As people practice social distancing to limit the spread of COVID-19, they’re also changing the way they shop. Instead of going to stores, consumers are taking to the internet. In fact, there was a 209 percent increase in general retail online sales in the month of April, compared to 2019.1 Many experts expect that shopping habits will change permanently even after society returns to some type of normal.
With more people making online purchases, it’s a good time for online retailers to:
- Consider the cyber risks associated with e-commerce
- Verify that they’re compliant with payment card industry regulations
- Ensure that they’re appropriately protected against potential cyber attacks
Cyber Risks Faced By Online Retailers
In these times of ransomware and social engineering fraud, it’s easy to forget that data breaches remain the all-time most expensive type of cybercrime, and payment card breaches are at the top of that scale. While the introduction of EMV technology (chip card) has reduced fraud at the point of sale, criminals have turned their attention to online transactions and the market for stolen payment card information continues to flourish on the dark web as a result. In fact, the demand for card-not-present data stolen in attacks against online retailers has pushed the prices for such data up dramatically, which in turn has led to an increase in online breaches.2
Cyber criminals use a variety of methods to steal payment card information from websites, but the most common types of attacks are Cross-Site Scripting and SQL Injection.
Cross-Site Scripting and Web Skimmers
Criminals gain access to websites, either directly or through third-party services, inject malicious code into online payment forms, typically checkout pages, and use a web skimmer to collect payment card information entered by online shoppers. One of the most effective web skimmers is Magecart, which attackers used in several high-profile payment card breaches in 2019.3
SQL Injection
While this is an older attack method, it’s still widely used because of widespread coding errors in the web application code that passes shopper input to the underlying databases storing that information. Hackers enter specially crafted commands into the data entry fields used by shoppers to gain control of the database storing credit card information.
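The coding error behind SQL injection is easiest to see side by side with its fix. The following is an added example, not code from the article or from The Hartford: it builds a small in-memory SQLite table with made-up order data, then runs the same lookup two ways. The vulnerable version pastes the shopper's input straight into the SQL text, so the input can change the query's structure; the safe version passes it as a bound parameter, so the database only ever treats it as data. The table, column names and test card values are all constructed for the illustration.

```python
import sqlite3


def build_sample_db():
    # Constructed sample data standing in for a retailer's order table.
    # The last-four values are made up, not real card numbers.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111"), ("carol", "0005")],
    )
    conn.commit()
    return conn


def lookup_orders_vulnerable(conn, customer):
    # Vulnerable: the shopper-supplied value is concatenated into the SQL text,
    # so a value containing quotes and SQL keywords rewrites the WHERE clause.
    query = f"SELECT customer, card_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(query).fetchall()


def lookup_orders_safe(conn, customer):
    # Safe: a parameterised query. The driver sends the value separately from
    # the statement, so it can only ever match (or fail to match) a row.
    query = "SELECT customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(query, (customer,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    crafted = "x' OR '1'='1"  # constructed input that alters the query's logic
    print("vulnerable:", lookup_orders_vulnerable(db, crafted))  # every row
    print("safe:      ", lookup_orders_safe(db, crafted))        # no rows
    print("safe, normal input:", lookup_orders_safe(db, "alice"))
```

The same pattern applies to any database driver: a query that is assembled with string formatting is the defect to look for in a code review, and the fix is always to keep the statement text fixed and supply values through the driver's parameter mechanism.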
Denial of Service (DoS) Attacks
Another threat to online retailers is Denial of Service (DoS) attacks. These attacks aim to cause interruption rather than steal data. There are many ways of making a website’s service unavailable to users. The most common and effective method is a distributed denial of service attack. Hackers use networks of hundreds or thousands of hijacked devices, known as botnets, to flood a website with traffic, causing the site to crash. These attacks are sometimes used to divert attention from a data breach in progress.
What Is the Impact of a Payment Card Breach on Businesses?
When a payment card breach is discovered or suspected, a forensic investigation will determine:
- If a card theft actually occurred
- How much information was stolen
- If the online retailer complied with the payment card industry regulations
What follows is a complex process of adding up the costs of any fraud associated with the stolen card data and of issuing new cards to affected cardholders. Some or all of these costs are passed on to the online retailer as penalties in accordance with contractual provisions in merchant services agreements and card association regulations. The penalties can range from a few thousand dollars to tens of millions of dollars.
In addition, businesses may also face other costs related to:
- Legal advice
- Notification of affected cardholders
- Credit monitoring
- Regulatory fines
- Privacy class actions
- Reputational loss
To estimate the potential loss from a data breach, policyholders can use a free data breach cost calculator within The Hartford Cyber Center. The Hartford Cyber Center is a digital cyber risk management portal that provides sample policies, research tools, cyber and privacy industry publications, as well as the latest cyber intelligence, all free to policyholders. (Login required – sign up if you don't have an account.)
Compliance With Payment Card Industry Security Requirements Is Key
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements that applies to any business accepting payment with cards from any of the major card brands. Since its introduction over 15 years ago, PCI-DSS has evolved into a robust security framework that involves an annual compliance attestation process. Compliant businesses may not face penalties should they fall victim to a data breach.
Unfortunately, there are still many misconceptions about PCI-DSS compliance requirements. Some include:
- Outsourcing payment processing automatically leads to compliance
- PCI-DSS doesn’t apply to small businesses
- Only businesses that store payment card data need to comply with PCI-DSS
- Using the wrong self-assessment form
- The payment processor is liable for any costs associated with a data breach
Compliance has also been declining since peaking in 2016. In its 2019 Payment Security Report, Verizon found that just over one-third of all companies were fully compliant.4 This means many businesses will be in for an expensive surprise if they’re hit with a data breach.
Businesses should waste no time in working toward PCI compliance to make sure that they’re adequately protected against payment card breaches and able to control the costs should a breach happen.
Maintaining Secure Payment Applications
Compliance with PCI regulations doesn’t make businesses immune to attacks, and challenges exist particularly in the area of vendor risk. Few businesses develop or fully maintain their payment applications in-house, and most e-commerce therefore involves some level of outsourcing. The majority of attacks exploit code vulnerabilities in payment applications, and businesses should follow these recommendations when choosing and maintaining their payment solution:
- Use a PA-DSS (PCI) validated payment application or PCI-DSS compliant e-commerce hosting solution. If the application is custom or developed in-house, ensure PA-DSS is used as a guide.
- Payment card applications should be implemented by a PCI Qualified Integrator & Reseller.
- Apply security patches in a timely manner. Apply WAP analysis and monitor the application for file changes.
- Obtain contractual indemnification from the payment solutions provider for any payment card breach resulting from application code vulnerabilities.
- Ask the payment solutions provider for proof of technology errors and omissions (E&O) and cyber risk insurance.
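The recommendation above to monitor the application for file changes, and the web-skimmer section earlier, both come down to noticing when a checkout page or its scripts differ from what was deployed. The following is an added example, not code from the article or from The Hartford, of the simplest form of that control: record a SHA-256 baseline of the script and page files under a web root, then compare the current tree against it and report changed, added and removed files. The directory layout, file names and contents in the demo are constructed for the illustration; the file patterns and the helper names are assumptions of this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth baselining on a typical e-commerce web root (assumed set).
DEFAULT_PATTERNS = ("*.js", "*.html", "*.php")


def sha256_file(path):
    # Hash the file in chunks so large assets don't have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, patterns=DEFAULT_PATTERNS):
    # Map each matching file (path relative to the web root) to its hash.
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_to_baseline(root, baseline, patterns=DEFAULT_PATTERNS):
    # Re-hash the tree and report every difference from the recorded baseline.
    current = build_baseline(root, patterns)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    # Constructed scenario: baseline a tiny web root, then alter it the way an
    # unauthorised modification of the checkout script would, and add a file.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        checkout = root / "js" / "checkout.js"
        checkout.write_text("function submitPayment(form) { /* legitimate checkout code */ }\n")
        (root / "index.html").write_text('<script src="js/checkout.js"></script>\n')

        baseline = build_baseline(root)  # taken right after a known-good deploy

        # Simulated unexpected changes after the baseline was recorded.
        with open(checkout, "a") as f:
            f.write("// appended code that was not part of the deploy\n")
        (root / "js" / "extra.js").write_text("// new script not in the baseline\n")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is written out (for example as JSON) at deployment time and the comparison runs on a schedule or after every release; any result with a non-empty list should raise an alert, since on a checkout page an unexpected script change is exactly the symptom of the skimmer injection described earlier.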
Role of Insurance
Even with strong security in place, businesses can still be victims of costly cyber attacks. That’s why cyber risk coverage is important to help protect a business.
The Hartford has arranged for data privacy and cybersecurity legal experts to provide a one-hour consultation at no cost to The Hartford’s policyholders. Take advantage of the opportunity now.
As a policyholder of The Hartford, select Failsafe and CyberChoice customers can also receive complimentary ransomware prevention services.6 These services can help protect businesses against phishing attacks and open ports vulnerabilities, the root causes of nearly 90% of ransomware attacks.
Prevent phishing incidents with Mimecast training,7 a service that will train employees and provide phishing tests in whimsical yet impactful fashion. To help identify and address open port vulnerabilities, insureds have access to a Bitsight report, providing a measurement of a company’s cybersecurity performance. Bitsight offers policyholders a complimentary consultation to help a business understand and respond to the results where needed. For more information, contact an agent from The Hartford or visit our CyberChoice product page. For technology focused businesses, please visit the FailSafe Technology E&O site.
1 ACI Worldwide, “COVID-19: Global eCommerce Sales are likely to rise beyond the crisis and businesses need to prepare accordingly”
5 Part of The Hartford’s broad Cyber Services Portfolio.
7 Free access to security training from Mimecast is available for select insureds through Sept. 30, 2021.