Considering the ongoing onslaught of payment system breaches, one of the things that operators of online shopping systems might want to evaluate is the security of their own shopping cart software.
Certainly it ought to be a very difficult thing to infiltrate a retail store’s ostensibly private network of point of sale terminals, and yet, we’ve seen it happen time and time again over the past year. Now imagine the much simpler task of infiltrating a website where the front door is already open to the world’s most ambitious criminals.
In fact, last month our stalwart source of information on these breaches, Brian Krebs, found himself reporting on a breach of his own publisher’s online bookstore, specifically the shopping cart software. You can be sure that there will be more to follow.
Why are shopping carts problematic?
Shopping cart software for websites is probably one of the most ubiquitous components of a website available for the taking, and that may be a major problem. It’s fairly simple software from a design perspective, but its simplicity may well be a contributing factor to its lack of security. Dozens of individual developers and small development companies have written shopping cart software.
However, generally speaking, it’s difficult to write very secure software and shopping cart software has additional special needs. Because it contains credit card information, personally identifiable information (names, billing addresses, etc.), and purchasing history — which in certain circumstances could be valuable to some attackers — shopping cart software needs to be especially impervious to a breach.
Making highly secure software requires investment, the kind of investment that individual software developers and even small startups may not be able to afford. Getting secure shopping cart software may also require a more significant investment on the part of online store operators as well.
Not just the software, the hardware too
Another consideration is the environment in which a shopping cart is running. Unlike point of sale networks, which, as noted, should be on private networks (but apparently aren’t in many cases), a shopping cart does not have the luxury of being on an isolated network; it has to be “Internet accessible.” So, not just the software, but also the related systems carry a notable amount of risk.
How chip-based cards will shift the focus
Finally, with the coming shift to chip-based cards, there’s a strong probability that cybercriminals will look for easier targets than retailers. In fact, looking at other Group of Twenty countries who have implemented chip-based cards, that’s exactly what’s happened—the attacks moved to online sellers.
The question becomes, is the risk significant enough that perhaps it’s time to outsource the shopping cart components of your online store? At the very least, it’s worth some serious consideration. Outsourcing to a service provider who’s equipped to make the necessary investments in infrastructure and software security, plus who can properly deal with the requirements of PCI-DSS compliance and accept the requirements and risks of providing proper credit card data security, is one way to perhaps stay one step ahead of the cat and mouse game of cybersecurity.
If not outsourced, at least monitor!
If you do choose to continue to maintain your own online shopping cart system, be sure to equip that environment with the necessary auditing and monitoring tools so that if you are attacked, you’ll know about it when it starts, rather than months after your entire customer database has been dumped to a bad guy’s desktop. The only thing I find more disgusting than the existence of these breaches is that most of the organizations that have been attacked were clueless about the breach until long after the damage was done.