and to share it with you.
Let me explain how Visa is encouraging/incentivising proactive security and risk management:
New Penalty Structure for Data Breaches
As of the 1st May, the following rules apply to data breaches involving Visa payment card data:
- A Breach Charge per data breach investigation will be levied.
- Penalties are based on the number of cards breached, including CVV numbers.
- Penalties of EUR 18/card stolen.
While the penalty structure shows how the costs could stack up in the event of a data breach, Visa has set out a number of ways for a merchant to reduce those penalties. This information is not publicly available, but we have managed to get a feel for the numbers, and if you watch Neira's presentation you will glean a bit more information. From what we do know, the penalty reductions support Visa's approach to risk management and their encouragement of proactive security management.
While there are a few different conditions for penalty reductions, the following two are the ones that we feel merchants need to be aware of:
- PCI Compliance - if the merchant is found to be non-PCI Compliant during the forensic investigation, but had been PCI Compliant within the last 6 months, then the fine reductions could be significant (we have heard it could be up to 75%). A big incentive/encouragement to complete your PCI DSS project.
- Self-Notification of the breach and being found to be non-compliant with the PCI DSS in the forensic investigation can also result in significant reductions (we have heard it could be up to a 50% reduction in penalties). A significant incentive to manage security proactively.
Of course, many businesses will read this and assume that they will not be breached - that these penalties are not relevant to them as they will not be one of those companies that get hacked.
How many people look at health stats and believe that they will be better than average, live longer than average? The honest answer is that most of us think like this, especially if we're taking active steps to keep fit, eat well etc. We are an optimistic species (mostly) and tend to think that we can beat the odds.
Well, just like the health stats, if you take care of your website "health", i.e. keep it secure, you will stand a much better chance of beating the odds, and the penalty scenarios outlined above are unlikely to happen to you.
The Importance of Self-Notification
The fact is that on average, data breaches involve active theft of payment card data for 6 months before detection. It usually goes like this:
- Detection is usually via the card brands - i.e. Visa/MasterCard receive notifications that there is fraud on a number of cards.
- The card brands correlate the data and work out that a Common Point of Purchase for all the cards with fraud is a specific merchant.
- They contact the merchant's acquiring bank and request a forensic investigation to identify what happened, how much payment card data was stolen, who stole it and to contain the breach (no more leaking card data).
- The acquiring bank contacts the merchant, who is usually completely oblivious to the breach, and delivers a shocking message that it is highly likely that they have been robbed - and they weren't even aware of it.
This process usually takes, on average, 6 months. That means there is, on average, 6 months of data stolen. Do the maths for your business - how many transactions do you process in 6 months? Multiply that number by EUR 18 and you start to get the scale of the potential liabilities your business could face in the typical scenario.
Self-Notification, on the other hand, can reduce that liability by up to 50%.
How do you self-notify?
Well, firstly, you need to have a very good idea of what is happening on your website. We're not talking about Google Analytics. We're talking about good security monitoring:
- File change monitoring - what changes are being made to the website. Are they your changes, or not?
- Log monitoring - who is accessing your website.
- Daily scans for backdoors, webshells and other malware that attackers use to gain access to websites and steal payment data.
- Web Application Firewall - while you're putting in the security monitoring, why not put in protection too.
If you have these kinds of security checks and balances taking place multiple times per day on your website, you will pick up attacker activity very quickly. If you are checking daily and notice an attack/compromise of payment data, you can take the average of 6 months to identify a breach down to less than 24 hours.
This enables you to Self-Notify and limit your liability. Added to this, if you do have daily checks, then the most you are likely to lose is 1 day of transaction data - compared with the average of 6 months. That is a significant improvement.
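The file change monitoring check from the list above, sketched as an added example (not code from this article or from any Foregenix product): it hashes every file under a web root, compares the result with a stored baseline, and reports only the changes that your own deployment record does not explain. The function names, the `approved` deployment manifest and the sample web root are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def unexplained_changes(baseline, current, approved):
    """approved: path -> digest we deployed (None = approved removal). Hypothetical manifest."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # file untouched since the baseline
        if path in approved and approved[path] == new:
            continue  # "your change": matches what was deployed
        kind = "added" if old is None else "removed" if new is None else "modified"
        findings.append((kind, path))
    return findings

def demo():
    """Constructed sample web root: one approved deploy, two unexplained changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("index.php", b"<?php echo 'shop'; ?>")
        write("checkout/pay.php", b"<?php /* payment form v1 */ ?>")
        write("css/site.css", b"body{}")
        baseline = snapshot(root)
        # Our own release, recorded in the deployment manifest.
        write("css/site.css", b"body{margin:0}")
        approved = {"css/site.css": hashlib.sha256(b"body{margin:0}").hexdigest()}
        # Changes nobody on the team made (constructed for the example).
        write("checkout/pay.php", b"<?php /* payment form v1, altered */ ?>")
        write("images/cache.php", b"<?php /* unexpected file */ ?>")
        return unexplained_changes(baseline, snapshot(root), approved)

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Run on a schedule against a baseline stored off the web server, any non-empty result is the "not your changes" signal that should trigger investigation and, if card data is involved, the call to your bank.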
Self-Notification involves calling your bank and letting them know you have had an incident. Follow this up with an email outlining what you found and what you are doing to fix the issue. Your bank will then manage the notifications with the card brands on your behalf.
What can you do to get started with securing your website?
Firstly, understanding the security posture of your website is useful. Go to webscan.foregenix.com to run a free scan against your website to identify any known issues, externally visible malware and indicators of compromise.
It's free - you can run the scan anonymously for a summarised onscreen report. Or you can put in your email and we will send you a more detailed PDF report with recommendations.
Secondly, if you would like to do some further reading on the appropriate security controls for securing a website, we have a free ebook available for download: