Safer online payments. Small business payment security survival guide

Transcription

1 Safer online payments Small business payment security survival guide 2015

2

3 2 Are you an e-retailer? If so, you re part of a growing trend in the UK In 2014, the UK saw online sales exceed 10bn per month, peaking in November as shoppers spent a whopping 10.1bn on their favourite websites 1. For small businesses, getting online is a great way to increase revenue. It can open up your business to new markets, drive profits and diversify your customer base. Increasing numbers are also tapping a growing demand for m-commerce with mobile payment pages to encourage customers to shop on-thego via their smartphones and tablets. Sales via smartphones and tablet devices also grew 55% compared to 2013, and nowadays over a third of online sales in the UK are made using a mobile device 2. Yet while tech-savvy customers are demanding faster, online ways to buy your products and services, they also want to be reassured it s safe to do business with you. The UK market is unique, because whilst security practices are similar across Europe, Worldpay data shows UK businesses tend to attract a large number of data breaches. Fraud losses on UK cards totalled 450.4m in 2013, up 16% on the previous year 3. According to the Centre for Retail Research, the UK leads online retail with 13.5% domestic market share, exceeding the US, Germany and other European countries. With over 580,000 new businesses starting up in the UK last year, it s vital small businesses protect their online profits 4. There s no escaping the fact that small e-retailers are most at risk of suffering a data breach and that breaches are increasing. During , Worldpay investigations saw 85.7% of card data breaches happen to small businesses 5. Almost all breaches happen online, rather than at the Point of Sale, with less than 1% of in-store breaches investigated by Worldpay in the last four years 5. Fail to secure your systems and it could be a costly mistake: 1. In lost custom, bad publicity and industry penalties, if your website is hacked, or 2. In being left out of pocket if someone buys from you, using stolen card details. In addition, Worldpay figures found British businesses paid out nearly a million pounds over the past four years in investigating and fixing security issues as a result of card breaches. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is absolutely essential for any small business. Compliance will not only make it far less likely that you are breached, but it will also reduce your financial penalties if you happen to suffer a breach, especially if you have a track record of strong security practices. 1 Retail Week 2 CapGemini 3 Financial Fraud Action UK 4 Start Up Britain 5 Figures are based on card data breaches which occurred for Worldpay customers during

4 3 Key points about compliance: PCI DSS is a set of guidelines designed to keep card data safe and secure. It was created by the five major card brands American Express, JCB, MasterCard, Visa and Discover to combat the growing problem of card data theft and fraud. It s designed for any business that accepts credit and debit cards and stores, processes or sends card data. The 12 core steps of PCI DSS are designed to keep your business safe from most data breach incidents. Compliance will also excuse you from a potentially serious fine if you get hacked and lose card data 6. Right now, there is no legal obligation to tell your customers if you ve suffered a breach. However this is likely to change in the next few years as Europe introduces laws which will require businesses to tell their customers if their card details have been stolen. How does it all work? Many businesses don t understand why they should comply with the PCI security standard. This is understandable as most e-retailers aren t information security experts. With automated toolkits now available to hackers, they scan thousands of businesses every day, looking for card data. Sooner or later, if not already, your website will be probed for security holes. If you do nothing, taking the if it ain t broke don t fix it approach, then your security will soon be out of date and you ll become an easy target. All card data used for fraudulent transactions has to originate somewhere. Sometimes it can be a stolen card from a wallet, maybe an infected personal computer, but these represent only a very small number of cards. It s more likely that the origin of stolen card data is a business that has been hacked with hundreds, maybe thousands, of cards in the hacker s possession. Typically these details are sold to specialised criminals working on underground websites and attempting transactions with the stolen credentials. So as a business, even if you haven t suffered a breach, you ll be suffering part of the fallout every time you receive a fraud chargeback 7. 6 In the event your business suffers a single card data breach, Worldpay will waive our right to pass on any subsequent fines/charges up to 35,000 ( 43,000) for those customers who have complied with our PCI DSS programme i.e. completed the questionnaire and followed any steps needed to meet the standards. 7 A 'chargeback' is money you must pay back to a customer (via their bank) if for example, the customer claims a transaction was fraudulent, and their bank agrees.

