Resolving a Suspected Breach
We understand the stress that comes with realizing your customers’ payment data is being stolen.
However, there are steps that you can take to make your breach process less stressful. We have helped numerous merchants successfully resolve their data incidents. Drawing from our 20+ years of experience, this document assists merchants who are suspected of losing payment data.
Identifying Payment Data Theft
When criminals use stolen payment data to obtain goods or services and the actual cardholder reports it, these fraudulent purchases are reported to the card brands, who use the data to identify the merchants whose card data was most likely stolen. Such a merchant is commonly labeled a Common Point of Purchase (CPP).
Today, merchants who offer ecommerce or internet purchasing are among the organizations most targeted for payment data theft.
Card brands have a duty to protect their customers from having their data stolen or fraud perpetrated against their accounts. Identifying the sources of stolen payment card data is part of their approach. The PCI Data Security Standards are in place to help prevent this data from being stolen, but once data has been stolen the card brands are obligated to stop further losses.
Payment Industry - Response Approaches
Payment brands want to stop further payment data loss as soon as possible.
Across the major payment card brands, merchants are commonly required to complete one of four possible approaches (i.e., questionnaire, Shopping Cart Inspect, incident response forensics, official PCI forensic investigation) in order to resolve a suspected payment data breach.
If one approach does not yield the desired success, a subsequent approach is commonly requested. Each successive approach brings increased technical assistance to help the merchant and potentially higher costs to the merchant. The objective for merchants is to permanently resolve payment data losses as early as possible, as the last of these approaches can include a collection of additional fees and costs.
The card brands are under no obligation to require these approaches in cost-progressive order. They make their own determinations depending on the volume of suspected card losses, fraud losses, a merchant’s cooperation, or any other criteria they deem appropriate.
1. Questionnaire
Filling out the payment card brand questionnaires is typically the first step when merchants are suspected of having their payment data stolen. The payment card brands’ questionnaires have some similarities, and all share the objective that merchants identify and resolve all issues related to their suspected breach and report accordingly.
2. Shopping Cart Inspect
If an ecommerce merchant responds to the questionnaire and payment data continues to be lost, a card brand may require the organization to use Shopping Cart Inspect. Other acquirers may also recommend this service for merchants struggling to identify what contributing factors led to a compromise.
Shopping Cart Inspect uses patented processes to analyze an online purchase within customers’ browsers. It also checks for misdirected or redirected credit card data, which is a clear indication of a breach.
Shopping Cart Inspect has a track record of identifying key vulnerabilities which other cyber security services do not find. Shopping Cart Inspect costs much less than an Incident Response Forensics investigation, with the added benefit of having nothing to install.
3. Incident Response Forensics
This forensics service is often requested by merchants who have answered the questionnaire, yet who continue to lose credit card data (but the losses do not yet require an official PCI Forensics investigation).
Such merchants should use a qualified forensics firm to help identify the issues contributing to their data loss and to advise them on how to eradicate further payment data losses. Many payment processors request that merchants use an authorized PFI organization for this investigation.
EU merchants may have certain reporting requirements if a specific EU payment brand is involved. Other regions are not known to have formal reporting requirements other than acknowledging and reporting they have completed their investigation.
4. Official PCI Forensics Investigation
Commonly, this investigation is required when certain significant thresholds of data are identified as having been exposed by or stolen from a merchant, when the card brands determine it to be a requirement, or when the other steps (i.e., questionnaire, Shopping Cart Inspect, incident response forensics) have been performed and data continues to be lost by a merchant.
This investigation must be performed in accordance with documentation created by the PCI Security Standards Council (PCI SSC). This investigation can only be performed by an authorized PCI Forensic Investigation (PFI) vendor that the PCI SSC certifies and manages.
This is normally the most expensive possible step for merchants as the investigation costs are higher and are potentially accompanied by fees and penalties from the payment brands.
Participate Fully to Resolve the Issue
SecurityMetrics recommends that organizations cooperate fully with those who have been designated to approach the merchant with these cases and subsequent requirements. Your payment processor or card brand may have their own requirements to resolve these cases.
Non-cooperation can have negative financial consequences on merchants. For example, merchants can have their right to receive electronic payments removed.
Incident Response Approach Options
There are three important issues to consider and resolve in cases where criminals have gained unauthorized access to your payment data.
How was access to the data attained? Identify which vulnerabilities were exploited, giving the attacker access to your systems. These vulnerabilities must be identified, hardened, and remediated to not allow further exploitation.
How was the data stolen? Even if you stop further exploitation of software vulnerabilities, the attacker still may have modified your systems by installing malware to steal and transmit stolen data to criminals. A thorough search for malware needs to be conducted. Discovered malware needs to be removed to stop further loss of payment data.
Were any additional access methods installed? Once a criminal gains access, they may install additional methods of entry into your system. These are known as back doors; they are typically well hidden and may require special training, tools, or professional assistance to identify.
If any of these three issues continue to exist and are not resolved, hackers will continue to steal your data.
Three resolution approaches exist to address exploited software or systems:
Investigate and remediate existing systems:
This approach has the potential to be the least costly and fastest to resolve, depending on the nature of the attack and the sophistication of the attackers.
However, low cost and speedy resolutions are not guaranteed as hackers’ attack methods and obfuscation tactics regularly become more sophisticated.
Change or discontinue electronic/online payment acceptance: Changing to a full redirect for payment acceptance may be needed. A full redirect for payment acceptance is where the consumer is sent to a separate, third-party website for payment.
Discontinuing online payment acceptance is the least common approach. We have only seen this in cases of extremely low transaction quantities and/or very exclusive products or services. Many consumers expect simplicity when purchasing online.
Rebuild your solution: WARNING: If you choose this approach, ensure that all software for the new system is verifiably clean and free of potential malware. If a new system is built and one or more infected portions of the previous system (including any database server) are copied into the new system (or continue to be used from a third party), you may continue to suffer data losses.
This most often occurs where the existing solution is known to be reliant upon an old or known-vulnerable technology, and a major technology uplift is required. It is commonly avoided due to the extent of labor and cost associated with bringing this new solution online.
Common Attack Scenarios
Here are three common attack scenarios that might have been the cause of the data breach:
Exploited Software or Systems
The most common exploitation SecurityMetrics observes arises from software vulnerabilities within a merchant’s ecommerce system, which are exploited to steal payment data and/or other personally identifiable information from your customers.
Common attack methods after exploiting a vulnerability include:
Injecting scripts that steal the payment data from the customer’s browser experience
Capturing payment data passing through the web server’s system memory
Infected third-party applications
Many cyber security tools exist to identify vulnerabilities or malware activity. Consider using a broad cross section of tools and experts to identify system and software weaknesses, then fix all identified weaknesses.
Cyber forensics tools and/or services may be needed to identify the specific attacks being perpetrated in your systems. Where possible, research the breadth and depth of cyber forensics vendors as you consider assistance.
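As an added illustration that is not part of this document or SecurityMetrics’ tooling, the following Python script audits a checkout page’s HTML for script sources, iframes, and form actions that point at hosts outside an allowlist of the merchant’s own domain and its payment processor, which is the kind of misdirected payment flow described above. The allowlist, hostnames, and sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the merchant's own checkout host plus its payment processor.
ALLOWED_HOSTS = {"shop.example.com", "pay.processor.example"}


class CheckoutAuditor(HTMLParser):
    """Collects script sources, iframe sources and form actions from checkout HTML."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # (tag, attribute, url, resolved host)

    def _record(self, tag, attr, url):
        # Relative URLs (no hostname) resolve to the page's own host.
        host = urlparse(url).hostname or self.page_host
        self.findings.append((tag, attr, url, host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self._record(tag, "src", attrs["src"])
        elif tag == "form" and attrs.get("action"):
            self._record("form", "action", attrs["action"])


def find_unexpected_destinations(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) for every destination whose host is not on the allowlist."""
    auditor = CheckoutAuditor(page_host)
    auditor.feed(html)
    return [(tag, url) for tag, _, url, host in auditor.findings if host not in allowed_hosts]


# Constructed sample checkout page: a first-party script, the legitimate processor
# iframe, an unknown third-party script, and a form whose action points at a
# look-alike host rather than the processor.
SAMPLE_CHECKOUT = """
<html><body>
<script src="/static/cart.js"></script>
<script src="https://cdn-stats.example.net/a.js"></script>
<iframe src="https://pay.processor.example/hosted-fields"></iframe>
<form id="payment" action="https://pay.processor-example.net/collect" method="post">
  <input name="card_number">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_unexpected_destinations(SAMPLE_CHECKOUT, "shop.example.com"):
        print(f"review: <{tag}> points to {url}")
```

Run the same check against a known-good copy of the page and diff the results; a new destination appearing between runs is the signal worth investigating.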
Important Note: Ecommerce merchants who have been validating PCI compliance using
SecurityMetrics recommends that you begin with a PCI ASV scan to potentially identify security issues within your website. If any serious issues are identified, work expeditiously to get these resolved.
You can also review the new PCI DSS 4.0 SAQ A or even SAQ A-EP for an enhanced list of security practices that could strengthen the security of your website and even potentially thwart further abuse of your ecommerce solution.
Spoofed Websites
A growing number of cases involve criminals creating and advertising duplicate websites of a merchant’s own ecommerce store to trick consumers into purchasing products from the rogue website.
After harvesting the customer's confidential payment information, the spoofed site will facilitate passing purchase data to the merchant’s processor or will use automation to process the customer’s order on the merchant's website.
To begin identifying a spoofed website, search for alternative purchase options for your products and services. This may be a look-alike site, similar to your ecommerce website.
Once you locate a spoofed site, conduct a technology review to ascertain how the valid transaction data is being passed to the merchant’s systems.
Remediation is then a matter of changing system behaviors so that transaction data submitted by the criminals is detected or rejected.
If you discover a spoofed website, report it to:
For US organizations, the FTC (https://reportfraud.ftc.gov/#/)
For UK merchants, the National Cyber Security Centre (https://www.ncsc.gov.uk/section/about-this-website/report-scam-website)
Human Physical Access
It is possible that company staff, vendors, or someone with physical access to sensitive systems or data may be stealing or facilitating access to payment data.
Anyone with direct physical access to systems that handle sensitive data (or who controls such access) may be able to introduce software into the system to facilitate the theft of sensitive data.
This type of investigation involves cross-referencing human activity against access to the stolen data from physical cards, or against access to the systems involved in the card data theft.
Be sure to record all evidence of a breach, as criminal proceedings could follow and may require this data.
SecurityMetrics Forensics Solutions
SecurityMetrics has provided cyber forensics assistance since 2001.
SecurityMetrics provides free advice to those suspected of a breach, as well as paid forensics services for merchants and service providers.
Suspected Breach Advisor (Free): The objective is to point you in the right direction to further investigate a source of breach.
This service is simply a telephone or video chat with our team. This document is foundational to our advice.
SecurityMetrics Shopping Cart Inspect ($): The objective of this forensics service is to identify irrefutable evidence of a breach or key issues, which if resolved, will strengthen the security of the website and contribute to stopping further data losses.
This service is an analysis of only the client/browser data from an ecommerce experience.
Incident Response Forensics ($$): The objective of this investigation is to identify sufficient issues that, when remediated, will prevent further data losses.
The investigation includes an analysis of the web server and client/browser environments, components, functionality, and logs. Minimal formal reporting is performed, if needed.
Official PCI Forensics Investigation ($$$$): While stopping further data losses is the primary objective, accompanying PCI SSC requirements significantly increase the breadth, depth, and expense of this investigation.
The components of this investigation are dictated by the Payment Card Industry Security Standards Council (PCI SSC) and must use the official PCI Final PFI Report template.
Numerous merchants of all sizes have gone through the process of dealing with a compromise. We encourage you to be methodical, thorough, and honest with yourselves regarding your security situation.
Feel free to reach out to us should you wish to learn more about tools, techniques, and solutions to protect the technology portion of your business.
For forensics-related discussions with SecurityMetrics, please call 801-705-5683 or email firstname.lastname@example.org.
We secure peace of mind for organizations that handle sensitive data. We hold our tools, training, and support to a higher, more thorough standard of performance and service. Never have a false sense of security.™
We are a PCI certified Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), PCI Certified Forensic Investigator (PFI), and Managed Security provider with over 20 years of data security experience. From local shops to some of the world’s largest brands, we help all businesses achieve data security through managed services and compliance mandates (PCI, HIPAA, GDPR, HITRUST). We have tested over 1 million systems for data security and compliance. We are privately held and are headquartered in Orem, Utah, where we maintain a Security Operations Center (SOC) and 24/7 multilingual technical support.