Protect Your Store Now
Hackers stealing credit cards in bulk have redirected their efforts to ecommerce sites. The shift to online fraud is partly due to banks adding EMV chip technology to credit and debit cards, an effort to prevent mass credit card theft via point-of-sale systems (for example, the Target and Home Depot breaches).
As threat vectors evolve, it's important to educate our merchants and help them take action in protecting their customers and ecommerce businesses.
Traditionally, ecommerce platforms and content management systems that give merchants complete control of the checkout pages use a direct API connection to the payment gateway to process payments. However, if a hacker gains access to the page templates of your checkout flow (on any platform where you have access to the base page HTML, CSS and JavaScript), they can install JavaScript designed to scrape credit card details before they are sent to the gateway. This inconspicuous fraud process allows card numbers to be harvested without being noticed and without breaking the checkout.
Last year, the Payment Card Industry (PCI) Security Council enacted new standards that provide guidance on defending against the evolving hacker landscape. The increasing popularity of the JavaScript scraping attack vector led the PCI Council to update the guidelines that must be met to achieve PCI compliance via an SAQ-A.
PCI SAQ-A is a one-page, 10-question PCI compliance process that is only available to merchants who use certain PCI Certified technologies. With proper implementation, merchants can protect their online store and reduce their potential liability.
In order to qualify for an SAQ-A while running Miva Merchant as your ecommerce platform, a PCI Certified iFrame must be used to transmit credit card details to your payment gateway. With this iFrame method, credit card details are sent directly to the gateway without ever touching your checkout pages, even in memory, which eliminates the risk of JavaScript scraping at that point of the process.
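A sketch of what that iFrame integration looks like on the merchant's checkout page, as an added example that is not Miva's or any gateway's own code; the gateway origin, the hosted-form URL and the token message format are placeholders:

```html
<!-- Merchant checkout page (hypothetical). The card fields are NOT in this
     document: they live in a form served by the gateway from its own origin. -->
<form id="checkout" action="/checkout/complete" method="post">
  <iframe id="card-frame" title="Card details"
          src="https://gateway.example/hosted-card-form?merchant=MERCHANT_ID_PLACEHOLDER"></iframe>
  <input type="hidden" id="payment-token" name="payment_token">
  <button type="submit" id="pay" disabled>Pay</button>
</form>
<script>
  // Placeholder gateway origin; a real integration uses the gateway's documented origin.
  const GATEWAY_ORIGIN = 'https://gateway.example';
  const frame = document.getElementById('card-frame');

  // Same-origin policy: no script on the merchant page, injected skimmer included,
  // can read the inputs inside a cross-origin iframe. contentDocument is null and
  // touching contentWindow.document throws a SecurityError.
  function cardFieldsReachable() {
    try {
      const doc = frame.contentDocument || frame.contentWindow.document;
      return doc !== null && doc.querySelector('input') !== null;
    } catch (e) {
      return false;
    }
  }

  // Only a one-time token crosses back to the merchant page (assumed message
  // shape: { token: '...' }). Check the sender's origin before trusting it.
  window.addEventListener('message', (event) => {
    if (event.origin !== GATEWAY_ORIGIN) return;
    if (!event.data || typeof event.data.token !== 'string') return;
    document.getElementById('payment-token').value = event.data.token;
    document.getElementById('pay').disabled = false;
  });

  console.log('card fields readable from merchant page:', cardFieldsReachable());
</script>
```

By contrast, a direct-API checkout keeps the card inputs in the merchant's own document, where any script in the page template can read their values on submit.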
PCI compliance can still be achieved via the direct connection method using an SAQ-D and an approved PCI Council on-site auditor, which is different from simply being scanned (the quarterly PCI scans often pushed by merchant account vendors do not provide any actual protection, guarantee of compliance, or limitation of liability). The full audit method is very expensive and onerous; realistically, only the largest online retailers, those that maintain and run their own hosting infrastructure, use it.
Miva offers three secure payment solutions native to our ecommerce platform that qualify for a PCI SAQ-A.
Contact your Account Manager or fill out the form below and a member of our team will follow up with you to ensure your Miva store is PCI compliant.