Fresh fears over online payment

Website owners who rely solely on the payment-card industry's security standard, the PCI DSS, could still be leaving themselves open to a major attack, because there are many other ways for an attacker to reach the card data.
That is the damning verdict of a security expert at security firm Trustwave's SpiderLabs, who says the rise in sophisticated malware means websites are far more exposed to attacks that come in through the back door: through weaker parts of the organisation's network rather than the payment system itself.
Currently, organisations such as retailers that handle card payment data are required by the major card brands to comply with the PCI DSS, but Trustwave's director of penetration testing, Rob Havelt, says compliance does not by itself guarantee the security of that data.
He said that businesses typically make so many mistakes in other parts of their operations that getting from one part of the network to the segment holding the payment-card data can be a simple matter.
He warned: “It’s not even just finding a vulnerability and throwing an exploit (targeted software) against it. There are things that people just do wrong that make it possible for an attacker to get in.”
He added that attackers who really wanted card details from an organisation would start with one of the common methods of getting onto the network, such as custom malware, weak passwords or malicious attachments, and then move across the network to the segment where the sensitive data is stored.
“It’s simple to do and it can be devastating,” he concluded.
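The two-stage attack Havelt describes, a foothold somewhere on the corporate network followed by a hop into the card-data segment, is exactly what a segmentation review tends to miss when it checks firewall rules one at a time. The following script is an added example, not code from the article or from Trustwave: it audits constructed flow-log lines against a hypothetical allow-list for a cardholder data environment (CDE), and then walks that allow-list as a graph to find segments that have no direct rule into the CDE but can still reach it in two hops. The segment names, address ranges, ports and log format are all invented for the example.

```python
"""Audit flows and segmentation rules for paths into the card-data segment.

Constructed example (not from the article): three hypothetical segments,
a hypothetical firewall allow-list, and a few hypothetical flow-log lines.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical network segments. A real estate has many more.
SEGMENTS = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),   # payment-card data
    "jump": ipaddress.ip_network("10.30.0.0/28"),  # admin jump hosts
    "corp": ipaddress.ip_network("10.20.0.0/22"),  # user workstations
}

# Hypothetical firewall allow-list as (src_segment, dst_segment, dport).
# Each rule looks reasonable on its own; together they form a path.
ALLOW = {
    ("jump", "cde", 22),
    ("jump", "cde", 3389),
    ("corp", "jump", 3389),  # users RDP to the jump hosts
}

# Constructed flow-log lines in a made-up key=value format.
FLOW_LOG = """\
ts=1 src=10.30.0.2 dst=10.10.0.5 dport=22 proto=tcp
ts=2 src=10.20.1.15 dst=10.10.0.5 dport=445 proto=tcp
ts=3 src=10.20.1.15 dst=10.30.0.2 dport=3389 proto=tcp
ts=4 src=10.20.1.40 dst=10.10.0.9 dport=3389 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def segment_of(addr):
    """Map an IP address to its segment name, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse the constructed log format into (src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def flow_violations(flows):
    """Flows that reach the CDE from a (segment, port) not on the allow-list."""
    bad = []
    for src, dst, dport in flows:
        if segment_of(dst) != "cde":
            continue
        if (segment_of(src), "cde", dport) not in ALLOW:
            bad.append((src, dst, dport))
    return bad


def pivot_paths(allow=ALLOW, target="cde"):
    """Segments that reach the target through one intermediate hop.

    Returns sorted (src, via) pairs where src is allowed into via and via
    is allowed into target, while src has no direct rule into target. These
    are the routes an attacker with a foothold in src would take.
    """
    direct = defaultdict(set)  # src segment -> destination segments allowed
    for s, d, _ in allow:
        direct[s].add(d)
    paths = []
    for src, dsts in direct.items():
        if src == target or target in dsts:
            continue
        for via in dsts:
            if target in direct.get(via, ()):
                paths.append((src, via))
    return sorted(paths)


if __name__ == "__main__":
    for v in flow_violations(parse_flows(FLOW_LOG)):
        print("VIOLATION", v)
    for src, via in pivot_paths():
        print(f"PIVOT {src} -> {via} -> cde (no direct rule, reachable in two hops)")
```

Two of the constructed flows go straight from the workstation range into the CDE and are flagged as violations; the third, a workstation reaching a jump host, passes every individual rule yet is the first step of the only two-hop path the graph walk reports. In a real review the same walk would run over the exported rule base, and the jump hosts on that path are where weak passwords or a malicious attachment, the entry methods Havelt lists, turn a compliant segmentation design into a short route to the card data.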