PCI DSS: The Dangers Of SAQ A Compliance
PCI DSS is a master catalogue of security controls, designed to provide a baseline for the protection of payment card operations. Based upon the risks to a particular payment channel, an organisation may be eligible for a lighter-touch control set where the perceived risks are lower.
The easiest route to compliance is to fully outsource payment card operations to a PCI DSS compliant Payment Services Provider (PSP), which reduces the compliance burden from circa 330 controls to a maximum of 22 controls:
Self Assessment Questionnaire (SAQ) A.
However, in recent years we have seen the rise of Magecart Group style cyber attacks, which seek to circumvent the PSP by redirecting the customer's payment journey through malicious code injected into a non-payment web page (before the customer reaches the PSP interface).
As a result, eCommerce operations that are eligible to validate their PCI DSS compliance against the 22 controls of SAQ A can be deemed compliant yet still be running a significant risk.
This risk became so significant, with a number of large-scale breaches having occurred (e.g. TicketMaster, NewEgg, British Airways, etc.), that the PCI SSC made a special announcement to warn businesses of this risk:
Unfortunately, it would appear that this press release has not encouraged businesses with eCommerce payment operations to change their approach, and just recently we have seen online fashion outlets fall victim to malicious code injection attacks:
Coincidentally, this attack occurred just after they had closed their physical retail stores (as a result of the COVID-19 pandemic), which indicates that other eCommerce operations are likely to fall victim.
In order for an eCommerce or Mail Order Telephone Order (MOTO) operation to be eligible for completion of an SAQ A, they MUST meet the following criteria:
As you can see, this does not reduce the risk of an attacker exploiting vulnerabilities in the out-of-scope web pages that lead the customer towards the redirect to the PCI DSS compliant PSP (where the customer enters their payment card details and other personal data to complete the payment and checkout process).
Consequently, if the attacker is able to redirect the customer through their own systems, it is possible for them to harvest this sensitive information clandestinely.
If you are a PCI DSS compliant (SAQ A) eCommerce/MOTO business, I would recommend that you start looking at your payment interfaces through the eyes of your attacker and apply additional measures that align with the early stages of Carbon Black's Cognitive Attack Loop (Recon & Infiltrate):
Recon your digital footprint
Do you understand the interconnections and complexities of your web pages, and have you confirmed the legitimacy of any scripts contained within them?
Plot the customer journeys on their way towards the redirect to the PCI DSS compliant PSP.
Identify Infiltration Opportunities
Having identified the complexities of your digital footprint, include vulnerability scanning of the web pages that could be used to redirect the customers' journey towards the payment interface.
Identify any 3rd party scripts that could be used as opportunities to infiltrate and undermine the payment process.
Implement tracking of vulnerabilities and prioritised remediation, based upon the potential risks.
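One concrete way to carry out the script checks above (confirming the legitimacy of scripts on the pages that lead to the PSP redirect, and identifying 3rd party scripts) is to inventory every script on each page in the customer journey and compare it against an approved baseline. The following is an added example, not code from the original post or from any PCI SSC or Carbon Black tooling; it assumes the page HTML has already been fetched, that the merchant keeps a list of first-party hostnames, and that approved third-party scripts are recorded with their expected Subresource Integrity (SRI) hash. The sample HTML and baseline are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> element: src, SRI attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._open = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

    def handle_data(self, data):
        if self._open and self.scripts:
            self.scripts[-1]["body"] += data


def audit_scripts(html, page_url, first_party_hosts, approved):
    """Return (reason, detail) pairs for scripts that deviate from the baseline;
    approved maps each allowed third-party script URL to its expected SRI value."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            if s["body"].strip():  # inline code has no URL to allowlist: review it
                findings.append(("inline-script", s["body"].strip()[:60]))
            continue
        url = urljoin(page_url, s["src"])  # resolve relative paths against the page
        if (urlparse(url).hostname or "") in first_party_hosts:
            continue
        if url not in approved:
            findings.append(("unapproved-third-party", url))
        elif s["integrity"] != approved[url]:
            findings.append(("sri-mismatch", url))  # SRI hash missing or changed
    return findings


# Constructed sample: a pre-checkout page and the merchant's approved baseline.
SAMPLE_HTML = """<html><head><script src="/static/cart.js"></script>
<script src="https://js.psp.example.net/redirect.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example.org/analytics.js"></script>
<script>document.title = "Cart";</script></head></html>"""
BASELINE = {"https://js.psp.example.net/redirect.js": "sha384-AAAA"}
```

Run against each page on the path to the PSP redirect on a schedule, and treat any new finding as a change to investigate, since an unexpected host or a changed hash is exactly what a Magecart-style injection looks like from the defender's side.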
As you can see from the SecurityScorecard analysis, had Claire's been carrying out automated vulnerability scans of their out-of-scope environments they would have observed that their digital footprint (their Shop Window) was a significant risk for them.
Additionally, they would have identified a substantial drop in their security score, right before they were subject to a successful cyber attack.
Note: Despite all card payments having been outsourced to a PCI DSS compliant PSP (NO electronic storage, processing, or transmission of ANY cardholder data on the business entity's systems or premises, with the entity entirely reliant on a third party or parties to handle all these functions), the SAQ A still includes the requirement to 'Maintain A Vulnerability Program'.
It is extremely likely that the release of PCI DSS version 4 will bring with it considerable changes to the eligibility criteria for eCommerce and MOTO businesses using entirely outsourced operations.
However, to reduce the risks from Magecart Group style attacks and to improve the integrity of your shop window, you can take proactive action now by applying some additional PCI DSS requirements to your out-of-scope environments.
6.1. Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
12.2 Implement a risk-assessment process.
Remember, in the event of a data breach (even when deemed to be compliant against SAQ A), your organisation will likely become liable for the following:
Costs of a forensic investigation,
Be deemed to be a level 1 Merchant (Requiring a period of onsite validation of compliance, conducted by a PCI DSS Qualified Security Assessor (QSA))
Be deemed a Designated Entity (requiring the additional Appendix A3 controls):
A3.1 - Implement a PCI DSS compliance program.
A3.2 - Document and validate PCI DSS scope.
A3.3 - Validate PCI DSS is incorporated into business-as-usual (BAU) activities.
A3.4 - Control and manage logical access to the cardholder data environment.
A3.5 - Identify and respond to suspicious events.
As a result, a small investment in establishing an effective vulnerability management program can yield a considerable Return On Investment (ROI), both in reducing potential brand damage and in limiting financial impact (e.g. regulatory fines (GDPR, CCPA, PIPEDA, etc.), a drop in share price, loss of customer trust, etc.).
For this, and other useful insights, why not get yourself a copy of my 'PCI DSS: An Integrated Data Security Standard Guide'?