Guest Author: Derik Richards | VP, Product Management
Web security researchers have identified a bug that could potentially impact e-commerce businesses using popular shopping cart software WooCommerce. The defect could allow bad actors to access a website’s database and steal sensitive credentials, identifying personal information, and—for some—stored payment card data.
The WooCommerce team has published patches for all impacted versions and advises users to upgrade immediately.
WooCommerce stores continue to be a popular target for hackers, particularly due to the widespread adoption of all kinds of third-party plugins and tools. According to Source Defense, the average e-commerce website uses between 40 and 60 such third-party technologies. These tools almost always rely on JavaScript to facilitate interactivity with the e-commerce website, providing significant value in tracking visitor behavior, engagement, and more. However, this also introduces serious security flaws.
Some payment acceptance plugins for WooCommerce save card data directly to the website database. If done properly, this is permitted for merchants who have a legitimate business need to access this data. Unfortunately, there are several “offline” credit card processing plugins for WooCommerce that do not adhere to the Payment Card Industry Data Security Standard (PCI DSS).
Using these plugins, sensitive card data is captured during the WooCommerce checkout process, stored in the WordPress database, and presented in plaintext through the WordPress administrative interface where the card number is then manually keyed into another system or even a physical credit card terminal for authorization. In at least one such popular plugin, the card security code (aka CVV2 or CID) is also stored, which is expressly prohibited by the PCI DSS.
According to a BullGuard study, 60 percent of small and medium businesses (SMBs) do not think that they are likely targets for a data breach. And yet, the Verizon 2021 Data Breach Investigations Report shows that the number of confirmed breaches was almost the same for small companies as for large companies; last year SMBs represented less than 50 percent of enterprise breach incidents. BullGuard found that once breached, a quarter of SMB owners spend $10,000 or more on resolution. In 2015, the National Cybersecurity Council estimated that 60 percent of SMBs that get breached ultimately go out of business.
If your business is using WooCommerce in conjunction with an “offline” credit card processing plugin, your e-commerce store might be a bigger target than you realize. Thankfully, the solution is simple: don’t store payment card data at all. Removing credit card numbers from your database won’t make it any harder for fraudsters to exploit vulnerabilities such as the one found last week, but it will mitigate the risk of hefty fines and fees that could put you out of business.
Beyond Pay for WooCommerce is a payment plugin that ensures card data stays out of your online store without disrupting the checkout experience. This is achieved by first capturing sensitive data such as the card number in payment fields that look like part of your checkout form but are actually hosted on the secure Beyond Pay gateway servers. Next, the card number is replaced with a non-sensitive “token” value, which is returned to the client webpage and then passed to your web server for processing. This way, your web store never handles a card number, and you can potentially reduce your PCI DSS compliance scope to the simplest level available for an e-commerce merchant.
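The hosted-field and token flow described above, as an added illustration that is not code from Beyond Pay or WooCommerce: a constructed gateway stand-in issues a token for card data it alone retains, and a constructed merchant-side checkout handler accepts only that token, rejecting any raw card field or PAN-like value (function names, token format and field names are assumptions).

```python
"""Simulated tokenization flow: the gateway hosts the card fields and keeps the
card data; the merchant web server persists only a token. All names constructed."""
import re
import secrets

# --- Gateway side (stand-in for the hosted payment fields) ---
_GATEWAY_VAULT = {}  # token -> card data; exists only on the gateway, never in the store DB

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to recognise a plausible card number (PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 1 and d * 2 > 9 else d * (2 if i % 2 else 1)
        total += d
    return total % 10 == 0

def gateway_tokenize(pan: str, expiry: str, cvv: str) -> str:
    """Hosted fields post card data here; only the token travels back to the page.
    The CVV is used for the authorization only and is never retained (PCI DSS forbids it)."""
    pan = pan.replace(" ", "")
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("invalid card number")
    token = "tok_" + secrets.token_hex(12)
    _GATEWAY_VAULT[token] = {"pan": pan, "expiry": expiry, "last4": pan[-4:]}
    return token

# --- Merchant side (what the store's checkout endpoint should accept) ---
PAN_LIKE = re.compile(r"(?:\d[ -]?){13,19}")
FORBIDDEN_FIELDS = {"card_number", "cvv", "cvv2", "cid", "card_security_code"}

def merchant_checkout(form: dict) -> dict:
    """Accept a checkout POST only if it carries a token and no raw card data.
    Returns the record that is safe to persist in the merchant database."""
    for key, value in form.items():
        if key in FORBIDDEN_FIELDS:
            raise ValueError(f"raw card field '{key}' must not reach the merchant server")
        if key != "payment_token" and isinstance(value, str):
            for m in PAN_LIKE.finditer(value):      # catch a PAN typed into any free-text field
                if luhn_valid(re.sub(r"\D", "", m.group())):
                    raise ValueError(f"PAN-like value in field '{key}' rejected")
    token = form.get("payment_token", "")
    if not re.fullmatch(r"tok_[0-9a-f]{24}", token):
        raise ValueError("missing or malformed payment token")
    return {"order_id": form["order_id"], "amount": form["amount"], "payment_token": token}
```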
With the speed of technology, it’s only a matter of time before financially motivated fraudsters try to hack your business’s website. If such an intrusion is successful, then using Beyond Pay for WooCommerce might mean the difference between cleaning up after some web vandalism or going out of business.
About the Author: Derik Richards | VP, Product Management
As VP, Product Management at Beyond, Derik leverages his comprehensive industry experience to understand and translate the needs of business owners and entrepreneurs into business solutions that provide enduring value. A consistently innovative force in payments, Derik always thinks outside the card. He strives to adapt to the dynamic FinTech marketplace, enable payment modalities across different industries and integration partners, and advance Beyond’s payment product roadmap while fostering a community of ISVs and other developers who want an honest, transparent, responsive payment partner. Derik is passionate about maintaining Beyond’s company culture of integrity in an industry whose ongoing competitive consolidation has driven deceptive price increases at a time when businesses cannot afford it.