Visa Europe Data Security Alert: Hosted Payment Pages
In recent weeks, Visa Europe has begun to receive notification of a number of attacks against eCommerce merchants using hosted payment page solutions. A hosted payment page describes a method of processing card transactions in which a merchant outsources payment processing to a third party web application designed to accept card payments. Using this method, a merchant simply installs a small piece of code onto their website which will immediately allow the merchant to accept payment card transactions.
When it comes time for a customer to checkout and pay for goods, the code on the merchant’s website will automatically redirect the customer’s browser to the third party payment application where the customer will enter their payment card details. The third party then transmits or processes the transaction on behalf of the merchant, while the merchant and merchant’s web server or website hosting provider never sees card data in the normal course of events.
Merchants using this type of configuration are being targeted by criminals who gain unauthorised access to the merchant’s website by exploiting vulnerabilities in either the website itself or the web server that hosts it. Once in, the attackers modify the code that links to the hosted payment page so that it redirects customers to a counterfeit page that looks identical to the third party’s genuine hosted payment page. Customers usually cannot tell the difference and are tricked into entering their card details. The attacker either transmits the captured data out immediately, typically by email or FTP (file transfer protocol), or writes it to a temporary file (a log or output file, for example) on the compromised web server and retrieves it periodically. The attack is difficult to detect because the modified code often also completes the genuine transaction as normal, so neither the merchant nor the customer notices that anything suspicious has happened.
Recommended Mitigation Strategy
§ eCommerce merchants should carry out regular checks of their website for any new or unknown web pages or files. In particular, merchants should regularly verify that the code which redirects customers to the third party hosted payment page is identical to the code supplied by the third party and has not been modified.
§ If the code that links to the hosted payment page is integrated into a merchant’s shopping cart, eCommerce merchants should ensure that their shopping cart application is patched with the most up-to-date version available.
§ eCommerce merchants should discuss security with their web hosting provider and ensure they have secured their systems appropriately. Web and database servers should be hardened to disable default settings and unnecessary services. Many international system hardening standards exist, such as the benchmarks provided by the Center for Internet Security (http://www.cisecurity.org/benchmarks.html), and merchants should encourage their web hosting provider to adopt them.
§ eCommerce merchants that use web hosting providers or third party payment providers which store, process and/or transmit cardholder data MUST maintain ongoing compliance with the Payment Card Industry Data Security Standard (PCI DSS). eCommerce merchants should ensure that data security language is present in all contracts with entities that store, process and/or transmit cardholder data on their behalf, and that those contracts clearly identify roles and responsibilities for cardholder data protection.
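The two checks the first recommendation asks for (new or unknown files on the site, and an unmodified redirect to the payment provider) can be scripted. The following is an added example written for this page, not code from Visa Europe or any payment provider. It assumes a site root on disk and an allowlist of payment-provider hosts; the host name pay.example-psp.com, the file contents and the "tampered" snippet are all constructed for the demonstration. It also covers the attack described above: the tampered snippet points the checkout form at a page on the merchant's own server instead of the provider, which is exactly the substitution a manifest diff plus a target check would flag.

```python
"""Integrity checks for a hosted-payment-page redirect (added example).

Assumptions: the site lives under one directory; the only hosts the
checkout may hand the customer to are in TRUSTED_PAYMENT_HOSTS; all
file contents below are constructed sample data.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumed allowlist: the provider's genuine hosted payment page host(s).
TRUSTED_PAYMENT_HOSTS = {"pay.example-psp.com"}

# Places a checkout snippet sends the customer: form actions and
# JavaScript location assignments.
TARGET_RE = re.compile(
    r"""(?:\baction|\blocation(?:\.href)?)\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (slash-separated relative path) to its hash."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Files added, modified or removed since the baseline manifest was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def untrusted_targets(snippet):
    """Redirect targets that are not an https URL on a trusted provider host.

    A relative target is reported too: the genuine snippet always sends the
    customer off-site, so a local target means the page has been replaced.
    """
    bad = []
    for m in TARGET_RE.finditer(snippet):
        url = m.group(1)
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname not in TRUSTED_PAYMENT_HOSTS:
            bad.append(url)
    return bad


def demo():
    """Build a sample site, baseline it, tamper with it, and run both checks."""
    genuine = ('<form action="https://pay.example-psp.com/checkout" method="post">'
               '<input type="hidden" name="merchant_id" value="12345"></form>')
    # Constructed attacker version: same form, but posting to the merchant's own server.
    tampered = ('<form action="/checkout-secure.php" method="post">'
                '<input type="hidden" name="merchant_id" value="12345"></form>')
    with tempfile.TemporaryDirectory() as root:
        for rel, body in {"index.html": "<html>shop</html>", "checkout.html": genuine}.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_manifest(root)  # taken when the site is known good

        # Simulated compromise: redirect swapped, capture script dropped in images/.
        with open(os.path.join(root, "checkout.html"), "w") as f:
            f.write(tampered)
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "images", "thumb.php"), "w") as f:
            f.write("<?php file_put_contents('cards.log', serialize($_POST), FILE_APPEND);")

        changes = diff_manifest(baseline, build_manifest(root))
    return changes, untrusted_targets(genuine), untrusted_targets(tampered)


if __name__ == "__main__":
    changes, ok, flagged = demo()
    print("changed files:", changes)
    print("genuine snippet flagged:", ok)
    print("tampered snippet flagged:", flagged)
```

In practice the baseline manifest would be taken when the site is known good (for example right after deployment) and stored off the web server, so that an attacker with write access to the site cannot update it to cover their tracks; a scheduled run of diff_manifest plus untrusted_targets over checkout.html then gives the regular check the recommendation describes.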
Please find attached some newly published Visa Europe fact sheets that we hope you find useful. They go into more detail on SQL injection attacks and on default and shared credentials.
If we receive any further updates regarding this threat we will notify you as soon as possible. If you suspect that your business has suffered an Account Data Compromise you should contact your acquirer immediately. For further advice and contact information please go to http://www.rbsworldpay.com/pcidss/index.php?page=data&l=1.
PCI Security Standards Council: Release of PTS V3.0
The PCI Security Standards Council has announced the release, as of 12th May 2010, of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements V3.0.
A culmination of the three-year lifecycle review process, incorporating feedback from hundreds of constituents, this latest version is designed to streamline and simplify testing and implementation by providing a single set of modular evaluation requirements for all Personal Identification Number (PIN) acceptance Point of Interaction terminals. It also includes three new modules for device vendors and their customers to secure sensitive card data. Version 3.0 is effective immediately, and version 2.0 will sunset on May 12th 2011.
Until now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). Version 3.0 simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.
The PCI SSC also invites Participating Organisations and the public to a webinar that covers the new PTS security requirements in greater depth, to be held on May 18 at 3:00 p.m. ET / noon PT, and May 19 at 11:00 a.m. ET / 8:00 a.m. PT. Registration details can be found here:
May 18: http://register.webcastgroup.com/l3/?wid=0800518105190
May 19: http://register.webcastgroup.com/l3/?wid=0800519105191
For further information, and for access to the new version of the standard, please go to https://www.pcisecuritystandards.org/security_standards/ped/index.shtml.
Trustwave webinar: Common PCI Failures and How to Avoid Them
The requirements of PCI DSS are varied and complex, making the compliance process for small merchants seem like an overwhelming task. But some requirements are more difficult than others, as discovered by the compromise investigations conducted by Trustwave’s security team in 2009.
May 19, 2010 11:00 am
Access code: 356 580 854
Event password: S3cure!
Event address: https://trustwave.webex.com/trustwave/onstage/g.php?t=a&d=356580854
Call number (UK): +44 (0) 207 365 1860
The Q2 2010 edition of the full ‘Payment Security News’ is now out. If you have not already seen it, please visit our website to view a copy - www.rbsworldpay.com/pcidss.
DOWNLOADS
Default & Shared Credential factsheet
SQL factsheet