Protecting EC sites from attacks: PCI DSS compliance and Shopify's security
Introduction
In recent years, the importance of security in the EC (e-commerce) market has grown rapidly.
In particular, the "payment application tampering" incident that occurred at a major coffee chain store, Company T, in 2024
sounded a loud alarm for EC site operators.
In this article, I will explain the security measures that EC sites will be required to take going forward.
Lessons learned from the data leak incident at major coffee chain store T
This unauthorized access came to light when the company was contacted by the Metropolitan Police Department on May 20, 2024.
The "payment application tampering" is said to have been carried out by exploiting a vulnerability in part of the online store system.
What is "payment application tampering"?
"Payment application tampering" refers to unauthorized intervention in and manipulation of payment applications (for example, online shopping sites, POS systems and electronic money apps). It is an attack carried out in order to steal and manipulate customers' payment information.
Specifically, the following techniques are used to fraudulently obtain customer information and credit card information.
Techniques of "payment application tampering" (figure)
* Source: materials of the Ministry of Economy, Trade and Industry
https://www.meti.go.jp/shingikai/mono_info_service/credit_card_payment/pdf/002_03_00.pdf
"Payment application tampering" is characteristically difficult to detect, and in many cases information continues to leak over a long period.
Similar damage has been spreading in recent years, and multiple cases have been confirmed besides the one at major coffee chain store T.
In this attack, personal information, including credit card information used on the company's site from July 20, 2021 to May 20, 2024, may have been leaked.
When the unauthorized access was discovered, card payments at the online store were therefore stopped, and on May 23 the online store itself was temporarily closed.
The announcement on October 3 stated that, according to an investigation by a third-party research organization, more than 90,000 records of personal information and more than 50,000 records of credit card information may have been leaked.
The payment application tampering incident at major coffee chain store T brought the following important lessons:
1. The importance of the execution environment of JavaScript code in the payment system
JavaScript in the browser is commonly used to drive the UI and functions of payment pages, but if malicious code is incorporated into it, users' credit card information can be stolen.
As with Magecart attacks, more and more cases involve stealing information from the payment screen via JavaScript snippets.
* What is a Magecart attack?
https://www.akamai.com/ja/glossary/what-is-magecart
Without appropriate sandboxing or integrity checks, these attacks are difficult to prevent.
A mechanism that monitors changes to the JavaScript code in real time and detects anomalies is needed.
2. The need for third-party code management and security monitoring
Payment systems often depend on third-party services (payment gateways, analytics tools,
advertising tracking). When that code is tampered with, the damage spreads.
Companies need to carry out regular vulnerability scanning and security evaluation when introducing third-party code.
Setting a Content Security Policy (CSP) is recommended to prevent unauthorized scripts from executing and to limit what third-party code can do.
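An added example (not from the article or from Shopify) of why the wording of the script-src directive matters: a small evaluator for a CSP header shows that a permissive policy still lets a script from an unknown host run, while a strict allowlist with a nonce blocks it. The site origin, payment provider hostname and nonce are constructed placeholders.

```javascript
// Added example, not from the original article or from Shopify: a small
// evaluator for the script-src part of a Content-Security-Policy header,
// used to compare a permissive policy with a strict allowlist. The site
// origin, provider hostname and nonce are constructed placeholders.
const SITE_ORIGIN = "https://shop.example";

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Does one source expression permit this script? Covers the expressions a
// checkout page typically needs: 'self', 'unsafe-inline', nonces, scheme
// sources (https:) and host sources with an optional leading wildcard.
function matches(source, script) {
  if (source === "'unsafe-inline'") return script.inline === true;
  if (source.startsWith("'nonce-")) return script.nonce === source.slice(7, -1);
  if (script.inline) return false; // remaining forms apply to URLs only
  const url = new URL(script.url);
  if (source === "'self'") return url.origin === SITE_ORIGIN;
  if (/^[a-z]+:$/.test(source)) return url.protocol === source;
  const [, scheme, host] = source.match(/^(?:([a-z]+):\/\/)?(.+)$/);
  if (scheme && url.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// script-src falls back to default-src when absent; 'none' blocks everything.
function scriptAllowed(policy, script) {
  const sources = policy["script-src"] || policy["default-src"] || [];
  if (sources.includes("'none'")) return false;
  return sources.some((s) => matches(s, script));
}

// The permissive policy lets any https script and any inline code run, so an
// injected script passes. The strict policy pins the first-party origin, one
// payment provider host and a per-response nonce.
const WEAK_CSP = "default-src 'self'; script-src 'self' https: 'unsafe-inline'";
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://js.payments.example 'nonce-r4nd0m'";
```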
3. The importance of a comprehensive approach to protecting payment data
Multilayered security measures are essential to prevent leakage. Specifically, data encryption,
multi-factor authentication (MFA) and an intrusion detection system (IDS) are effective.
It is also important to protect the payment system in line with international security standards such as PCI DSS v4.0.
This allows operators to respond to the latest security threats.
It is also essential to prepare an incident response plan and to identify the cause quickly through forensic investigation.
In the case of Company T, the prompt suspension of card payments and the investigation that followed the discovery helped to limit the damage.
Company T's case is an important lesson showing how companies should protect their payment systems in today's digitalized age.
It has become clear that securing a safe execution environment, managing the risks of third-party dependencies, and comprehensive security measures are essential for protecting personal information and maintaining trust in the company.
Issues with conventional EC sites
With conventional package software, businesses themselves had to manage the servers and security measures.
This raises the following issues:
1. Continuous application of security updates to all software in use, including the OS
2. Measures against server vulnerabilities
3. Maintaining the security of the payment system
4. The considerable effort and cost of PCI DSS compliance
In particular, highly customizable package software, with its own payment modules and functions, can increase security risks for the following reasons.
1. Code quality control issues
・ The quality of custom code depends on the skills of the developers who do the customization
・ Adherence to security best practices is left to individual developers
・ Code reviews and security audits are likely to be insufficient
2. Risk of contamination through dependencies
・ Quality verification of third-party modules may be insufficient
・ Unexpected vulnerabilities can arise from interactions between different modules
・ Use of deprecated functions and unsafe coding practices
3. Risks specific to payment processing
・ Inappropriate handling of credit card information in custom payment modules
・ Possibility of authentication bypass through modification of the payment processing flow
・ Risk of tampering with the payment form via JavaScript
4. Complexity of updates and maintenance
・ Conflicts between core system updates and customizations
・ Impact on existing customizations when security patches are applied
・ Risk of postponing updates due to compatibility issues at upgrade time
5. Test environment issues
・ Unexpected vulnerabilities due to differences between the production and test environments
・ Difficulty in carrying out sufficient security testing for every customization
・ Insufficient vulnerability assessment before the release of new functions
6. Complexity of operational management
・ More points to monitor as the number of customization points increases
・ Difficulty in identifying the cause when an incident occurs
・ Gaps in security measures are likely to occur
Security measures required of EC operators
According to the IPA (Information-technology Promotion Agency, Japan), many EC sites have suffered information leaks due to insufficient security measures, and recovery is reported to take many months.
Especially on small and medium-sized EC sites, the problem is that vulnerability management and the application of security patches are delayed.
For this reason, the security measures required of EC operators in Japan have been strengthened in response to the recent increase in cyber attacks.
To ensure the security of EC sites, the Ministry of Economy, Trade and Industry and the IPA
recommend that all EC sites introduce EMV 3-D Secure (cardholder authentication technology) by the end of March 2025.
These security measures are essential not only for protecting customer data but also for ensuring business continuity.
EC operators are required to take the necessary measures promptly and to follow the latest guidelines.
[Main security measure requirements]
1. Implementation of vulnerability assessment
EC sites are required to carry out vulnerability assessments both at the time of construction and during operation, and to respond quickly to any vulnerabilities found.
During operation, an assessment must be carried out every quarter and each time the system is modified.
2. Introduction of EMV 3-D Secure
All EC operators are recommended to introduce EMV 3-D Secure (cardholder authentication technology) by the end of March 2025 to prevent fraudulent use of credit cards.
This enhances the safety of card information, and dynamic authentication of consumers,
such as one-time passwords, is recommended.
3. Recommendation of PCI DSS compliance
EC sites that handle credit card information are recommended to comply with PCI DSS, the international standard.
In addition, when concluding a new contract, EC operators must report that they have implemented security measures
to their contracted card company (the intermediary between the EC business and the credit card company) or
to their PSP (Payment Service Provider: a company providing online payment services,
not limited to credit cards).
For more information, see the official guidelines of the Ministry of Economy, Trade and Industry and the materials provided by the IPA.
* IPA EC site security guidelines
https://www.ipa.go.jp/security/guide/vuln/guideforecsite.html
* Ministry of Economy, Trade and Industry's guidelines
https://www.meti.go.jp/policy/netsecurity/guideforecsite.html
Compliance with PCI DSS v4
This section describes compliance with PCI DSS v4, one of the main security measure requirements.
What is "PCI DSS v4"?
PCI DSS v4.0 is the latest version of PCI DSS (Payment Card Industry Data Security Standard),
a global security standard for the protection of credit card information.
PCI DSS defines the requirements that companies handling credit card transactions must meet to protect card data and to prevent unauthorized access and information leakage.
It was formulated in 2004 by five international card brands: American Express, Discover, JCB, MasterCard and Visa.
It is currently operated and managed by the PCI SSC (PCI Security Standards Council), an organization jointly established by those brands.
Version 4.0, officially released on March 31, 2022, was revised to respond to the modern security environment
in which digitalization is advancing.
Shopify's security measures
I will explain the merits and the concrete architecture of Shopify's security measures.
Security benefits
1. 24/7 security monitoring by expert teams
2. Automatic security updates
3. Reduced burden of PCI DSS compliance
Shopify is already compliant with the latest PCI DSS v4 and meets the following requirements:
・ Build and maintain secure networks and systems
・ Protect cardholder data
・ Maintain a vulnerability management program
・ Implement strong access control measures
・ Regularly monitor and test networks
・ Maintain an information security policy
4. Global threat intelligence
Operational advantages
1. Freedom from infrastructure management
2. Automatic management of security certificates
3. Automated backups
4. Improved scalability
Shopify-specific security measures
As part of Shopify's security, JavaScript execution is restricted by a sandbox environment (a separate virtual environment).
Restriction of JavaScript execution by a sandbox environment
Shopify's Checkout Extensibility has multilayered security functions to prevent unauthorized JavaScript execution and data tampering.
This mechanism uses a sandbox environment to strictly control operations within the system
and minimize risk.
Specifically, the following architecture ensures a high level of security.
1. Overview of the sandbox architecture
・ Web Worker-based isolated execution:
Web Workers are used to separate the JavaScript execution environment from the browser's main thread.
・ CSP (Content Security Policy) settings:
A strict policy is applied so that unnecessary external resources and scripts are not loaded.
・ Control by iframe sandbox:
JavaScript runs in a sandboxed iframe environment to minimize interference with the host page.
・ Use of a custom bridge API:
Communication between the code in the sandbox and external systems passes only through the bridge.
2. Script execution control system
Verification by static analysis:
The code structure is analyzed using an AST (abstract syntax tree), and dangerous patterns (eval and new Function)
are detected.
3. Remote DOM architecture
Differential updates via a virtual DOM:
A virtual DOM called Remote DOM, developed by Shopify, is used to update only the parts that need to change.
4. Security enhancement functions
Transaction signing and real-time verification:
Prevents tampering with payment data and guarantees the integrity of transactions.
5. Monitoring / detection system
Real-time monitoring and anomaly detection:
Runtime metrics are collected, and fraud is detected on a pattern basis.
These multilayered security measures, which make use of the sandbox environment and the Remote DOM architecture, are effective in preventing unauthorized JavaScript execution and tampering with payment processing.
In addition, performance optimization provides a secure and fast user experience.
This greatly reduces the risk of malicious code injection such as "payment application tampering".
Summary
In the EC business, security is one of the most important factors.
As the case of major coffee chain store T shows, vulnerabilities in the payment system can lead to serious business risks with a significant impact on corporate trust and customer information.
In particular, restricting JavaScript execution to a sandbox environment and complying with PCI DSS v4 are important factors in satisfying the security requirements that modern EC sites must meet.
Finally
Security measures are not just a cost but an indispensable investment in business continuity.
Protecting your data and providing a safe shopping experience can be said to be a basic responsibility of an EC business.
As security requirements become increasingly strict in the future, adopting a cloud-based platform such as Shopify will be a rational and effective option.