Miva Security Bulletin

Protect Your Store From the Threat of Credit Card Scraping.

Hackers stealing credit cards in bulk have redirected their efforts to ecommerce sites. The shift to online fraud is partly due to banks adding EMV chip technology to credit and debit cards, an effort to prevent mass credit card theft via point-of-sale systems (e.g., the Target and Home Depot security breaches).

As threat vectors evolve, it's important to educate our merchants and help them take action in protecting their customers and ecommerce businesses.

Hackers' Tools Are Evolving.

Traditionally, ecommerce platforms and content management systems that give merchants complete control of the checkout pages use a direct API connection to facilitate payment via the payment gateway. However, if a hacker gains access to the page templates of your checkout flow (on any platform where you have access to the base page HTML/CSS and JavaScript), they can install JavaScript designed to copy card details before they are sent to the gateway. This inconspicuous fraud process allows card numbers to be harvested without being noticed and without breaking the checkout.

New Security Standards for Maximum Protection.

Last year, the Payment Card Industry (PCI) Security Council published new standards with guidance on defending against the evolving hacker landscape. The increasing popularity of the JavaScript scraping attack vector led the PCI Council to update the guidelines a merchant must meet to achieve PCI Compliance via an SAQ-A.

What is an SAQ-A?

PCI SAQ-A is a one-page, 10-question PCI compliance process that is only available to merchants who use certain PCI Certified technologies. With proper implementation, merchants can protect their online store and reduce their potential liability.

How to Achieve PCI Compliance via an SAQ-A?

In order to qualify for using an SAQ-A while running Miva Merchant as your ecommerce platform, a PCI Certified iFrame must be used to transmit credit card details to your payment gateway. This iFrame method sends credit card details directly to the gateway without the card data ever touching your checkout pages, even in memory. This eliminates the risk of card data being scraped by JavaScript on the checkout page.
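As an added example (not Miva's or any gateway's code), the check below parses a checkout template and flags what the two sections above describe: card fields living on the merchant's own page, and scripts the merchant did not expect there; the allowed script origin and the two sample templates are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist: the only origins expected to serve scripts on checkout.
ALLOWED_SCRIPT_ORIGINS = {"https://gateway.example.test"}
# Field names that indicate raw card data is collected on the merchant's own page.
CARD_FIELD_HINTS = ("card_number", "cardnumber", "cc_number", "cvv", "cvc", "expiry")

class CheckoutTemplateAudit(HTMLParser):
    # Records findings a defender would review before trusting a checkout template.
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_inline_script = True  # body arrives via handle_data
            else:
                u = urlsplit(src)  # protocol-relative "//host" gives an empty scheme
                if u.netloc and f"{u.scheme}://{u.netloc}" not in ALLOWED_SCRIPT_ORIGINS:
                    self.findings.append(f"unexpected external script: {src}")
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_FIELD_HINTS):
                self.findings.append(f"card field on merchant page: {name}")

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.findings.append(f"inline script: {data.strip()[:40]!r}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

def audit_checkout_template(html):
    # Returns a list of findings; an empty list means nothing unexpected was seen.
    parser = CheckoutTemplateAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples: a direct-post checkout and a hosted-iframe checkout.
DIRECT_POST_CHECKOUT = ('<form action="/checkout/pay" method="post"><input name="card_number">'
    '<input name="cvv"><script src="https://cdn.not-the-gateway.test/a.js"></script>'
    '<script>console.log("checkout")</script></form>')
IFRAME_CHECKOUT = ('<iframe src="https://gateway.example.test/hosted-fields"></iframe>'
    '<script src="https://gateway.example.test/sdk.js"></script>')
```

Running this against a stored baseline of each checkout template on a schedule turns an unnoticed template edit into a reviewable finding.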

PCI Compliance can still be achieved via the direct connection method using an SAQ-D and an approved PCI Council on-site auditor, which is different from simply being scanned (the quarterly PCI scans often pushed by merchant account vendors do not provide any actual protection, guarantee of compliance, or limitation of liability). The full audit method is very expensive and onerous. Realistically, only the largest online retailers, those that maintain and run their own hosting infrastructure, use the full audit method.

How to Protect Your Miva Store?

Miva offers three secure payment solutions native to our ecommerce platform that qualify for a PCI SAQ-A.

We're Here to Help

Contact your Account Manager or fill out the form below and a member of our team will follow up with you to ensure your Miva store is PCI compliant.

Copyright © 1997 – 2024 Miva®, Miva Merchant®, MivaPay®, MivaCon®, Camp Miva®, Miva Connect®, Miva, Inc. All Rights Reserved.