E-commerce websites that collect credit card information directly must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). If such a site does not meet the PCI security requirements, most major card providers such as Visa, Mastercard, AMEX, etc. will not allow their cards to be used on the site. Complying with the PCI standard correctly is a significant task, and many e-commerce websites do a poor job of it. To prove this point, I can show you how you can break many e-commerce sites’ PCI compliance in just a few seconds!
Critical Requirements of PCI DSS: PAN Security
An e-commerce website that accepts credit cards through a web application such as a shopping cart must not store the primary account number (PAN), which is the credit card number itself, as-is in its database. If a PAN must be stored in a database, it must be stored using high-grade encryption in a secured database.
Breaking PCI DSS Compliance in 30 Seconds
Here I will describe how you can easily break an e-commerce website’s PCI compliance in 30 seconds.
Step 1: Find a form on your e-commerce site
This form can be a customer contact form, a return processing form, or any other form outside their normal shopping cart process.
Step 2: Grab a realistic but fake card number
There is no need to use your own credit card for this experiment. Just grab a phony credit card number from http://www.getcreditcardnumbers.com.
Step 3: Fill out the form and submit
Now enter the fake credit card number in the message field or any large free-form text area meant for a message, feedback, or other details. Submit the form with whatever other information is required.
Congrats! You Just Broke the Site’s PCI Compliance!
If the site accepted the data you sent with the fake credit card number, it has sent that information to customer service or stored it in a ticketing system, and eventually in a database.
Many sites have contact forms and other forms unrelated to the shopping cart that customers can fill out. Allowing a visitor to enter a credit card number on such a form and then emailing it to customer service staff or storing it in a database creates a non-compliant system.
You may be wondering why someone would willingly enter a credit card number in such a form, right? Well, people do. They do it for various reasons. It does not matter why. What matters is that the system accepted the card number and possibly shared it with people who should not see such information.
A naive customer may not realize that a site is not protecting them when they contact the site’s staff for help resolving a card issue. So the burden of protection falls on the site, not on the customer.
Am I Joking?
Nope. A site that allows credit card numbers to be emailed or stored in a ticketing system or some third-party customer service tool is just asking for it! Customers often think their data will be protected because many sites brag about HTTPS or show a security seal from a security vendor. They often believe that these things are enough to protect them and that all communication is secure. They are not!
Entering a credit card number in a form that was never intended for it is a simple way to get the site in trouble with PCI compliance.
How to Stop This?
Simple. Make sure all data entering an e-commerce site is run through a LUHN check. This means that the site should test every input to see whether a credit card number was entered. If a credit card number was entered, the site needs to take appropriate action and redact that number in non-shopping-cart modules such as the customer service tool, the feedback form, or whatever else accepts free text. Most sites do not practice such safety measures and, therefore, can quickly become non-compliant with PCI.
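As an added example, and not code from the original post, here is one way to implement the Luhn check and redaction just described in Python, applied to every field of a submitted form before the data is emailed to staff or written to a ticketing system. The candidate regular expression, the function names, the field names and the sample message are all constructed for this illustration; a real deployment would tune the accepted separators and lengths to its own inputs.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes.
# Constructed pattern (assumption): lengths cover the common card brands, and the
# lookarounds stop a 20+ digit run from being partially matched.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample submission: a well-known Visa test number (Luhn valid),
# a 15-digit order number that fails Luhn, and a 10-digit phone number.
SAMPLE_MESSAGE = (
    "Hi, my order on card 4111 1111 1111 1111 was charged twice. "
    "Order #123456789012345 and phone 555-123-4567."
)


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit;
    # a doubled value above 9 contributes its digit sum (d - 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(candidate: str) -> bool:
    """A candidate is treated as a PAN if it is 13-19 digits long and Luhn valid."""
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def redact_pans(text: str, keep_last: int = 4) -> tuple[str, int]:
    """Mask every PAN-like number in free text, keeping only the last four digits.

    Returns the redacted text and the number of PANs that were masked, so the
    caller can raise an alert as well as store the cleaned copy.
    """
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        candidate = match.group(0)
        if not looks_like_pan(candidate):
            return candidate  # e.g. an order number that fails Luhn
        count += 1
        digits = re.sub(r"[ -]", "", candidate)
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]

    return CANDIDATE_RE.sub(_mask, text), count


def sanitize_form(fields: dict) -> tuple[dict, list]:
    """Apply redact_pans to every string field of a submitted form.

    Returns the cleaned fields and the names of the fields that contained a
    PAN; only the cleaned copy should ever reach email, tickets or a database.
    """
    cleaned, flagged = {}, []
    for name, value in fields.items():
        if isinstance(value, str):
            value, hits = redact_pans(value)
            if hits:
                flagged.append(name)
        cleaned[name] = value
    return cleaned, flagged


if __name__ == "__main__":
    # Constructed contact-form submission.
    form = {"email": "customer@example.com", "message": SAMPLE_MESSAGE}
    clean, flagged = sanitize_form(form)
    print("flagged fields:", flagged)
    print("cleaned message:", clean["message"])
```

The Luhn checksum alone accepts roughly one in ten random digit strings of the right length, so the length bound matters and a hit should be treated as a signal to review the form, not just silently cleaned. The cleaned copy is the only one that should be logged or forwarded; writing the original text to a debug log would recreate the very exposure the check is meant to prevent.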