May 26, 2006, 12:00 AM

Visa issues alert about increase in shopping cart data breaches

Visa U.S.A. has issued a security alert warning e-retailers of an increase in attacks by hackers using shopping carts to break into databases of confidential customer information.

Kurt Peters

Executive Editor


Crooks are using so-called SQL (Structured Query Language) injection attacks, which breach databases through shopping carts that are not properly patched and so remain vulnerable to hacking, says Martin Elliott, Visa's director of corporate risk and compliance.

SQL is the language an e-commerce application uses to query its database. When a consumer initiates a search on a merchant's web site, the search term travels in the URL's query string, and the application embeds it in a SQL statement. If the application does not validate that input or bind it as a parameter, a hacker can place SQL fragments in the string so that the resulting query returns information from the database that should not be provided, Elliott says.

“We’ve seen an uptick in the bad guys using SQL injection attacks on shopping carts,” he says. “We want to give merchants these best practice recommendations to stay ahead of this and not have it turn into a large issue.”

To minimize the possibility of a SQL injection attack, Visa suggests that merchants:
• Use only a secure shopping cart, preferably technology validated against Visa's Payment Application Best Practices. A list of PABP-compliant shopping carts is available at www.visa.com/cisp.
• Test susceptibility to SQL injection using automated tools or manual techniques.
• Adopt secure coding practices that include independent code reviews for proprietary or custom applications.
• Use only secure web servers. Merchants can refer to their vendors' web sites for information.
• Ensure web servers are routinely updated with the current security patches from their vendors.
• Purge cardholder data when it's no longer needed and make sure that CVV2 (card verification value) data is not stored after a transaction is authorized. "If a bad guy breaks into an empty house, they can't steal anything," Elliott says.
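The mechanism described above, and the "test susceptibility" and "secure coding" recommendations, are easier to see with working code. The following is an added example written for this page, not code from Visa, the alert, or any shopping cart product. It builds a constructed in-memory SQLite database with a products table (what a search should query) and a cardholders table (what it never should), shows a search written by string concatenation being turned into a UNION query that dumps card numbers, shows the same search with a bound parameter returning nothing for the injected term, and finishes with the kind of boolean-based probe an automated scanner sends to detect the flaw. All table names, column names, and sample rows are hypothetical.

```python
import sqlite3


def build_db():
    """Constructed toy merchant database (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        CREATE TABLE cardholders (id INTEGER PRIMARY KEY, name TEXT, pan TEXT);
        INSERT INTO products (name, price)
            VALUES ('red widget', '9.99'), ('blue widget', '12.50');
        INSERT INTO cardholders (name, pan)
            VALUES ('A. Customer', '4111111111111111');
        """
    )
    return conn


def search_vulnerable(conn, term):
    """Builds the SQL by string concatenation.

    Whatever arrived in the URL's search parameter becomes part of the
    statement text, so the attacker can change what the statement does.
    """
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Keeps the SQL text fixed and binds the search term as data.

    The driver sends the term separately from the statement, so quotes,
    UNIONs and comment markers inside it are just characters to match.
    Note that '%' and '_' in the term still act as LIKE wildcards; that is
    a search-quality issue, not an injection, and is escaped separately.
    """
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A search string an attacker could type into the URL: it closes the LIKE
# literal, appends a UNION that pulls card numbers from another table, and
# comments out the trailing quote the application adds.
INJECTED_TERM = "' UNION SELECT name, pan FROM cardholders -- "


def probe_for_injection(conn, search_fn):
    """Boolean-based probe of the kind an automated scanner sends.

    A control term that should match nothing, then the same term with a
    tautology appended. If the second call returns more rows than the
    first, user input is reaching the SQL unescaped.
    """
    control = search_fn(conn, "zzzz-no-such-product")
    probe = search_fn(conn, "zzzz-no-such-product' OR 1=1 -- ")
    return len(probe) > len(control)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable search, injected term:", search_vulnerable(db, INJECTED_TERM))
    print("parameterized search, injected term:", search_parameterized(db, INJECTED_TERM))
    print("vulnerable search flagged:", probe_for_injection(db, search_vulnerable))
    print("parameterized search flagged:", probe_for_injection(db, search_parameterized))
```

Binding parameters fixes the injection itself; the last recommendation in the list above, purging cardholder data and never storing CVV2, limits what such a query can return if a flaw is missed, because the cardholders table an attacker UNIONs against is empty.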
