Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Compromises of e-commerce websites are increasingly common. In our 2012 Global Security Report we reported that 20% of our incident response investigations related to e-commerce sites. This was up from 9% the year before. In my part of the world (Asia-Pacific), this figure is closer to 40%. In almost all of these cases the motive was simple - the theft of credit card data.
In order to better defend against e-commerce attacks, we must first understand them better. In our experience, there are three common methods for e-commerce sites to accept payment cards.
This is the most common method for smaller merchants, especially those that have augmented their pre-existing physical store with an e-commerce outlet. These merchants already have a method of accepting payment card transactions in their store. Instead of getting a second merchant facility for their website, they download the payment card data relating to new orders from their server and manually enter this into their existing facility. As a result of this, payment card data has to be stored somewhere, usually on their web server.
Larger merchants tend to favour this option, as it gives them a seamless customer experience and enables them to authorise payment cards at the time of purchase. The customer submits their payment card data to the merchant's website during the checkout process. The merchant's website then passes this directly onto a third-party for authorisation. Using this method there is no reason for payment card data to be stored on the merchant's server nor is there any need for a customer to be redirected away from the merchant's website.
The goal of hosted and direct payment models is to ensure that the merchant's web server never sees payment card data. In a hosted model, the customer is redirected to a third-party during the check out process. This third party then presents the customer with a form to enter their card data into, processes this transaction and redirects the customer back to the merchant site.
A direct payment model is very similar, except that the credit card form is actually hosted on the merchant's website, but when the customer submits this form the data is sent directly to the third-party instead of back to the merchant.
All of these methods are susceptible to attack in certain circumstances. In general we see three different styles of attack:
This blog post has given you an introduction into how most merchants accept payments and how most bad guys steal this data. In part 2 I'll delve into the misconceptions about e-commerce security that we hear every day.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.