The PCI Security Standards Council and Retail and Hospitality ISAC have joined forces to highlight the growing threat of online skimming attacks, such as Magecart.
“These attacks infect e-commerce websites with malicious code, known as sniffers or JavaScript sniffers and are very difficult to detect,” an alert stated. “Once a website is infected, payment card information is ‘skimmed’ during a transaction without the merchant or consumer being aware that the information has been compromised.”
As the attacks impact either e-commerce websites directly or a third party’s software libraries, which merchants rely upon, “these service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.”
Troy Leach, chief technology officer, PCI Security Standards Council, said: “We have heard from many of our stakeholders in the payment community that these types of attacks are a growing trend for many businesses, large and small. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the retail and hospitality sector who battle these threats daily.”
The alert warned that any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. “There are ways to prevent these difficult-to-detect attacks, however,” said Leach. “A defense-in-depth approach with ongoing commitment to security, especially by third-party partners, will help guard against becoming a victim of this threat.”
Carlos Kizzee, vice-president, intelligence at the Retail and Hospitality ISAC, added that these attack techniques are of increasing significance to the retail and hospitality industry, and it is important that businesses grow their awareness of the nature of these attacks and of the security controls necessary to detect and defeat them.
Kizzee said: “The bulletin we are jointly issuing today should be a call to action to those in the business community to enhance their awareness of and vigilance against these techniques. No one should presume that they couldn’t or won’t be used to target their enterprise.
“We must endeavor to ensure that focused attention, commitment and peer collaboration in e-commerce cybersecurity efforts within the retail and hospitality industry outpaces the growth and evolution of threats such as these.”