Visa U.S.A. has issued a security alert warning e-retailers of an increase in attacks by hackers using shopping carts to break into databases of confidential customer information.
Crooks are using so-called SQL (Structured Query Language) injection attacks that breach databases through shopping carts that are not properly patched, making them vulnerable to hacking, says Martin Elliott, director of corporate risk and compliance.
SQL is the coding that appears in the URL box after a consumer initiates a search on the merchant’s web site. Hackers use this string of data to query the database for information that should not be provided, Elliott says.
“We’ve seen an uptick in the bad guys using SQL injection attacks on shopping carts,” he says. “We want to give merchants these best practice recommendations to stay ahead of this and not have it turn into a large issue.”
To minimize the possibility of a SQL attack, Visa suggests that merchants:
• Use only a secure shopping cart, preferably technology validated against Visa’s Payment Application Best Practices. A list of PABP-compliant shopping carts is available at www.visa.com/cisp.
• Test susceptibility to SQL injection using automated tools or manual techniques.
• Adopt secure coding practices that include independent code reviews for proprietary or custom applications.
• Use only secure web servers. Merchants can refer to their vendors’ web sites for information.
• Ensure web servers are routinely updated with the current security patches from their vendors.
• Purge cardholder data when it’s no longer needed and make sure that CVV2 (card-validation) data is not stored subsequent to authorization of a transaction. “If a bad guy breaks into an empty house, they can’t steal anything,” Elliott says.
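As an added illustration (not code from Visa's alert or from any particular shopping cart), the following Python uses a constructed in-memory SQLite product table to show why the search string Elliott describes matters: a search that pastes the term into the SQL text exposes rows it was never meant to return, while the same search with a bound parameter treats the term as plain data. The table, product names and probe term are all assumptions made for the example.

```python
import sqlite3

# Constructed in-memory catalogue standing in for a shopping cart's product table.
# Products with visible = 0 are not meant to be reachable through the search box.
def make_catalogue():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visible INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "red widget", 1),
        (2, "blue widget", 1),
        (3, "unreleased gadget", 0),   # hidden from shoppers
    ])
    return conn

def search_vulnerable(conn, term):
    # The search term taken from the URL is pasted straight into the SQL text,
    # so a quote in the term ends the string literal and the rest becomes SQL.
    sql = ("SELECT name FROM products WHERE visible = 1 AND name LIKE '%"
           + term + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    # The term is bound as a parameter: the driver passes it as data, so
    # quotes or comment markers in it can never change the query's structure.
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def leaks_hidden_rows(search_fn, conn, term):
    # Minimal susceptibility check in the spirit of the "test with manual
    # techniques" advice: does the search ever return a product that is not visible?
    hidden = {row[0] for row in conn.execute("SELECT name FROM products WHERE visible = 0")}
    return any(name in hidden for name in search_fn(conn, term))

# A textbook probe term (constructed): the quote closes the string literal,
# the rest is read as SQL, and "--" comments out the trailing quote.
PROBE = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_catalogue()
    print("normal search:", search_vulnerable(db, "widget"))
    print("vulnerable + probe:", search_vulnerable(db, PROBE))
    print("parameterized + probe:", search_parameterized(db, PROBE))
```

Parameterization stops the quote from changing the query, but a `%` in the term still widens the LIKE match, which is a separate input-validation concern.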