Protecting EC sites from attacks! About PCI DSS compliance and Shopify's security
Introduction
In recent years, the importance of security in the e-commerce market has rapidly increased.
In particular, the "payment application tampering" incident that occurred in 2024 at major coffee chain T Company served as a major wake-up call for e-commerce business operators.
In this article, we will explain security measures that e-commerce sites will be required to address going forward.
Lessons learned from the data breach at major coffee chain T Company
This unauthorized access was discovered after being contacted by the police on May 20, 2024.
It is believed that the cause was a vulnerability in part of the online store system, which led to a "payment application tampering."
About "payment application tampering"
"Payment application tampering" refers to unauthorized intrusions or operations targeting payment applications (such as online shopping, POS systems, electronic money apps, etc.). These attacks are carried out with the aim of stealing customers' payment information or manipulating payments.
Specifically, customer information and credit card data are illegally stolen using the following methods.

Methods of "payment application tampering"
* Materials from the Ministry of Economy, Trade and Industry
https://www.meti.go.jp/shingikai/mono_info_service/credit_card_payment/pdf/002_03_00.pdf
"Payment application tampering" is difficult to detect, and many cases have been reported in which information leaks continued over a long period of time.
In addition, such incidents have been on the rise in recent years, and multiple cases have been confirmed not only at major coffee chain T Company, but also at other businesses.
Due to this attack, there is a possibility that personal information, including credit card information used on the company’s website between July 20, 2021 and May 20, 2024, may have been leaked.
As a result, at the time unauthorized access was detected, credit card transactions through the online store were suspended, and on May 23, the online store itself was temporarily shut down.
According to the announcement on October 3, investigations by a third-party research agency have revealed that there is a possibility that over 90,000 pieces of personal information and over 50,000 credit card records may have been leaked.
The payment application tampering incident that occurred at major coffee chain T Company has provided the following important lessons.
1. The importance of the JavaScript execution environment in payment systems
JavaScript is frequently used in browsers to enable payment UI and features, but if malicious code is injected, there is a risk that users’ credit card information could be stolen.
Cases are increasing where JavaScript snippets are used to intercept and steal information from payment screens, such as in Magecart attacks.
*What is a Magecart attack?
https://www.akamai.com/ja/glossary/what-is-magecart
Without proper sandboxing and integrity checks, it becomes much more difficult to prevent these kinds of attacks.
It is essential to monitor JavaScript code changes in real time and have mechanisms in place to detect anomalies.
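One way to implement the change monitoring described above, as an added example that is not part of the original article: it compares the scripts a checkout page serves against an approved baseline of SRI-style SHA-384 digests and reports anything modified, unapproved, or missing. The URLs, script bodies, and function names are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// SRI-style digest, the same format used in <script integrity="...">.
function sriDigest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// baseline: Map of url -> approved digest. current: array of { url, body }.
// Returns one finding per script that is modified, unapproved, or missing.
function auditScripts(baseline, current) {
  const findings = [];
  const seen = new Set();
  for (const { url, body } of current) {
    seen.add(url);
    const approved = baseline.get(url);
    if (approved === undefined) findings.push({ url, status: "unapproved" });
    else if (approved !== sriDigest(body)) findings.push({ url, status: "modified" });
  }
  for (const url of baseline.keys()) {
    if (!seen.has(url)) findings.push({ url, status: "missing" });
  }
  return findings;
}

// Constructed sample: the approved snapshot of two checkout-page scripts.
const approvedCheckout = "function pay(form){ return submitToGateway(form); }";
const approvedAnalytics = "function track(event){ queue.push(event); }";
const baseline = new Map([
  ["https://shop.example/js/checkout.js", sriDigest(approvedCheckout)],
  ["https://shop.example/js/analytics.js", sriDigest(approvedAnalytics)],
]);

// Constructed sample: what the page serves on a later crawl. checkout.js has
// gained a line, analytics.js is gone, and an unreviewed script has appeared.
const observed = [
  { url: "https://shop.example/js/checkout.js",
    body: approvedCheckout + "\n/* appended code */" },
  { url: "https://cdn.example.net/widget.js", body: "/* unknown */" },
];

function runSampleAudit() {
  return auditScripts(baseline, observed);
}

console.log(runSampleAudit());
```

Run on a schedule against the live payment page, any non-empty result is an alert to investigate before the next release is approved into the baseline.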
2. The need for third-party code management and security monitoring
In most cases, payment systems rely on third-party services such as payment gateways, analytics tools, and advertising tracking.
If the code for these services is tampered with, the damage can be extensive.
When companies implement third-party code, it is essential to regularly conduct vulnerability scans and security assessments.
It is recommended to set up a policy called "Content Security Policy (CSP)" to prevent the execution of unauthorized scripts and restrict the operations of third-party code.
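To make the CSP recommendation concrete, the following added example (not from the original article) audits a policy string for the gaps that matter on a payment page and runs it against a weak policy and a hardened one. The policies and the psp.example hosts are constructed, and the function names are illustrative.

```javascript
// Sources that leave each directive effectively open on a checkout page.
const RISKY = {
  "script-src": ["*", "'unsafe-inline'", "'unsafe-eval'", "https:", "http:", "data:"],
  "connect-src": ["*", "https:", "http:"],
};
// Parse "directive source source; ..." into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of Object.keys(RISKY)) {
    // script-src and connect-src fall back to default-src when absent.
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (!sources) { findings.push(`${directive}: not restricted`); continue; }
    // With a nonce or hash present, browsers ignore 'unsafe-inline'.
    const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    for (const s of sources) {
      const low = s.toLowerCase();
      if (!RISKY[directive].includes(low)) continue;
      if (low === "'unsafe-inline'" && strict) continue;
      findings.push(`${directive}: allows ${low}`);
    }
  }
  // form-action and base-uri never fall back to default-src.
  for (const directive of ["form-action", "base-uri"]) {
    if (!policy.has(directive)) findings.push(`${directive}: missing`);
  }
  return findings;
}

// Constructed sample policies; psp.example stands in for a payment provider.
const weakPolicy = "default-src https: 'unsafe-inline' 'unsafe-eval'";
const hardenedPolicy =
  "default-src 'none'; script-src 'self' 'nonce-R4nd0m' https://js.psp.example; " +
  "connect-src 'self' https://api.psp.example; form-action 'self'; base-uri 'none'";
console.log(auditCsp(weakPolicy), auditCsp(hardenedPolicy));
```

The connect-src and form-action checks matter because they limit where a script running on the payment page can send data.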
3. The Importance of a Comprehensive Approach to Protecting Payment Data
To prevent data leaks, multilayered security measures are indispensable. Specifically, data encryption, the adoption of multi-factor authentication (MFA), and the implementation of intrusion detection systems (IDS) are effective.
Additionally, adhering to international security standards such as PCI DSS v4.0 is crucial for protecting payment systems.
This enables businesses to respond to the latest security threats.
Prepare an incident response plan and establish a system for rapidly identifying causes through forensic investigations.
In the case of Company T, the swift suspension of card processing and prompt investigation after detection contributed to preventing further damage.
The case of Company T serves as an important lesson for how businesses should protect their payment systems in today's increasingly digital environment.
It has become clear that ensuring a secure operating environment, managing third-party dependencies, and implementing comprehensive security approaches are essential elements for protecting personal information and maintaining corporate trust.
Issues with traditional EC sites
With traditional packaged software for EC sites, business operators themselves were responsible for managing servers and implementing security measures.
This gave rise to the following issues:
1. Ongoing application of security updates for all software in use, including the OS
2. Server vulnerability countermeasures
3. Maintaining payment system security
4. Significant effort and cost required for PCI DSS compliance
Especially with highly customized package software, adding proprietary payment modules or features can increase security risks for the following reasons:
1. Challenges in code quality management
・The quality of custom code depends on the skills of the developers performing the customization.
・Compliance with security best practices is left to the judgment of individual developers.
・Code reviews and security audits tend to be insufficient.
2. Risk of vulnerabilities being introduced
・In some cases, the quality assurance of third-party modules is inadequate.
・Unexpected vulnerabilities may arise from interactions between different modules.
・Use of non-recommended functions or insecure coding practices.
3. Unique risks in payment processing
・Improper handling of credit card information in custom payment modules.
・Potential for authentication bypass due to changes in payment processing flow.
・Risk of tampering with payment forms via JavaScript.
4. Increasing Complexity of Updates and Maintenance
・Conflicts between core system updates and customizations
・Operational issues with existing customizations due to the application of security patches
・Risk of prioritizing updates due to compatibility issues during version upgrades
5. Challenges in the Testing Environment
・Unexpected vulnerabilities caused by differences between the production and testing environments
・Difficulty in fully implementing security tests for all customizations
・Insufficient vulnerability assessments before the release of new features
6. Complexity of Operations Management
・Increase in monitoring points as the number of customizations grows
・Difficulty in identifying root causes when incidents occur
・Security measures are more likely to be overlooked
About the security measures required for EC businesses
According to a survey by the IPA (Information-technology Promotion Agency, Japan), many EC sites have suffered information leaks due to inadequate security measures, and it has been reported that in many cases, it takes several months to recover.
In particular, small and medium-sized EC sites face challenges such as delayed vulnerability management and slow adoption of security patches.
As a result, security measures required for EC businesses in Japan have been strengthened in recent years in response to the increase in cyberattacks.
The Ministry of Economy, Trade and Industry and the IPA (Information-technology Promotion Agency, Japan) have taken steps to ensure the security of EC sites by issuing the "EC Site Construction and Operation Security Guidelines" and recommending that all EC businesses implement EMV 3-D Secure (an authentication technology) by the end of March 2025.
These security measures are essential not only to protect customer data, but also to ensure business continuity.
EC businesses are required to promptly implement necessary measures and comply with the latest guidelines.
[Main Security Requirements]
1. Conducting Vulnerability Assessments
EC sites must perform vulnerability assessments during both development and operation, and are required to respond swiftly to any vulnerabilities found.
During operation, it is necessary to conduct platform assessments every six months, as well as assessments whenever system modifications are made.
2. Implementation of EMV 3-D Secure
To prevent unauthorized use of credit cards, all EC businesses are encouraged to implement EMV 3-D Secure (an authentication technology) by the end of March 2025.
This will strengthen the security of card information, and for consumers the use of dynamic authentication, such as one-time passwords, is being promoted.
3. Recommendation for PCI DSS Compliance
EC sites that handle credit card information are encouraged to comply with PCI DSS, the international standard.
In addition, when entering into new contracts, EC businesses are required to report that security measures have been implemented to the relevant company: the intermediary between EC businesses and credit card companies, or the PSP (Payment Service Provider: a company that provides online payment services, not limited to credit cards).
For further details, please refer to the official guidelines from the Ministry of Economy, Trade and Industry or materials provided by the IPA.
* IPA’s EC Site Security Guidelines
https://www.ipa.go.jp/security/guide/vuln/guideforecsite.html
* Guidelines from the Ministry of Economy, Trade and Industry
https://www.meti.go.jp/policy/netsecurity/guideforecsite.html
Compliance with PCI DSS v4
Below, we explain compliance with PCI DSS v4, which is one of the main security requirements mentioned above.
About “PCI DSS v4”
PCI DSS v4.0 is the latest version of PCI DSS (Payment Card Industry Data Security Standard), a global security standard aimed at protecting credit card information.
PCI DSS is a set of standards that define the requirements companies handling credit card transactions must follow to prevent unauthorized access and data breaches.
It was established in 2004 by five international card brands: American Express, Discover, JCB, MasterCard, and VISA.
Currently, these five companies jointly operate and manage the organization known as the PCI SSC (PCI Security Standards Council).
v4.0 was officially released on March 31, 2022, with updates made to keep pace with the evolving security landscape of today's increasingly digital world.

About Shopify's security compliance
We will explain the benefits and specific architecture of Shopify's security compliance.

Security Benefits
1. 24/7 security monitoring by a team of experts
2. Automatic security updates
3. Reduced burden of PCI DSS compliance
Shopify is already compliant with the latest PCI DSS v4, meeting the following requirements:
・Maintaining secure networks and systems
・Protecting cardholder data
・Maintaining a vulnerability management program
・Implementing strong access control measures
・Regular monitoring and testing of networks
・Maintaining an information security policy
4. Global-scale threat intelligence
Operational Benefits
1. Free yourself from infrastructure management
2. Automatic management of security certificates
3. Automated backups
4. Enhanced scalability
Specific security measures in Shopify
JavaScript execution is restricted in sandbox environments (separate virtual environments) as part of Shopify's security measures.
Restricting JavaScript execution in sandbox environments
Shopify Checkout Extensibility is equipped with multiple layers of security features to prevent unauthorized JavaScript execution and data tampering.
This framework leverages sandbox environments to strictly control operations within the system, minimizing risk.
Specifically, advanced security is ensured through the following architectural features:
1. Overview of sandbox architecture
・Web Worker-based isolated execution:
By using Web Workers, the JavaScript execution environment is separated from the browser's main thread.
・Setting Content Security Policy (CSP):
Strict policies are applied to prevent unnecessary external resources and scripts from being loaded.
・Control with iframe sandbox:
JavaScript is executed in an iframe environment to minimize interference from the host.
・Use of Custom Bridge API:
Allows communication between code inside the sandbox and external systems only for permitted operations.
2. Script Execution Control System
Verification through static analysis:
Analyzes code structure using an AST (Abstract Syntax Tree) to detect and identify dangerous patterns (such as eval or new Function).
3. Remote DOM Architecture
Differential updates using virtual DOM:
Utilizes a virtual DOM called Remote DOM developed by Shopify, updating only the necessary parts efficiently.
4. Enhanced Security Features
Transaction signing and real-time verification:
Prevents tampering with transaction data and ensures the integrity of exchanges.
5. Monitoring and Detection System
Real-time monitoring and anomaly detection:
Collects runtime metrics and detects irregularities based on patterns.
These multilayered security measures utilize sandbox environments and Remote DOM architecture, effectively preventing unauthorized execution and tampering of JavaScript.
Furthermore, by optimizing performance, we provide a secure yet high-speed user experience.
As a result, the risk of malicious code injection, such as "payment application tampering," is significantly reduced.
Summary
In the e-commerce industry, security is one of the most crucial elements.
As demonstrated by the case of major coffee chain Company T, vulnerabilities in payment systems can lead to serious business risks and may greatly impact a company's trustworthiness and the protection of customer information.
In particular, restricting JavaScript execution in sandbox environments and adhering to PCI DSS v4 standards are essential security requirements for modern e-commerce sites.
Finally
Security measures are not just a simple cost, but an essential investment for business continuity.
Protecting customer data and providing a safe shopping experience are fundamental responsibilities for any e-commerce business.
As security requirements are expected to become increasingly stringent in the future, adopting a cloud-based platform like Shopify is likely to be a rational and effective choice.