Read to learn how you can successfully resolve a data breach.
We understand the stress that comes with realizing your customers’ payment data is being stolen.
However, there are steps that you can take to make your breach process less stressful. We have helped numerous merchants successfully resolve their data incidents. Drawing from our 20+ years of experience, this document assists merchants who are suspected of losing payment data.
When criminals use stolen payment data to obtain goods or services and the actual cardholder reports it, the fraudulent purchases are reported to the card brands, which use the data to identify the merchants from which the card data was most likely stolen. Such merchants are commonly labeled a Common Point of Purchase (CPP).
Today, merchants who offer ecommerce or internet purchasing are among the organizations most targeted for payment data theft.
Card brands have a duty to protect their customers from having their data stolen or fraud perpetrated against their account. Identifying the sources of stolen payment card data is part of their approach. The PCI Data Security Standards are in place to help prevent this data from being stolen, but when it’s stolen the card brands are obligated to stop further data losses.
Payment brands want to stop further payment data loss as soon as possible.
Between the major payment card brands, merchants are commonly required to complete one of four possible approaches (i.e., questionnaire, Shopping Cart Inspect, incident response forensics, official PCI forensic investigation) in order to resolve a suspected payment data breach.
If one approach does not yield the desired success, a subsequent approach is commonly requested. Each successive approach brings increased technical assistance to help the merchant and potentially higher costs to the merchant. The objective for merchants is to permanently resolve payment data losses as early as possible, as the last of these approaches can include a collection of additional fees and costs.
The card brands are under no obligation to require these approaches in cost-progressive order. They make their own determinations depending on the volume of suspected card losses, fraud losses, a merchant’s cooperation, or any other criteria they deem appropriate.
Filling out the payment card brand questionnaires is typically the first step when merchants are suspected of having their payment data stolen. The payment card brands’ questionnaires have some similarities, and all share the objective that merchants will identify and resolve all issues related to their suspected breach and report accordingly.
If an ecommerce merchant responds to the questionnaire and payment data continues to be lost, a card brand may require the organization to use Shopping Cart Inspect. Other acquirers may also recommend this service for merchants struggling to identify what contributing factors led to a compromise.
Shopping Cart Inspect uses patented processes to analyze an online purchase within customers’ browsers. It also checks for misdirected or redirected credit card data, which is a clear indication of a breach.
Shopping Cart Inspect has a track record of identifying key vulnerabilities which other cyber security services do not find. Shopping Cart Inspect costs much less than an Incident Response Forensics investigation, with the added benefit of having nothing to install.
This incident response forensics service is often requested by merchants who have answered the questionnaire yet continue to lose credit card data (but whose losses do not yet require an official PCI forensic investigation).
Merchants should use a qualified forensics firm to help identify the issues contributing to their data loss and to consult with them on how to eradicate further payment data losses. Many payment processors request that merchants use an authorized PFI organization for this investigation.
EU merchants may have certain reporting requirements if a specific EU payment brand is involved. Other regions are not known to have formal reporting requirements other than acknowledging and reporting they have completed their investigation.
An official PCI forensic investigation is commonly required when significant thresholds of data are identified as having been exposed by or stolen from a merchant, when the card brands determine it to be a requirement, or when the other steps (i.e., questionnaire, Shopping Cart Inspect, incident response forensics) have been performed and data continues to be lost by the merchant.
This investigation must be performed in accordance with documentation created by the PCI Security Standards Council (PCI SSC). This investigation can only be performed by an authorized PCI Forensic Investigation (PFI) vendor that the PCI SSC certifies and manages.
This is normally the most expensive possible step for merchants as the investigation costs are higher and are potentially accompanied by fees and penalties from the payment brands.
SecurityMetrics recommends that organizations cooperate fully with the parties designated to handle these cases and their subsequent requirements. Your payment processor or card brand may have their own requirements for resolving these cases.
Non-cooperation can have negative financial consequences on merchants. For example, merchants can have their right to receive electronic payments removed.
There are three important issues to consider and resolve with cases where criminals have gained unauthorized access to your payment data.
If any of these three issues continue to exist and are not resolved, hackers will continue to steal your data.
Three resolution approaches exist to address exploited software or systems:
Here are three common attack scenarios that might have been the cause of the data breach:
The most common exploitation SecurityMetrics observes arises from software vulnerabilities within a merchant’s ecommerce system, which are exploited to steal payment data and/or other personally identifiable information from your customers.
Common attack methods after exploiting a vulnerability include:
Many cyber security tools exist to identify vulnerabilities or malware activity. Consider using a broad cross section of tools and experts to identify system and software weaknesses, then fix all identified weaknesses.
Cyber forensics tools and/or services may be needed to identify the specific attacks being perpetrated in your systems. Where possible, research the breadth and depth of cyber forensics vendors as you consider assistance.
Important Note: Ecommerce merchants who have been validating PCI compliance using SAQ A prior to PCI DSS 4.0 (effective March 31, 2024) often have security weaknesses within their web solution. PCI DSS v4.0 SAQ A contains additional requirements to address sophisticated hacking attacks.
SecurityMetrics recommends that you begin with a PCI ASV scan to potentially identify security issues within your website. If any serious issues are identified, work expeditiously to get these resolved.
You can also review the new PCI DSS 4.0 SAQ A or even SAQ A-EP for an enhanced list of security practices that could strengthen the security of your website and even potentially thwart further abuse of your ecommerce solution.
A growing number of cases involve criminals creating and advertising duplicate websites of a merchant’s own ecommerce store to trick consumers into purchasing products from the rogue website.
After harvesting the customer's confidential payment information, the spoofed site will facilitate passing purchase data to the merchant’s processor or will use automation to process the customer’s order on the merchant's website.
To begin identifying a spoofed website, search for alternative purchase options for your products and services. This may be a look-alike site, similar to your ecommerce website.
Once you locate a spoofed site, conduct a technology review to ascertain how the valid transaction data is being passed to the merchant’s systems.
Remediation then consists of changing system behavior so that transaction data relayed by the criminals’ site is identified and its acceptance thwarted.
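As an added illustration of the technology review described above (this code is not part of this document or of any SecurityMetrics product), the Python below scans constructed web-server log lines for checkout submissions whose Origin or Referer comes from a look-alike host, that lack those headers entirely, or that arrive in bursts from a single address; these are the traces a relay from a spoofed site or an automated re-ordering script would leave. The log format, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log lines (combined log format with the Origin header
# appended as a final quoted field); hostnames are placeholders.
MERCHANT_HOSTS = {"shop.example-merchant.test"}
SAMPLE_LOG = """\
203.0.113.10 - - [02/May/2024:10:01:03 +0000] "POST /checkout/submit HTTP/1.1" 200 512 "https://shop.example-merchant.test/cart" "https://shop.example-merchant.test"
198.51.100.7 - - [02/May/2024:10:01:09 +0000] "POST /checkout/submit HTTP/1.1" 200 512 "https://shop-example-merchant.test/cart" "https://shop-example-merchant.test"
198.51.100.7 - - [02/May/2024:10:01:11 +0000] "POST /checkout/submit HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [02/May/2024:10:01:12 +0000] "POST /checkout/submit HTTP/1.1" 200 512 "-" "-"
203.0.113.22 - - [02/May/2024:10:05:40 +0000] "GET /product/42 HTTP/1.1" 200 2048 "https://www.google.test/" "-"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \d+ "(?P<referer>[^"]*)" "(?P<origin>[^"]*)"')

def host_of(url):
    """Hostname of a logged URL, or None when the field was empty ("-")."""
    return urlsplit(url).hostname if url and url != "-" else None

def flag_relayed_checkouts(log_text, checkout_path="/checkout/submit",
                           burst_limit=2, burst_seconds=30):
    """Return (line_number, reason) pairs for checkout POSTs that look relayed or automated."""
    findings = []
    seen = defaultdict(list)  # client IP -> timestamps of its checkout submissions
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != checkout_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        for header in ("origin", "referer"):
            h = host_of(m[header])
            if h is None:
                # Real browsers normally send Origin on a POST; scripts often omit it.
                findings.append((n, f"missing {header} on checkout"))
            elif h not in MERCHANT_HOSTS:
                # Submission was initiated from a page on another (look-alike) host.
                findings.append((n, f"{header} from foreign host {h}"))
        seen[m["ip"]].append(ts)
        recent = [t for t in seen[m["ip"]] if (ts - t).total_seconds() <= burst_seconds]
        if len(recent) > burst_limit:
            findings.append((n, f"{len(recent)} checkouts from {m['ip']} in {burst_seconds}s"))
    return findings
```

Hits on the foreign-host or burst checks are the lines to pull for the technology review; the constructed log above yields seven findings across lines 2 to 4.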
If you discover a spoofed website, report it to:
It is possible that company staff, vendors, or someone with physical access to sensitive systems or data may be stealing or facilitating access to payment data.
Anyone with direct physical access to systems that handle sensitive data (or who controls access to them) may be able to introduce software into those systems to facilitate the theft of sensitive data.
This type of investigation involves cross-referencing human activity with access to data stolen from physical cards, or with access to the systems involved in card data theft.
Be sure to record all evidence of a breach, as criminal proceedings could follow and may require this data.
SecurityMetrics has provided cyber forensics assistance since 2001.
SecurityMetrics provides free advice to those suspected of a breach, as well as paid forensics services for merchants and service providers.
Numerous merchants of all sizes have gone through the process of dealing with a compromise. We encourage you to be methodical, thorough, and honest with yourselves regarding your security situation.
Feel free to reach out to us should you wish to learn more about tools, techniques, and solutions to protect the technology portion of your business.
For forensics-related discussions with SecurityMetrics, please call 801-705-5683 or email bradleys@securitymetrics.com.
We secure peace of mind for organizations that handle sensitive data. We hold our tools, training, and support to a higher, more thorough standard of performance and service. Never have a false sense of security.™
We are a PCI certified Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), PCI Certified Forensic Investigator (PFI), and Managed Security provider with over 20 years of data security experience. From local shops to some of the world’s largest brands, we help all businesses achieve data security through managed services and compliance mandates (PCI, HIPAA, GDPR, HITRUST). We have tested over 1 million systems for data security and compliance. We are privately held and are headquartered in Orem, Utah, where we maintain a Security Operations Center (SOC) and 24/7 multilingual technical support.