Magento – eBay’s e-commerce platform – is becoming an increasingly attractive target for criminals. In April, I reported on a critical remote code execution vulnerability affecting up to 200,000 eBay stores, which allowed attackers to gain access to stores’ databases – including payment card data. Now, it emerges that criminals are stealing payment card data from Magento using a variety of code injection attacks.
Sucuri’s Peter Gramantik reports that criminals are “exploiting a vulnerability in Magento core or some widely used module/extension. Using this vector, the attacker is able to inject malicious code into the Magento core file.” Once the code has been injected, the attacker “gets the content of every POST request”, which contains “data being sent to the server for storage” – including cardholder data.
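File-integrity monitoring is the standard defensive check for the tampering described above (and is what PCI DSS Requirement 11.5 asks for): hash every code file on a known-clean install, then compare the live tree against that manifest so a modified core file or a dropped-in script shows up. The following Python is an added example, not code from Sucuri, IT Governance or Magento; the Magento-style file paths in it are constructed stand-ins for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".php", ".phtml")) -> dict:
    """Record a hash for every code file under root. Run this on a known-clean install."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the stored manifest; report modified, missing and added files."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a tiny stand-in Magento tree is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Stand-in for a Magento core file (path constructed for this demo).
        core = root / "app/code/core/Mage/Core/Controller/Request/Http.php"
        core.parent.mkdir(parents=True)
        core.write_text("<?php\nclass Mage_Core_Controller_Request_Http {}\n")
        manifest = build_manifest(root)  # baseline taken while the tree is clean
        # Simulate the attack the post describes: extra code appended to a core file,
        # plus a new script dropped alongside it.
        core.write_text(core.read_text() + "// injected\n")
        (root / "app/code/core/Mage/Core/dropper.php").write_text("<?php\n")
        return verify(root, manifest)
```

In practice the manifest is stored off the web server (an attacker who can edit core files can also edit a manifest kept beside them) and the comparison runs on a schedule, with any non-empty result raised as an alert.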
PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) was set up by the payment brands Visa, MasterCard, Discover and JCB to reduce payment card fraud. The Standard sets out security requirements for storing, processing and transmitting cardholder data.
As the Payment Card Industry Security Standards Council (PCI SSC) says: “Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.” This means that merchants who use Magento are responsible for the cardholder data they process – even if they outsource the payment process to a third party such as PayPal.
(For more information on outsourced e-commerce and the PCI DSS, see this blog by IT Governance’s head of technical services, Geraint Williams.)
IT Governance is a PCI QSA (Qualified Security Assessor), and provides a range of solutions to help merchants comply with their security obligations. Whether you need guide books or consultancy, training or toolkits, IT Governance has all you need to ensure your PCI DSS compliance.
For more information on the PCI DSS, download our free green paper PCI DSS v3.0 & 3.1: What has changed?, visit our PCI DSS webpages, or call us on +44 (0)845 070 1750 or email firstname.lastname@example.org to discuss your PCI DSS needs.