Ecommerce Malware Spread Indicates Widespread Failure To Follow Core Security Guidelines Warns RandomStorm
Compliance and security management specialist RandomStorm has commented on the spread of malware across ecommerce sites, which indicates that organisations are still failing to heed the core requirements of the Payment Card Industry Data Security Standard (PCI DSS).
Security researchers at Armorize reported that more than 8 million web pages have been infected by the malware, which exploits a known vulnerability in version 2.2 of the popular osCommerce platform, used by many smaller online retailers. A patch was made available in 2010, and the rapid spread of the malware indicates that merchants are not keeping common applications current with the latest security updates.
Andrew Mason, co-founder and Technical Director of RandomStorm, commented: “The rapid spread of the Willysy ecommerce malware is very worrying as it indicates that merchants are not following two of the core requirements of the PCI DSS: to ‘develop and maintain secure systems and applications’ and to ‘regularly test systems and processes’ to identify any new vulnerabilities and to apply patches as soon as they are released. If they’re not doing this, it leads me to wonder whether they are following the other ten core requirements for securing customers’ payment card data.”
RandomStorm is a government-approved CESG CHECK scheme member. CHECK-qualified staff undertake vulnerability testing on public sector IT systems that store protectively marked information up to and including ‘Confidential’. The company has also been certified as a Qualified Security Assessor (QSA) by the Payment Card Industry Security Standards Council, enabling RandomStorm personnel to carry out audits that verify merchants’ compliance with the PCI DSS.