Wednesday, 11 June 2008

Cotton Traders: Where’s the PCI DSS Compliance?

A couple of days ago a Manchester online clothing business, Cotton Traders, announced a data breach, brought about by a web application level "hack" of their website. The breach resulted in the compromise of customer personal details and credit card details. The Cotton Traders data breach underlines two significant issues in the UK: one is the lack of UK breach disclosure laws, and the other is that companies are still avoiding or ignoring PCI DSS compliance.

Lack of Disclosure
Although the breach was announced yesterday, it actually occurred way back in January 2008, and was supposedly fixed in a matter of hours, so there was no reason to keep it from the public right after it occurred. Six months passed before it was announced to the public; don't we have a right to know? What's more, there has been a lot of smoke and mirrors about this data breach: in one statement 38,000 credit card details were stolen, in another it was just one credit card, and in another it was only customer names and addresses. This is pretty bad considering they had six months to figure out what went on and how, so why can't they provide the clear facts of the matter? The upshot is that the public can't be certain what data (especially if it is their own) was compromised.

Furthermore there are no actual details of the cause of the breach; although it does appear to be an attack at the web application layer, I'd wager it was an SQL injection attack. Whatever type of web application attack succeeded, the real cause of the breach is not just the hacker, but Cotton Traders' bad web application (web site) code and/or poor web site hosting. Think about it: if you left the windows of your house open before going on a two week holiday and returned to find it burgled, you'd rightly blame yourself for not taking the security of your home seriously enough. The same applies to companies writing web application code and hosting web applications.

Another example of the smoke and mirrors is Cotton Traders stating "all of its customers' credit card information was encrypted on the website", which is misleading, as this web application breach is not about the web site using session encryption (https), but about whether the card details are encrypted in the backend database, what type of encryption is employed on the stored card data, and the process around it (key management). Far too often companies use "it was encrypted" as a kind of get out of jail card, without telling the public the actual details of the encryption used. Encryption is not the magic security bullet! For example, an https (encrypted) web session offers very little protection against a web application level attack, which targets the web site code and the backend database: the application itself terminates the encrypted session, so anything the application can read from the database, an attacker driving the application can read too.
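As an added illustration of the two points above (example code, not code from the original post, and nothing is known about how the Cotton Traders site was actually built): the string-concatenated SQL pattern I'd wager was behind the breach, the parameterised query that stops it, and what "encrypted" does and does not buy you. Everything in it is constructed for the demonstration: a toy customer table, the standard test card numbers used in payment sandboxes, and a textbook tautology payload.

```python
import sqlite3

# Constructed sample data standing in for a shop's customer table.
# This is not Cotton Traders' schema or data; the card numbers are the
# well-known test PANs that payment sandboxes accept.
CUSTOMERS = [
    ("alice", "alice@example.com", "4111111111111111"),
    ("bob", "bob@example.com", "5500000000000004"),
]


def make_db(store_full_pan=True):
    """Build an in-memory database; optionally store only a truncated PAN."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    for user, email, pan in CUSTOMERS:
        # PCI DSS Requirement 3.4 allows truncation (e.g. last four digits)
        # instead of storing the full PAN; then there is nothing worth stealing.
        stored = pan if store_full_pan else "*" * (len(pan) - 4) + pan[-4:]
        db.execute("INSERT INTO customers VALUES (?, ?, ?)", (user, email, stored))
    return db


def lookup_vulnerable(db, username):
    """Builds the query by string concatenation: the classic injectable pattern."""
    sql = ("SELECT username, email, card FROM customers "
           "WHERE username = '" + username + "'")
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT username, email, card FROM customers WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Tautology payload. In the vulnerable version the WHERE clause becomes
#   username = '' OR '1'='1'
# and every row in the table comes back.
PAYLOAD = "' OR '1'='1"


def leaked_cards(lookup, db, username):
    """Return just the card column from whatever a lookup hands back."""
    return [row[2] for row in lookup(db, username)]


if __name__ == "__main__":
    # The attacker sits on a perfectly good HTTPS connection in every case;
    # transport encryption has no bearing on what the application returns.
    print("vulnerable, full PANs stored:     ",
          leaked_cards(lookup_vulnerable, make_db(True), PAYLOAD))
    print("vulnerable, truncated PANs stored:",
          leaked_cards(lookup_vulnerable, make_db(False), PAYLOAD))
    print("parameterised, payload:           ",
          leaked_cards(lookup_safe, make_db(True), PAYLOAD))
    print("parameterised, legitimate user:   ",
          leaked_cards(lookup_safe, make_db(True), "alice"))
```

Run it and the vulnerable lookup hands back every row, card column included, while the parameterised lookup returns nothing for the payload and only Alice's row for a real username. The https session plays no part: the application terminates TLS, runs the query and returns whatever the database holds, so the only thing that limits the damage is what was stored (full card numbers, or a truncated form that PCI DSS Requirement 3.4 permits). Proper at-rest encryption with a key the application uses only for the few operations that genuinely need the full number is the other option, and the key management around it is precisely the detail a "we encrypt" statement ought to be giving.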

PCI DSS Compliance
Cotton Traders have said nothing about whether they were/are Payment Card Industry Data Security Standard (PCI DSS) compliant. Any company which takes card payments online in the way Cotton Traders do must be PCI DSS compliant, a requirement which came into force from June 2007. I have to assume Cotton Traders were not compliant at the time of the attack. Why? Well, if they were, I'm sure they would have stated that fact, and in such circumstances they would rightly have hidden behind PCI DSS and blamed the PCI standard. Also, if Cotton Traders were PCI DSS compliant the chance of a web application attack being successful would be very small. Why? Because PCI DSS requires an annual penetration test of the web application (Requirement 11.3), quarterly external vulnerability scans (Requirement 11.2), secure coding against the OWASP vulnerabilities, SQL injection included (Requirement 6.5), and either a web application code review or a web application firewall in front of the site (Requirement 6.6, a best practice until 30 June 2008 and mandatory thereafter). Used and acted upon, these significantly reduce the risk of exploitable vulnerabilities at the web application layer.

I don't know the facts about this breach because they haven't been disclosed, but if Cotton Traders were not PCI DSS compliant, then many PCI experts would say they were being negligent.

Hacking Trends
The major ecommerce operators are fully wise to web application security, operate in a secure professional manner, and are PCI DSS compliant. Because of this the hackers are targeting the lower-hanging fruit: smaller ecommerce companies like Cotton Traders, some of which don't understand the importance of public facing web site security and the significance of PCI DSS, and which will be subject to these types of attacks and breaches.

5 comments:

Josh Weitzner said...

If I operate a small ecommerce website that sells recurring subscriptions using a proprietary shopping cart, how do I go about getting PCI compliant without it costing me an arm and a leg? I assume PCI wasn't implemented to put small ecom operations out of business due to the high cost of becoming compliant. Thanks for any insight.

Dave Whitelegg CISSP said...

Any merchant handling fewer than 6 million transactions annually will need to complete the PCI DSS Self Assessment Questionnaire. https://www.pcisecuritystandards.org/saq/instructions.shtml But this is not so straightforward, as the security overhead to meet PCI DSS requirements (i.e. web app scanning) for a small self-run e-commerce website will be high.

So my recommendation is to outsource the payments to a third party payment provider, which effectively outsources all of the expensive security requirements, including web security, as well as the actual PCI DSS compliance. As long as you don't handle any of the card payments anywhere else, you don't need to be PCI DSS compliant.

For example see Paypal - https://www.paypal.com/pcicompliance

john cowell said...

It might be a coincidence but we had our credit cards compromised at this time and they had to be re-issued with a new number. I feel that Cotton Traders have become complacent with their success as I recently ordered shoes which were at least 3 sizes too small although they said size 9 on them; they refunded but refused to pay my return postage. Their quality has, in our opinion, gone right down and goods have been very much "Far East" in quality! We have complained & cancelled their catalogues, but not a word of apology from them!!
John Cowell

Paul Grimster said...

If rather than taking a payment online, I ask for card details, then generate an e-mail containing these card details in 128-bit encrypted form, and then finally at my end use my personal encryption key to decrypt the card details in the e-mail, does this violate PCI DSS? My understanding is that PCI DSS applies to the storage of card details online, which I am trying to avoid.

pci compliance said...

It is certainly an issue of vulnerability wherein web applications are vulnerable to attacks. They stand to improve their security interface after this incident.