5 4 How bad is the problem in the UK? The harsh reality is that: Card data breaches by industry sector % of data breaches happen to small businesses processing up to one million in-store payments per year per card brand (like Visa), or up to 20,000 online/mail order/telephone order payments 8. Across companies of all sizes, 99.3% of all breaches are online, rather than in-store 8. Every year there are two peak periods for data breaches between February-April, and August- October. Around this time of year Worldpay typically see data breaches increase by up to 80% 8. 97% of card data breaches are experienced by businesses hosting their own payment pages (using direct XML integration with a payment processor) 8. Data breaches are ALWAYS worse than you imagine; they interrupt normal business, and divert resources taking a lot of time and money to sort out. During , each breach exposed an average of 284 days worth of card payments Worldpay actually saw breaches lasting between 11-1,723 days 8. A breach for over 4.5 years might sound dramatic, but this isn t usually the case. If a business is storing card data, either by accident or on purpose, then hackers only need a few hours to steal it. 16.3% Clothing and Footwear 11.6% Jewellery, Beauty & Gifts 2.3% Electronics 23.3% Entertainment, Hobbies & Leisure 7% Food and Grocery 7% Motoring 9.3% Services 4.7% Travel 11.6% Homeware & DIY 7% Other 9 Figures are based on card data breaches which occurred for Worldpay customers during In 2014 the average fell to 251 days, showing that businesses are getting better at detecting when their website has been hacked 8. 8 Figures are based on card data breaches which occurred for Worldpay customers during

6 5 What are the most common causes of data breaches? Ever since data breaches first began, SQL Injection has been the most popular attack type, making up 15% of all card data breaches between 2011 and However, in 2013 this trend started to change, with malicious web shells emerging as the biggest threat to your business. In 2014 malicious web shells and malware were the most common types of attack, with SQL injection languishing in third place. Here s why you should care: On websites there is normally a free search text box you can use to enter words, with the expectation this will return pages on the website relating to the word(s) entered. Normally what this search function does is query the SQL database that sits behind the website to find matches. Without the proper controls in place hackers can enter SQL commands into the search function on your website and create error messages. The information in these error messages allows hackers to start piecing together how your SQL databases are built and then ask more directed queries, which results in extracting card data from your website. To prevent this type of attack you can use what is known as input validation. This restricts what can be entered into the search text box so hackers can t use malicious SQL commands.

7 6 In 2014, however, malicious web shells were the most common type of attack, accounting for 23.3% of all breaches. Unfortunately, these are harder to protect against, because hackers find vulnerability on your website, and then download a piece of software, usually in a type of code known as PHP, which sits there like a sleeper agent waiting to be woken up. Type of attack 9 The hackers then access the malicious web shell via a secret URL and ask it to perform activities like checking for card data on your website. The bad news is unless you are a cyber security expert you will struggle to prevent this. Using a reputable PCI DSS compliant web-hosting provider is an important step to protect against web shells. Although Worldpay doesn t have conclusive proof, we believe the surge in malicious web shell attacks was due to a single web hosting company being attacked, and a number of businesses suffering as a result. 2.3% 14% 23.3% 18.6% 11.6% 11.6% 11.6% 7% Third party provider Awaiting final report Malicious web shell(s) Malware Contaminated/destroyed crime scene or inconclusive investigation Investigated by another card processor SQL injection Business account closed 9 Figures are based on card data breaches which occurred for Worldpay customers during 2014.

8 7 What do I need to do to protect my business? It is your responsibility to keep the card payment data of your customers safe. Your payments provider will help provide guidance on how to do this. Once you have spoken with them, they should ask you to join a PCI DSS compliance program. To join the programme you ll need to complete a questionnaire, and take any follow-up steps, to reinforce your website. You ll be asked a range questions, between 14 and 288, depending on your website set-up. The more questions you are asked, the more risky the payments on your website are. Important: If you don t understand the questions being asked, then ask your payments provider for help confusing language should not stop you from protecting yourself. And answer the questions honestly if you skip or answer with a white lie this could show up in any forensic investigation if your website is hacked. What do I do if there s been a breach? The first thing to do is tell your payments provider. Once you ve done this, you ll need to: 1. Remove any old card data from all parts of your system 2. Outsource card payment processing to a PCI DSS-compliant third party provider 3. Provide a clean Approved Scanning Vendor scan; and 4. Complete a Self-Assessment Questionnaire (SAQ). You must get a PCI Security Standards Council approved PCI DSS Forensic Investigator to help you with these steps, and you have a 40 day deadline to complete them in.

