‘Heartbreaking’ tale of sloppy e-tail security
Too few SMEs know about vital requirements for protecting online sales, writes Chris Keall
Pandemic lockdowns have seen a boom in online retail.
But Declan Ingram, deputy director of the Crown’s Computer Emergency Response Team (Cert NZ), is warning small businesses not to cut corners in their rush to reach customers over the internet.
Ingram says a case in point is a North Island small business — which prefers not to share its shame — that came a cropper after failing to follow a key payment processing standard.
It pre-dates the pandemic, but holds valuable lessons for those caught in the Covid rush to organise an “e-tail” presence.
It began when the business’ owners noticed people had started to complain that their website’s payment page was behaving oddly.
“An attacker had got into their website and changed the payment process,” Ingram says.
“So when someone entered information into their cart for the things that they wanted to buy, and then clicked pay, it took them to the attacker’s website, which was skinned to look exactly the same as the real website — but they intercepted and took all of the payment card details.”
One of the owners — who requested anonymity — says, “fortunately we identified the breach quickly and were able to act fast, meaning only a small number of our customers were affected. And by working with our bank we were able to avoid any financial loss for customers.”
But the episode still left him around $100,000 out of pocket, which was made up of:
● Around $30,000 to rebuild the website. They did a lot of the work themselves; otherwise it would have cost them a lot more
● Around $30,000 to get the necessary security measures in place so the website would be protected and secure (and meet PCI DSS requirements), such as contracting someone for ongoing penetration testing
● Lost revenue from being diverted from the work they normally do to grow their business
● Lost revenue from a halt in online sales
There was also un-tallied reputational damage from its site being offline — “as it can be perceived that the business is not . . . reliable”.
The business owners’ initial DIY efforts to repel the cyber attacker seemed to go well. The malicious code that had been inserted into their website was identified and removed.
But the hackers continued to access the website in a relentless attack.
After a few sleepless nights, it became apparent the attackers were not going away. The owners were forced to delete their website and begin the expensive process of starting again.
But at least this time they did it right.
“It was a heartbreaking decision to make after years of building our online business, but we knew it was the right thing to do to protect our customers,” the owner says.
However, after talking further with their bank the business owner learned there were further steps they could have taken to prevent a cyber-attack by meeting Payment Card Industry Data Security Standard (PCI DSS) requirements — a term they had never heard before.
That puts our small business owners in good company.
A recent Colmar Brunton survey of 508 small businesses (around half with fewer than 20 staff and half with fewer than five), found 61 per cent had no knowledge at all about PCI DSS requirements. Only 17 per cent had a reasonable knowledge.
Of those who had an online store, 39 per cent had never heard of PCI DSS compliance. A further 16 per cent had heard of it, but didn’t understand what it was.
Established by an independent global body of major credit card companies in 2006, PCI DSS compliance is an international requirement for any organisation that accepts, transfers or stores customer payment data. It states that website owners are responsible for protecting customers’ card information, even when they use a third-party payment gateway. PCI DSS is a list of requirements that, when followed, will put organisations in a strong position to defend themselves against attackers trying to steal customers’ credit card details, Ingram says. For a business owner, this means taking the guesswork out of what they need to do, and having specific measures in place and documented to share with service providers, detailing exactly what is needed for security.
A small business owner should talk to their bank to be clear about their PCI DSS obligations, and whether their e-commerce site meets them, Ingram says.
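The tampering described earlier (the pay button sending customers to a lookalike site) is exactly the kind of change a routine payment-page integrity check is meant to catch. The following is an added example, not code from the article, the business or Cert NZ: it parses a checkout page and flags any form action, script source or meta refresh that points anywhere other than the merchant's own site or its approved gateway. The HTML and all domain names are constructed placeholders.

```python
# Added example: checkout-page tamper check (not from the article or Cert NZ).
# Flags form actions, script sources and meta refreshes that lead off the
# merchant's own site or its approved payment gateway. Domains are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "gateway.example-psp"}  # placeholder domains


class _TargetCollector(HTMLParser):
    """Collect every URL the page could send a customer, or their data, to."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "script" and a.get("src"):
            self.targets.append(("script", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.targets.append(("refresh", content.split("=", 1)[1].strip()))


def offsite_targets(html, allowed=ALLOWED_HOSTS):
    """Return (kind, host) for each target whose host is not on the allowlist.
    Relative URLs stay on the merchant's own origin and are not reported."""
    parser = _TargetCollector()
    parser.feed(html)
    found = []
    for kind, url in parser.targets:
        host = urlparse(url).hostname  # handles https://, //host and relative
        if host and host.lower() not in allowed:
            found.append((kind, host.lower()))
    return found


# Constructed samples: the page as deployed, and the same page after the kind
# of change the article describes (the pay button now submits off-site).
CLEAN_PAGE = """<html><body>
<form id="checkout" action="https://gateway.example-psp/pay" method="post">
<button type="submit">Pay</button></form>
<script src="/static/cart.js"></script></body></html>"""

TAMPERED_PAGE = CLEAN_PAGE.replace(
    "https://gateway.example-psp/pay",
    "https://shop-example-checkout.invalid/pay")  # lookalike placeholder host

if __name__ == "__main__":
    print(offsite_targets(CLEAN_PAGE))     # []
    print(offsite_targets(TAMPERED_PAGE))  # [('form', 'shop-example-checkout.invalid')]
```

Run it on a schedule against the live checkout page and alert on any non-empty result; inline event handlers and dynamically injected elements are out of scope for this parser and need a browser-based check.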
“It’s important to know that, as your business grows, so too do your website security requirements,” says the owner. “Your web developers and third-party providers are not responsible for your website’s security; you are, by ensuring you meet PCI DSS requirements.”
It may take a bit of effort to protect a business website, Ingram says, but this is a drop in the ocean compared to the time and money it takes to come back from a cyber-attack.