Website Payment Information Keeps Getting Hacked

We keep getting customers calling up saying that their card was stolen from our website.

I have applied all recent updates to the website that CS-Cart has provided.

Even making sure credit card numbers are deleted after an order has been completed, we are still getting customers calling up telling us their cards were stolen.

What else do I need to do to prevent these attacks, or to stop our customers' cards being stolen?

I'd talk to your hosting company. Certainly changing your admin and server pw is the first thing, but it seems like they are getting into your database.

Jack

How do you know card data was stolen from your website?

Who are you using for a payment processor?

Well, we have changed all passwords to the host website, all admin logins to the actual website, and we changed the admin page name.

I think we use Commerce Bank. Our payment processing is not automatic. We still key it in by hand.

harpersmoto wrote: "Our payment processing is not automatic. We still key it in by hand."



So people call you and give you credit card details and you enter them on the web site?

No. Customers place their orders through our website and enter the payment information on the site. But we then take that credit card number and manually enter it into a charge card scanner to charge the customer.

Would suggest you buy an hour of time from myself or one of the other developers here that are active in the security threads to have them review a few common things on your site. If you have been intruded upon it may not be obvious what to look for. But there are some common things one can do to evaluate whether you have any known intrusions on your site. And if you do, they can be removed.



If you are storing CC data then I'm assuming you are getting PCI scans and that they are passing. However, they will probably not detect an existing intrusion.



You might also want to consider doing more automated processing and NOT holding CC info on your site.



I would strongly suggest you purchase our EZ Admin Tools addon and enable the file monitoring and monitor what changes on your site at least every day to ensure that it all makes sense. If you have a stable site, the files to review will be quite small. If you are actively updating products/categories then you'll get a lot of thumbnail directory activity and will quickly learn what to look for as normal and what's not. The important thing is to be aware of what's changing on your site and what's normal and what's not.
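As an added illustration of the daily file-change monitoring Tony describes (this is example code written for this thread, not the EZ Admin Tools addon or anything shipped with CS-Cart): it hashes every file under the web root, diffs the result against a saved baseline, and filters out the thumbnail and cache churn he mentions so only review-worthy changes remain. The directory names in NOISY_PREFIXES and the sample file layout are assumptions about a CS-Cart install, and the site tree in demo() is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed CS-Cart paths that churn during normal catalogue edits (thumbnails, caches).
# Changes there are expected noise, unless a PHP file appears where only images belong.
NOISY_PREFIXES = ("images/thumbnails/", "var/cache/")


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Classify files as added, modified or removed relative to the saved baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def review_worthy(changes):
    """Drop expected noise so the daily review list stays small; a .php file is never noise."""
    def keep(path):
        return path.endswith(".php") or not path.startswith(NOISY_PREFIXES)
    return {kind: [p for p in paths if keep(p)] for kind, paths in changes.items()}


def demo():
    """Constructed site tree: take a baseline, then simulate one day of activity."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "images/thumbnails").mkdir(parents=True)
        (site / "app/controllers").mkdir(parents=True)
        (site / "app/controllers/checkout.php").write_text("<?php // original\n")
        (site / "images/thumbnails/a.jpg").write_bytes(b"jpeg")
        baseline = hash_tree(site)  # on a real site, persist this (e.g. as JSON) between runs
        # Normal admin work regenerates a thumbnail; an intrusion edits checkout code
        # and drops a PHP file into the image directory.
        (site / "images/thumbnails/b.jpg").write_bytes(b"jpeg2")
        (site / "app/controllers/checkout.php").write_text("<?php // original\n// tampered\n")
        (site / "images/thumbnails/dropped.php").write_text("<?php\n")
        return review_worthy(diff_snapshots(baseline, hash_tree(site)))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it from cron once a day against the web root and read the three lists; a PHP file in an image or cache directory, or a changed checkout controller you did not edit, is exactly the kind of leftover this thread is about.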

Everything Tony says, with an emphasis on not storing credit card data. I would never sleep at night if we were doing that. Unless you are Amazon or Wal-Mart, that's just not a good idea.

Or Target and we know how that went… :-)

The easiest PCI compliance test I ever took:



Bank - Do you store credit card data?

Me - No

Bank - You pass, here's your merchant account



But Harpersmoto, it is quite likely that your website has had some intrusion that left behind a process that is absconding with the payment data your customers are providing on checkout. No amount of changing passwords will help that problem. Take Tony's advice and PAY someone to find where the compromised code is. Tony knows the most likely places to look - hence only one hour of analysis is quoted.

Consumer confidence is almost impossible to regain once lost.

We really can't do automated processes because we don't have a way to calculate shipping cost for the website yet. I know there is an option to do it on the site, but we have over 30,000 items on the site we would have to edit and add dimensions and weights to in order to calculate shipping cost.

Tbirnseth, what would you charge for an hour then, I guess?

@harpersmoto - I don't quote publicly so you will have to request a quote (use the link in my signature).



Again I would ask what your PCI scans show…

Also check the obvious: who is entering and has access to the credit card data. Also, if you are entering credit card data on another computer to charge the client, make sure that computer is not compromised. I know you said you have a charge card scanner, just covering all directions.



Also be careful of what 3rd party addons you may have installed and what other software is installed on the same server. I had a serious issue where I had a WordPress blog off the root directory and it was compromised, which infected some other directories.



Scott

The cause of this security issue:

Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2 - Security - CS-Cart Community Forums

If you fixed this security issue before, maybe your website still has some shell files. You must manually scan your files on your server.

The credit card data is basically being stolen right after the customer places the order on our website. The card information is being used in Canada, Europe, and China.

I don't know what PCI scans are and have no idea how to even get you that information.

Also, we don't enter any credit card data on the computers. The customer enters their CC info on our website, we then take that CC number and manually type it into one of those card scanners.

And yes, I installed those updates after the attacks started to happen.

I don't know how to scan my files for this kind of stuff.

Strongly suggest you hire someone to help you. I'm surprised your merchant account provider is allowing you to keep doing business with this not being corrected.



Contact me via my site (ez merchant solutions:contact us) and I'll be happy to discuss this issue(s) with you and your options.

A PCI scan is where a security company (such as McAfee for example) scans your website for vulnerabilities related to the transmission of sensitive data used in ecommerce transactions. The scanning company will detail the vulnerabilities and suggest ways to fix them.



To be honest, if what is happening to your site was happening to mine, I'd completely shut the site down, have the server scanned and cleaned up, and then find a way to start up business again WITHOUT storing credit card data on the server.

While on this subject:

I only accept PayPal and bank transfer and do not accept or store credit card information at all.

Does this PCI compliance stuff apply to me?

It only applies to credit cards. PCI stands for Payment Card Industry.