5

My fiancee was browsing a website (www.medievalbridalfashions.com) and about to make a purchase when I noticed something. During checkout, everything appeared to be getting sent over plain HTTP.

I made a dummy account, went through the checkout process, fired up Wireshark and looked at the packet that was sent and the CC info was in plain text, along with expiration date, and security code.

Is this as big of a problem as I'm making it out to be? I am by no means a security expert, but sending unencrypted credit card information over the Internet makes me a bit uneasy.

EDIT: I appreciate everyone's answers. We're going to call her bank tomorrow to get a new card issued. We'll also try to contact the merchant and notify them. Thanks!

TylerZPD
  • 59
  • 1
  • 3
  • 1
    Although the risk of the data being caught is relatively low, this is a credit card account we're talking about. If someone happens to be using this website on an unprotected or shared wifi, their credit card information could easily be abused. So yes, I'd say it's a very legitimate concern and you should notify them about this. Depending on the country, I can imagine a victim could sue them for neglect or something along those lines. – Luc Jan 10 '14 at 00:26
  • @Luc To expand on your last point, if they are breaking PCI DSS the acquiring bank may pass fines down: http://www.pcicomplianceguide.org/pcifaqs.php#11 – itscooper Jan 10 '14 at 00:54
  • Answers to your question already exist at ["Is it compulsory to have https on e-commerce site?"](http://security.stackexchange.com/questions/33783/is-it-compulsory-to-have-https-on-e-commerce-site) and ["Securing an E-commerce site"](http://security.stackexchange.com/questions/1215/securing-an-e-commerce-site) – Adi Jan 10 '14 at 02:03
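The question observes card data "in plain text" on the wire. As an added example (not code from the question, the answers, or the site being discussed), the Python below shows the check a defender's egress monitor or DLP rule would apply to a captured cleartext HTTP request body: URL-decode it, pull out digit runs of plausible PAN length, keep only the ones that pass the Luhn check, and report them masked (first six and last four digits) rather than in full. The request body and the test PAN 4111111111111111 are constructed; the order number is chosen so that it fails Luhn and is not reported.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of a checkout POST body as it would travel over plain HTTP.
# 4111111111111111 is a well-known test PAN; the order number is not a card number.
SAMPLE_HTTP_BODY = (
    "name=Jane+Doe&ccnum=4111+1111+1111+1111&exp_month=01&exp_year=2015"
    "&cvv=123&order=1234567812345678"
)

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes
# (assumed shape of a PAN; the lookarounds stop us matching inside longer numbers).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, as PCI DSS masking allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(body: str) -> list[str]:
    """Return masked PANs found in a cleartext (e.g. HTTP form-encoded) request body."""
    decoded = unquote_plus(body)  # '+' and %XX escapes become their characters
    found = []
    for match in CANDIDATE_RE.finditer(decoded):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


if __name__ == "__main__":
    for pan in find_cleartext_pans(SAMPLE_HTTP_BODY):
        print("cleartext cardholder data detected:", pan)
```

The Luhn filter is what keeps the rule from firing on every 16-digit order or tracking number; a real monitor would additionally alert on the destination (any host receiving such bodies over port 80) rather than just log the match.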

5 Answers

6

Yes, it's a big problem. It's insecure, and it's a violation of PCI DSS 4.1:

> 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

You can notify them that they're out of compliance, but the odds are they already know that. If you can determine who their acquirer or processor is, you can try and notify them, as they're the ones who actually get fined if a breach occurs (...and they then pass fines down to the merchant(s) involved). Overall, though, the PCI DSS structure is designed to encourage security and punish responsible parties, not to enforce security.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
3

The First Commandment of E-Commerce is:

Thou shalt use HTTPS.

PCI DSS requires that cardholder information sent over open, public networks be appropriately encrypted (§ 4.1).

For SSL/TLS implementations, examine system configurations to verify that SSL/TLS is enabled whenever cardholder data is transmitted or received. For example, for browser-based implementations:

  • “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and
  • Cardholder data is only requested if “HTTPS” appears as part of the URL.

Fail to do this, and anyone anywhere between the two endpoints (you and the web site, in this case) can snatch your credit card information off the wire.

This is almost certainly a violation of the merchant's agreement with their merchant account provider/bank.

Michael Hampton
  • 3,877
  • 1
  • 22
  • 32
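The PCI DSS testing procedure quoted in this answer is something a merchant (or a customer before typing a card number) can check mechanically. As an added example, not code from this answer or from the standard, the Python below parses a checkout page, finds every form that requests card fields, and reports any such form that is either served from a non-HTTPS page or submits to a non-HTTPS action. The page URL, the HTML and the field-name patterns are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed checkout page: a harmless search form plus a payment form that
# posts card data to a plain-HTTP endpoint, served from a plain-HTTP page.
PAGE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
<form action="http://shop.example/process.php" method="post">
  <input type="text" name="cardholder_name">
  <input type="text" name="ccnum">
  <select name="exp_month"></select>
  <select name="exp_year"></select>
  <input type="text" name="cvv">
  <input type="submit" value="Pay">
</form>
</body></html>
"""

# Input names that suggest cardholder data is being requested (assumed patterns).
CARD_FIELD_RE = re.compile(r"card|ccnum|pan|cvv|cvc|csc|expir|exp_?(month|year|date)", re.I)


class FormCollector(HTMLParser):
    """Collect each form's action and the names of the inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_checkout(page_url: str, html: str) -> list[dict]:
    """Return one finding per form that requests card data without HTTPS end to end."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        card_fields = [f for f in form["fields"] if f and CARD_FIELD_RE.search(f)]
        if not card_fields:
            continue  # not a payment form
        target = urljoin(page_url, form["action"])  # empty action submits to page_url
        target_scheme = urlsplit(target).scheme.lower()
        reasons = []
        if page_scheme != "https":
            reasons.append(f"card fields requested on a non-HTTPS page ({page_scheme})")
        if target_scheme != "https":
            reasons.append(f"form submits card data over {target_scheme or 'unknown scheme'}")
        if reasons:
            findings.append({"target": target, "fields": card_fields, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_checkout(PAGE_URL, SAMPLE_HTML):
        print(finding["target"], finding["fields"], finding["reasons"])
```

Both checks matter: a page loaded over HTTPS can still carry a form whose action points at an http:// URL, in which case the browser sends the card data in cleartext anyway, so resolving the action with `urljoin` and inspecting its scheme is the part that catches the case the address bar hides.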
1

Yes, this is a serious problem. Not only is the data easily accessible by anyone sniffing the connection, but using HTTPS is such a basic measure that not using it indicates that they have no idea what they're doing, and there is a very good chance that even bigger issues may also be present. For instance, I'd expect a website that accepted credit card data over HTTP to be storing it in a similarly stupid and unsafe manner. I'd stay far, far away from any merchant that could implement something so basic as this.

Additionally, as @itscooper mentioned in the comment, this is a clear PCI-DSS violation, and they could be fined, or lose their merchant account (and ability to accept credit cards) over it.

Xander
  • 35,525
  • 27
  • 113
  • 141
1

From a technical perspective it presents a significant security risk to cardholder data. It will be transported across the internet in cleartext. Any malicious entity that is monitoring traffic along this path would be able to capture the PAN and other card details. Persons making payments whilst on public/open networks or compromised private networks (e.g. home/work) would be most vulnerable.

From a compliance perspective, all entities that process, store or transmit cardholder data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4.1 is as follows:

> Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks...

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

As I understand it, the acquiring bank can be fined for breaking these requirements, which they are likely to pass down to the merchant.

itscooper
  • 2,230
  • 13
  • 15
0

It is definitely a problem. Not only is it putting the customer's card data at risk (yours), but it is a violation of the merchant's agreement with their card processor, which always requires PCI compliance, and one of the requirements is that card data be encrypted when going over public networks.

Tracy Reed
  • 618
  • 4
  • 5