Martin McKeay

Excuse me sir, did you know your site's compromised?

By Martin McKeay
September 28, 2006 10:33 AM EDT
I'd hate to have been one of the merchants who got a phone call from Brian Krebs recently.  While doing research for a Washington Post article, Brian found the names of four ecommerce sites that had been compromised and had credit cards stolen but just didn't know it yet.  The sites were compromised in such a way that the attackers not only had access to the information already in the database, they also had a tunnel back into the sites to pick up new credit card information as customers signed in.

I feel for the people who've had their credit card information stolen, but I also understand the feeling of horror the merchants experienced when Brian Krebs called.  I'm sure that their websites are the main source of income for these smaller online merchants.  Being told that their site's been compromised and that the credit card information they've been collecting is for sale on the Internet has to be a major blow, possibly a killing blow, to their business.

The Payment Card Industry (PCI) Data Security Standards were created to combat this exact sort of situation; but if less than 30% of the Tier 1 merchants, those with 6 million or more credit card transactions a year, have become PCI compliant, who could expect a greater percentage of lower-tier merchants to be compliant?  The truth of the matter is that many of the lower-tier merchants have never heard of PCI and are making little or no effort to become compliant.  After all, that takes money, and what small merchant has money to spare?

Brian's closing comments about CVV2 data don't surprise me in the least.  The CVV2 data is the three- or four-digit code on your credit card that's used as additional verification of the authenticity of your card.  The PCI requirements state that this data, as well as magnetic stripe data in a 'card present' transaction, should never be stored in the databases used by merchants.  But Visa and MasterCard also offer a slight discount to merchants who include the CVV2 data as part of the authentication process.  And since merchants need to collect the CVV2 data for authentication purposes, they might as well keep it in case they need it in the future.  I wonder if any of the credit card data on the affected sites had been encrypted.
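As an added illustration (not code from the post or from any merchant or processor it mentions), here is a Python sketch of the split the paragraph describes: the CVV2 is sent along with the authorization request and then discarded, only the authorization result is persisted, and a scanner run over stored records flags the things PCI says must not be kept after authorization (CVV2/CVC2/CID codes, full magnetic-stripe track data, and a clear-text full PAN). The gateway call, the field names, and the sample card and track values are constructed stand-ins; the well-known 4111... test number is not a real account.

```python
import re
from typing import Dict, List

# Constructed sample checkout data for a hypothetical merchant (not real cardholder data).
SAMPLE_CARD = {"pan": "4111111111111111", "expiry": "12/09", "name": "J DOE"}
SAMPLE_CVV2 = "123"
# Constructed Track 2 magnetic-stripe string in the usual ";PAN=YYMM..." layout.
SAMPLE_TRACK2 = ";4111111111111111=0912101?"

# What a careless merchant database row might look like (constructed): everything kept.
BAD_RECORD = {
    "pan": "4111111111111111",
    "expiry": "12/09",
    "cvv2": "123",
    "track2": SAMPLE_TRACK2,
    "amount_cents": 4999,
}

CODE_KEY_RE = re.compile(r"cvv|cvc|cid|cvn|csc", re.I)        # field names that hold a card code
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}|;\d{13,19}=\d{4}")  # Track 1 / Track 2 shapes
PAN_RE = re.compile(r"\b\d{13,19}\b")                           # candidate primary account numbers


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to tell a real-looking PAN from an ordinary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def authorize(card: Dict[str, str], cvv2: str, amount_cents: int) -> Dict[str, object]:
    """Stand-in for the processor's authorization call (hypothetical; no network).
    The CVV2 travels with this request and nowhere else."""
    approved = luhn_valid(card["pan"]) and re.fullmatch(r"\d{3,4}", cvv2) is not None
    return {
        "approved": approved,
        "auth_code": "A1B2C3" if approved else None,   # constructed approval code
        "verification_result": "match" if approved else "no_match",
    }


def record_transaction(card: Dict[str, str], auth: Dict[str, object], amount_cents: int) -> Dict[str, object]:
    """Persist only what later business needs (refunds, disputes) require.
    The CVV2 and any track data are deliberately absent: the *result* of the check is kept, not the code.
    Keeping only the last four PAN digits is this example's choice, not a claim about the post."""
    return {
        "pan_last4": card["pan"][-4:],
        "expiry": card["expiry"],
        "name": card["name"],
        "amount_cents": amount_cents,
        "auth_code": auth["auth_code"],
        "verification_result": auth["verification_result"],
    }


def scan_record(record: Dict[str, object]) -> List[str]:
    """Flag fields that hold data PCI says must never be retained after authorization."""
    findings = []
    for key, value in record.items():
        text = str(value)
        if CODE_KEY_RE.search(key) and re.fullmatch(r"\d{3,4}", text):
            findings.append(f"{key}: card verification code stored")
        if TRACK_RE.search(text):
            findings.append(f"{key}: magnetic stripe track data stored")
        for m in PAN_RE.finditer(text):
            if luhn_valid(m.group()):
                findings.append(f"{key}: full PAN stored in clear")
    return findings


if __name__ == "__main__":
    auth = authorize(SAMPLE_CARD, SAMPLE_CVV2, 4999)
    safe = record_transaction(SAMPLE_CARD, auth, 4999)
    print("safe record findings:", scan_record(safe))
    print("bad record findings:", scan_record(BAD_RECORD))
```

The scanner is the part worth keeping: run it over an export of whatever table the checkout writes to, and any "verification code stored" or "track data stored" line is a finding regardless of how the column was named. The PAN check reports clear-text numbers only; whether a stored PAN is acceptable depends on it being protected, which this sketch does not model.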

Visa and MasterCard have taken great strides by introducing the PCI requirements, but awareness of the program is still spotty, and they are sending merchants mixed signals by encouraging the use of the CVV2 data.  There are stiff penalties for violating the PCI requirements, but if merchants don't know they exist, they'll never take the requirements into account.  I would suggest they change the system so that there's a financial incentive for merchants to become compliant, rather than a penalty for not being compliant.  It's obvious to me that merchants respond better to incentives they know they'll get than to penalties they might some day have to pay.

I love the work Brian Krebs does, but I'm beginning to hope I never get a phone call from him, either as a consumer or as a security professional.