9 8 How much could a breach cost your business? Very small businesses (fewer than 20,000 Visa or MasterCard online transactions per year) can sometimes be eligible for a lite investigation. The average cost is 5,000 ( 4,000) plus any remediation costs, which could cost 3,000-4,000. The cost to a small business not eligible for a lite investigation (i.e. a business with more than two servers or 10,000 cards-at-risk) is much larger. A standard investigation can cost 7,500-15,000 depending on the size of the online payments facility. This type of breach can attract at least a 10,000 ( 8,000) penalty. The highest penalty Worldpay saw a small business face in 2014 was 17,500 ( 14,000) for a single breach in the clothing sector. This is obviously a great deal of money but the situation could have been even worse. Last year, small businesses in the UK could have faced penalties of 397,500 ( 315,000), but Worldpay managed to reduce this to 245,000 ( 195,000) through good breach management and negotiations. How can I avoid a card data breach? 1. Take security seriously. Understand how your business stores, processes and/or sends card data. 2. Check that the only people who can look at card data are the 'ones that need to know'. 3. Unless you know exactly what you re doing, outsource your website payment facility to a third party provider get an expert to do it for you. Use them for ongoing data security and maintenance. 4. Install the latest patches for all servers, operating systems, applications, frameworks (Java,.NET etc.), content management systems and anything else running your online business. 5. If you don t need to run any of the above technology, then don t. Check you re not using unnecessary systems, as these could be forgotten about until hackers come poking around for holes. 6. Don t store any card data you don t need to, and encrypt any card data you need to keep. Don't store the three digit 'CVC' number on the back of the card. It's prohibited. 7. Change default passwords to make them as strong as possible. Don t use common words or anything that could be guessable. Instead, use numbers and a mix of upper and lower case letters and symbols. 8. Check your systems can only be accessed from a few sources e.g. approved static IP addresses. 9. Securely destroy all card data files and records when they re no longer needed (i.e. by pulping/ shredding/incinerating), or for electronic data, use software to properly delete information. 10. Test your firewalls at least every three months, or get a security professional to test them for you. Whilst there are no guarantees against hackers, taking these steps will help reduce the risk of your business suffering a card data security breach.

10 9 Points of interest: Business X was running a bespoke e-commerce platform which allowed for the storage of Sensitive Authentication Data. A genuine case study SME: Fewer than 20,000 card transactions per year Business X sold vehicle entertainment equipment. Initially a red flag was raised by one of its customers, who informed their bank of fraudulent spend on their card following a legitimate purchase with business X. The matter was passed on to the Financial Fraud Bureau, part of the UK Cards Association, and then to the Worldpay Payment Security Team. Business X was not PCI DSS compliant at the time of the incident. The business opted to engage the services of a PCI DSS approved Forensic Investigator (PFI) to complete a PFI-lite investigation, as the business was small and the number of cards at risk was low. The initial attack path was via malicious web shells which had been inserted into business X s website. The web shells ultimately allowed access to the database server, where the attacker downloaded a complete back-up copy of the server, which was believed to include around 100,000 encrypted card records. Log files were only kept for three months not a full 12 months needed by PCI DSS. At the time of the breach there were several websites running on the same server with limited segregation between them. The company was using a bespoke, non-pci compliant e-commerce platform, when it should have been using a payment page that met PCI DSS standards, which would not have stored card data. The investigation was complicated because the business hadn t maintained adequate log files, which should have been kept for at least 12 months. Multiple websites were running on one box and there was little in the way of network segregation, which meant hackers could have had access to multiple batches of card data. It took business X around six months to complete the investigation and reinforce their website to protect themselves from other hackers. As a result of the investigation and remediation activities they had to undertake, they were also left around 7,000 out of pocket, not to mention the time this took them away from running their business.

11

12 Worldpay is the leading payments provider in the UK and Europe. In 2013, Worldpay processed 44% of all UK card transactions (based on market data provided by the UK Payments Administration). Whilst Worldpay has fewer businesses suffering data breaches, compared to our market size, we have a unique oversight on most UK card data breaches. Contact information If you believe that you have been subject to a card data breach you should contact Worldpay for guidance. Worldpay UK Limited paymentsecurity@worldpay.com Worldpay All rights reserved. This report was compiled by Tim Lansdale, Head of Payment Security, and Graham Hutchings, Senior Data Breach Manager at Worldpay, who between them have over 14 years investigating card data breaches. This report is compiled entirely of first hand data, relating to the UK only. Any card data breaches outside of the UK are excluded, so this is an accurate reflection of the security you need to consider in this market. This document is for information purposes only of the intended recipient. We have taken care in the preparation of the information in this document but will not be responsible for any losses or damages including loss of profits, indirect, special or consequential losses arising as a result of any information in this document or reliance on it (other than in respect of fraud or death or personal injury caused by negligence). Terms and conditions apply to all our services. Worldpay (UK) Limited. Registered in England No Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AF. Worldpay (UK) Limited is authorised by the Financial Conduct Authority under the Payment Service Regulations 2009 (No ) for the provision of payment services and is authorised and regulated by the Financial Conduct Authority for consumer credit activities. Worldpay, the logo and any associated branding names are all trade marks of the Worldpay group of companies.