Security of customer data (especially when paying)

Why the security of customer data should always come first

Customers have told you that their credit card details have been compromised and they think it happened on your website? Then you have a problem – or rather: at least two problems!

There is always a first time: my credit card details were stolen (skimming)

Last summer I ordered a pair of new running shoes from my running shop’s online shop. Everything went wonderfully: my brand and model were available, off to the checkout, pay and – please, pay again, what?

Here I immediately became suspicious. I had already entered my credit card details. Directly on the website, that is, in the online shop (or so I thought). Now I was asked again to enter my data on another payment page. No, something is definitely wrong here! Process stopped.

Two days later the owner of the shop called me. He wanted to send my shoes, but he had not yet seen a successful payment from me, and would I please pay. Now all my (QIR) alarm bells definitely went off.

I transferred the amount to him, I didn’t pay by card again. I had my credit card blocked immediately, but it was too late: around USD 2,500 had already been debited (by a wellness hotel in Mexico). Fortunately, I got the money back from my bank, so I didn’t have any monetary damage.

I also informed the shop owner immediately. He had his online shop checked and discovered that when the payment process started, customers were being redirected to another page. This foreign site had been built in exactly the same design as his own. He couldn’t say how many of his customers were affected, but he had already noticed the “strange” payment behaviour of his customers (many orders without card payment).

The problem: User ID and password for the online shop had never been changed

Why couldn’t this retailer ensure the security of customer data?

Since setting up the online shop, he had never changed the password. In addition, the admin access was still running on the default user ID.

The merchant had never thought about changing the password, let alone the user ID. The online shop was set up, ran well and caused no problems.

Everything ended well for me, but did it for the merchant too?

The online shop was taken offline for a few days for “maintenance work”; this entry point for attackers was closed and the problem resolved.

For me, everything was ok. I got my running shoes and the fraudulent charge on my credit card was refunded by my bank.

The retailer had a slight drop in sales, but this stabilised again after a few weeks. His reputation didn’t seem to have suffered either. A lucky fellow indeed!

But what could have happened, given that he could not guarantee the security of customer data? (Here they are, the “at least two problems”):

  • loss of regular customers
  • no/less new customers
  • sharp drop in sales (and with that losing lots of money)
  • as well as a potential penalty from the card schemes (Visa, Mastercard & Co.)
  • or in the worst case, loss of the ability to accept card payments.

As already written: it turned out well for him, he was really lucky and hardly anything happened.

How do you ensure the security of customer data?

Not only in the area of e-commerce / online shops, but in general and with regard to all data, it is extremely important that you as a merchant can guarantee the security of customer data. Be it credit card or other payment data, names, addresses, date of birth, order history, etc. – customer data must not fall into the wrong hands.

In this article about online skimming (which is what happened to me, as described above), I explain, among other things, the important measures you as a merchant can take to protect customer data.

In the case above: the default user ID and default password shipped by the software manufacturer must be changed after the initial installation.
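A defender-side check that would have caught the redirect described above is a periodic audit of the live checkout page for form targets, scripts or refresh redirects that point outside the shop’s own domain or its approved payment provider. The following Python script is an added example, not code from this article or from the shop involved; the hostnames, the allow-list and the sample HTML are constructed assumptions.

```python
"""Checkout integrity check: flag payment form targets, scripts and refresh
redirects that point outside the shop's own domain or its payment provider."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the checkout may submit data to or load scripts from (assumed).
ALLOWED_HOSTS = {"shop.example", "pay.provider.example"}

class CheckoutAuditor(HTMLParser):
    """Collects every form action, script src and meta-refresh target."""
    def __init__(self):
        super().__init__()
        self.targets = []  # (kind, url) pairs in page order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))
        elif tag == "script" and attrs.get("src"):
            self.targets.append(("script", attrs["src"]))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""  # e.g. "0; url=https://..."
            if "url=" in content.lower():
                url = content.split("=", 1)[1].strip().strip("'\"")
                self.targets.append(("redirect", url))

def foreign_targets(html, allowed=ALLOWED_HOSTS):
    """Return the (kind, url) pairs whose host is not on the allow-list.
    Relative URLs stay on the shop itself and are therefore not flagged."""
    parser = CheckoutAuditor()
    parser.feed(html)
    flagged = []
    for kind, url in parser.targets:
        host = urlparse(url).hostname
        if host is not None and host.lower() not in allowed:
            flagged.append((kind, url))
    return flagged

# Constructed sample: the card form submits to a look-alike domain and an
# extra loader script was injected, as in the incident described above.
SAMPLE_CHECKOUT = """<html><body>
<form action="/cart/update" method="post"></form>
<script src="https://shop.example/js/checkout.js"></script>
<form action="https://shop-example-secure.com/pay" method="post">
  <input name="card_number"></form>
<script src="https://cdn.shop-example-secure.com/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in foreign_targets(SAMPLE_CHECKOUT):
        print(f"ALERT: {kind} points to foreign host {url}")
```

Run it against the HTML your monitoring fetches from the real checkout URL; any flagged entry means the payment step no longer ends where you configured it.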

Did you find this article by chance or were you specifically looking for it?

Hopefully you do not have a specific reason to have searched for and found this article. If so, are you a merchant who has been the victim of an attack and whose customer data has been compromised? Are you concerned about the security of your online shop?

As a QIR certified by the PCI SSC, I will be happy to help, contact me via these channels or via the comment function.

I hope the above and my other PCI-related articles have been of some help to you!
