A quick look at the recent news headlines reveals that the payments industry has been under attack. When I delved deeper into this story, I found a recent survey that also revealed that a large majority (84%) of payments industry professionals believe payments fraud is going to get worse – and soon.
Smaller companies that process online payments are enlisting the help of payment processors – like Stripe, Square, or PayPal – to help them meet stringent compliance standards like PCI DSS. But recent attacks suggest that outsourcing the card-handling step still leaves a significant risk that PCI compliance does not currently address: the third-party code running on the merchant's own checkout pages.
“The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular, the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps,” wrote Michael Bittner, digital security and operations manager at The Media Trust.
tCell researchers discovered that hackers can use Cross-Site Scripting (XSS) to steal payment information. Any script that runs in the page runs with the same privileges as the merchant's own code, so it can read every field on the checkout form the moment the customer fills it in. That means any web application component (like a chat window) can become an attack vector, yet very few non-payment components are built or reviewed to the standard a PCI-scoped component would be.
This is no longer just a theoretical attack: recently this approach was used against Magento e-commerce customers, and the British Airways breach used the same approach as well. I invited Matthew Gast from tCell onto my daily tech podcast to find out more about what companies can do to protect customers visiting their website or application from Cross-Site Scripting (XSS).
- Connect with Matthew Gast on LinkedIn and Twitter
- Learn more about tCell by Rapid7
- Follow tCell on LinkedIn, Facebook and Twitter
If you want to gather around a virtual campfire and have a chat or ask me a question, you can message me, leave a virtual voicemail or even buy your friendly podcast host a coffee.