Unencrypted credit card storage on the rise

More websites stored unencrypted credit card payment information than ever this year, according to a recent report. I thought we had this figured out? Obviously this is a direct violation of Payment Card Industry Data Security Standard (PCI DSS) requirements. But seriously, this stuff is simple for the developers to fix, so why don’t they?

And if an estimated 71% of the websites in the study were found to store unencrypted payment information this year, up 8%, those same sites are also strong candidates for attacks such as SQL injection through improperly secured forms, which would then hand over the plain-text credit card data.

This year ESET security researchers are compiling observations from our “crystal ball” about what might hit the threatscape in 2012. But this report indicates we haven’t fixed some of the things we already know about. This threat has nothing to do with new, innovative, or particularly interesting attack vectors; it’s just plain obvious, and easily fixed. And the developers of the offending websites probably already know there is a problem.

A few years ago I was asked to review the code on the website of one of the more popular brick-and-mortar stores near where I live – a store in business since 1976 – and the owners are personal friends. After poking around a bit at their request, I let them know that they were in violation of their merchant account provider’s Terms of Service, along with PCI DSS, not to mention their customers’ expectation of safekeeping of their online order information. That, after a cursory review that showed plain-text credit card information dating back years stored in a simple database. They responded by saying they were too busy to do anything right away but would get around to it.

Just for grins, I asked about the situation almost a year later – no change. Of course, we understand that if they had a breach, the modestly-sized shop would be vastly under-gunned defending itself amidst the ensuing scrutiny. A security breach would have very real and long-lasting impact, damage the bottom line, and possibly result in staff layoffs during tough economic times.

Still they do nothing. And they’re not alone. I’ll ask them again in the coming months, even offer to help, despite them not showing an interest in help previously. It can’t happen to them, right?

Polite dinner conversation this year at non-geek events seems to focus on cybersecurity more and more. People want to know how safe their information is online, given all the headlines about criminal hacking, and what they can do about it. They want to know which websites are to be trusted, and how they can be sure. While the usual advice is to shop with familiar vendors with a long track record without security breaches, my friend’s store would meet both of those tests, and they even use a valid SSL certificate to encrypt traffic to the site. Does this mean they’re secure?

So before you spend the whole IT budget on the latest packet-sniffing security gadgets, it might be wise to look at the lower-hanging fruit, where big reductions in risk might cost you very little to implement. Encrypting credit card details is easy to do. Breaches are not easy to undo. So for the New Year, first focus on the simple. The price is right and we’ll all sleep better, including your customers if they’re better protected.
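As an added example that is not part of the article: one way to render the stored card number unreadable before it reaches the order database, using AES-GCM from Go’s standard library. The Vault and CardRecord names are mine, and the example assumes the encryption key is fetched from a KMS, HSM or secret store rather than living in the same database as the records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// CardRecord replaces the plain-text PAN column: readable last-4 plus base64(nonce || ciphertext || tag).
type CardRecord struct{ Last4, Ciphertext string }

// Vault holds the data-encryption key, which must never sit in the same database as the
// records; assume it is fetched from a KMS/HSM or secret store (assumption, not from the article).
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead}, err
}

// ProtectPAN encrypts a digits-only card number before it is written to disk.
func (v *Vault) ProtectPAN(pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	// last4 is bound in as associated data, so a swapped ciphertext or an edited Last4 column fails to decrypt.
	last4 := pan[len(pan)-4:]
	sealed := v.aead.Seal(nonce, nonce, []byte(pan), []byte(last4))
	return CardRecord{last4, base64.StdEncoding.EncodeToString(sealed)}, nil
}

// RecoverPAN decrypts a stored record; the GCM tag rejects any tampering.
func (v *Vault) RecoverPAN(rec CardRecord) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if n := v.aead.NonceSize(); err == nil && len(raw) >= n {
		pan, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(rec.Last4))
		return string(pan), err
	}
	return "", errors.New("malformed record")
}
```

A database dump then yields only last-4 digits and authenticated ciphertext, and an attacker who also edits the Last4 column or reuses a ciphertext on another order gets a decryption error rather than a card number. Not storing the PAN at all (letting the payment processor hold it and keeping only a token) removes the problem entirely and is the lower-risk option where it is available.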

Author, ESET

  • Jim

    VERY good article! Thanks for talking about the small/medium business situation. I'm SURE there are MANY more stories that are similar.

  • Cameron Camp

    Thanks for the kind words Jim. If the little guys did just a little more, we'd all be much safer.

  • Phil W

    It's not clear to me that there are any significant consequences from failing to encrypt credit card numbers. I may be biased by media reports that frequently refer to credit card database hacking but don't report punishment. But hotels, for example, seem particularly prone to this, so we're not talking about the more visible cases of 40 million stolen numbers. That's part of the problem, of course. If you give me your credit card and I lose it, you're the one that's in the lurch, not me, unless there's some real enforced consequences for me. Is the PCI DSS enforcement lax? Rhetorical question, I suppose, but 71% sure seems like more could be done.

  • Cameron Camp

    PCI expects merchants to encrypt, and asks them if they do. But normally after that the merchants are on the honor system for doing it, unless there's a breach; then auditors will want to know.

  • Tim K.

    I use disposable credit card numbers from Discover. If a number is compromised, it's no big deal for me. I highly recommend using disposable numbers for the very reason you mention in your post. This "no time" to fix it mentality is not just prevalent in the SMB sector, it's in Fortune 500 companies too. All companies have laid off and gotten so thin that there literally are no resources to even deploy applications correctly let alone "fix" existing applications.

Copyright © 2017 ESET, All Rights Reserved.