Data theft at Oregon Zoo exposes payment card information

A Case Study on PCI DSS Compliance and eSkimming Security (Client Side)

By Source Defense

The recent data theft at the Oregon Zoo, which came to light on August 22, 2024, is a stark reminder of how important robust cybersecurity measures are for digital transactions. The incident, in which the payment card details of over 117,000 visitors may have been compromised, highlights the ongoing challenges organizations face in meeting Payment Card Industry Data Security Standard (PCI DSS) requirements and in protecting against sophisticated client-side eSkimming attacks.

The breach and its consequences

  • Period: December 2023 to June 2024
  • Discovery: 26 June 2024
  • Data affected: Names, card numbers, CVV codes and expiration dates
  • Attack vector: Compromised online ticket system

The breach, which has been traced to unauthorized activity in the zoo’s third-party ticketing system, has all the hallmarks of a traditional eSkimming attack. These attacks have become increasingly common, as highlighted in the Coalfire paper on holistic approaches to protecting credit card payment flows. Repeated warnings from credit card associations such as Visa and Verizon, and the PCI Security Standards Council’s decision to include eSkimming controls in PCI DSS v4.0, point to the same trend.

PCI DSS v4.0 Compliance and the Breach

The timing of this breach is particularly significant as we approach the March 2025 deadline for PCI DSS v4.0. Two critical requirements in PCI DSS v4.0 are directly relevant to this incident:

  1. Requirement 6.4.3: Requires comprehensive management of all payment page scripts accessed in consumer browsers, including inventory, authorization, integrity assurance, and written justification for the business purpose of each script.
  2. Requirement 11.6.1: Requires the implementation of a mechanism to detect and report unauthorized changes to HTTP headers and HTML content of payment pages as displayed in the customer’s browser. Checks must be performed at least weekly, or more frequently based on a risk analysis.

The role of eSkimming security (client side)

Credit card fraud has shifted significantly towards e-commerce since the EMV (Europay, Mastercard and Visa) liability shift in October 2015, which shifted responsibility for fraudulent transactions from card issuers to merchants who have not moved to EMV-compliant systems. This trend highlights the critical importance of implementing robust eSkimming (client-side) security measures, especially for companies that handle sensitive financial data during online transactions. As cybercriminals adapt their tactics to exploit vulnerabilities in digital payment systems, companies must prioritize comprehensive protection of their web applications and customer data entry points to mitigate the evolving risks in the e-commerce environment.


Key points relevant to this breach and highlighting best practices in cybersecurity include:

  1. Holistic approach: Protecting sensitive data requires a comprehensive strategy that includes both server-side and client-side security.
  2. Real-time threat detection: Solutions that detect and contain threats in real time are essential. Many eSkimming attacks are “low and slow” and persist for extended periods precisely because such solutions are not widely deployed.
  3. Managing third-party scripts: There is an urgent need to manage and control third-party scripts, as they were likely the attack vector in the Oregon Zoo breach.

Preventive measures and best practices

To prevent similar incidents, organizations should consider the following:

  1. Implement eSkimming security solutions (client-side): Deploy platforms that provide comprehensive visibility and control over client-side threats.
  2. Regular security assessments: Conduct regular risk analysis and penetration testing of web applications.
  3. Third-party management: Implement strict controls and audits for third-party scripts and services.
  4. PCI DSS v4.0 Compliance: Prioritize compliance with the new requirements, particularly 6.4.3 and 11.6.1, in time for the March 2025 deadline.

The Oregon Zoo data theft highlights the critical importance of robust (client-side) eSkimming security measures in modern eCommerce. Companies increasingly rely on third-party scripts and complex web applications, so they must deploy comprehensive security solutions to effectively protect against sophisticated attacks such as eSkimming.

Source Defense offers a powerful solution to these challenges:

  1. Real-time protection: Source Defense technology provides real-time monitoring and protection against client-side attacks, enabling organizations to detect and contain threats as they arise.
  2. Managing third-party scripts: By providing granular control over third-party scripts, Source Defense helps organizations minimize the risks associated with executing external code on their websites.
  3. Compliance support: Source Defense solutions help meet PCI DSS requirements, specifically 6.4.3 and 11.6.1, helping organizations maintain compliance while improving their security posture.
  4. Behavioral analysis: By leveraging advanced behavioral analytics, Source Defense can identify and block malicious activity that could evade traditional security measures.
  5. Reduced operating costs: By automating many aspects of client-side security, Source Defense helps organizations improve their protection without significantly increasing their operational workload.

Implementing a solution like Source Defense can prevent all forms of client-side attacks. With cyber threats constantly evolving, adopting such advanced, behavior-based web application defense solutions is not only a best practice, but a necessity for organizations that handle sensitive customer data.

The post Data breach at Oregon Zoo exposes payment card information appeared first on Source Defense.

***This is a Security Bloggers Network syndicated blog from Blog | Source Defense, written by Scott Fiesel. Read the original post at: https://sourcedefense.com/resources/oregon-zoo-data-breach-exposes-payment-card-information/
