According to Visa, there have now been a significant number of successful attacks against merchants whom use hosted payment pages.
A hosted payment page is one that you can embed in your website, but directs all Customer transaction details to a third party – think Datacash, Cybersource et al.
Hosted payment pages offer two distinct advantages – firstly, a better transaction rate than you’d get directly off a bank and secondly, these environments are subject to SAQ-A (13 questions) as opposed to SAQ-D (225 questions). Combine with the marketing force and momentum of payment service providers and we have millions of merchants that now use hosted payment pages round the world.
The problem lies in that SAQ-A only covers physical security and information security policies. There is no scope for critical controls such as file integrity monitoring and anti-malware in SAQ-A, which would be the first line of defence in preventing hijacking of hosted payment pages.
I won’t walk you through an attack scenario, but lets just say if you send firstname.lastname@example.org a PDF entitled £1000 order, then chances are, it will get opened and the 0day you’ve planted in it will get you a remote console on an internal machine.
Without anti-malware, file-integrity monitoring, audit logging, IDS/IPS or even a properly configured firewall (which SAQ-A says you don’t need and hence merchants won’t buy), then I think we’ve only seen the tip of the iceberg…
Visa do suggest a mitigation strategy, but there’s no mandatory action on the merchant’s part, other than to fill in SAQ-A on an annual basis (even ASV scans aren’t required).
This problem is not going to go away – it’s going to get worse as more and more Merchants go to cloud-based payments, plus as there are no significant changes planned for SAQ-A for at least another 3 years it’s going to be a real tricky one to counter.
Visa’s guidance can be found here, under Hosted Payment Pages:
My advice to Merchants whom are outsourcing or considering the outsourcing payments is to read your contracts carefully. It’s not going to be a case of ‘oh well, they only told me to do SAQ-A, not my fault’, it’s going to be a case of negligence against data protection clauses. Risk assess, get more controls on your eCommerce servers, improve security awareness and prepare for the worst case scenario.
…and Service Providers? Well, you’re in a responsible position here and have the power to change things – educate your customers, elicit security awareness and work together to stem this issue before you all get a bad name.