Oct 29, 2018
A quick look at recent news headlines reveals that the payments industry has been under attack. When I delved deeper into this story, I found a recent survey that also revealed that a vast majority (84%) of payments industry professionals believe payments fraud is going to get worse – and soon.
Smaller companies that process online payments are enlisting payment processors - like Stripe, Square, or PayPal - to help them meet stringent compliance standards like PCI DSS. But are they opening themselves up to a security risk?
“The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular, the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps,” wrote Michael Bittner, digital security and operations manager at The Media Trust.
tCell researchers discovered that hackers can use Cross Site Scripting (XSS) to steal payment information. Any web application component (like a chat window) can become a possible attack vector, but very few non-payment-related components will have recognized the need to implement a PCI-style deep security program.
This is no longer just a theoretical attack -- recently this approach was used on Magento e-commerce customers. The British Airways hack used this same approach.
I invited Matthew Gast from tCell onto my daily tech podcast to find out more about what companies can do to protect customers visiting their website or application from Cross Site Scripting (XSS).