How does a payment data breach occur through an e-commerce site?

According to the Identity Theft Resource Center (ITRC), the majority of data breaches in 2016 were due to hacking/skimming/phishing (29.5%). The data types siphoned off were mostly personally identifiable information (PII) such as Social Security numbers (SSNs), names and dates of birth, as well as sensitive payment data. Data breaches have become regular news in the security world, and it is no longer a matter of if an organization will suffer a data breach but when.

The latest victim was Gamestop.com, which was targeted by hackers via its website. Sensitive credit card information was stolen along with customer PII. Brian Krebs noted on his security website that “based on a few sources, Gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017.” It can’t be a coincidence that this breach spanned the busy holiday shopping season. He also noted that in addition to names and addresses, the hackers took credit card numbers with expiration dates and the card verification number (CVC2/CVV2, the three-digit security code).

How do these breaches occur?

One way is that hackers siphon these data sets from the merchant’s website by placing malicious software (malware) in the e-commerce site itself, so the data is captured as the customer enters it, before it ever reaches the business’s back-end web servers.

You might ask how this can happen. If you are security savvy, you would expect the business to have used a secure transport channel such as Secure Sockets Layer (SSL) / Transport Layer Security (TLS), commonly known as SSL/TLS, which is the standard security measure any organization would have implemented. It is imperative for enterprises to understand that while businesses may use standard secure transport channels, that alone is not enough to protect the data.

SSL/TLS are cryptographic protocols that provide communications security over a network. What matters in this context is that while they provide a secure transport tunnel for data to flow through, that tunnel only runs from one point to another. Once the data reaches the other side (application, server or load balancer) it is decrypted and travels the infrastructure in clear text, ripe for the taking. And while SSL/TLS does protect data in motion, it is not foolproof either: quite a few vulnerabilities in it have been reported.

What can be done?

How can businesses mitigate these data breaches? Data-centric security is the right strategy: it secures the data at the point where it is entered (web browser, mobile or any other application). Data needs to be protected through its complete flow, both in motion and at rest. The best approach is to encrypt the data while in motion and tokenize it at rest. This way, in the event of a breach, the data is encrypted and therefore useless to the hackers.

Format-Preserving Encryption (FPE) is an encryption technique that preserves the format of the data it encrypts. It transforms data formatted as a sequence of symbols in such a way that the encrypted form has the same format and length as the original. FPE is based on strong FFX (Feistel-based) encryption modes. FF1 is a NIST-approved encryption mode derived from the AES 128-bit block algorithm.

HPE SecureData Web and HPE SecureData Mobile are based on FPE data-centric technology and the patented HPE Page-Integrated Encryption (PIE). PIE encrypts the sensitive payment data using a random key generated by the back-end server and loaded through JavaScript in the merchant payment page in the browser, or through native mobile OS (iOS and Android) libraries integrated into the merchant mobile application. This provides end-to-end data protection from the source end-point of the application until the data reaches the trusted back-end host. It can be combined with a Hardware Security Module (HSM) to provide a hardware-backed root of trust.

HPE SecureData Web and HPE SecureData Mobile have been technically assessed by Coalfire Systems Inc., a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA), with respect to PCI DSS 3.2. Based on that assessment, these solutions provide approximately 70% – 94% PCI scope reduction, depending on a properly designed and deployed solution. The best part is that the encryption is transparent to the user (consumer), so the shopping experience does not change in any way. Merchants can host this solution to gain PCI scope reduction while retaining flexibility, since it does not tie them to a specific payment gateway, giving them more control over their security.

In conclusion, we understand that data security is a complex challenge and that it is hard to know whether you are following the right security strategy to protect your enterprise, data and business. We at HPE Security – Data Security understand the challenges involved and have solutions to help you and your enterprise. Adopting data-centric security helps by mitigating the impact of a potential data breach and by providing PCI scope reduction. Your name in public should be associated with growth rather than a breach.
