Bibliofind, the Amazon.com Inc. subsidiary for buyers and sellers of used and hard-to-find books, last week disclosed that 98,000 customer credit card numbers it stored in its servers were repeatedly stolen between last October and this February.
It took a defacement to its Web site by a hacker last month to compel Bibliofind to undertake the investigation of its network logs and servers, which uncovered that a hacker had been breaking in to steal customer data for at least five months. The company doesn't process credit card transactions, but stored the customer card data to provide to sellers. Due to the card theft, Bibliofind has stopped storing customer card data and is waiving the US$25 fee it was charging booksellers for the service.
The hacker break-in - which may be an inside job, Bibliofind acknowledges - forced the company to distribute a mass e-mail apology last week to customers, breaking the bad news that their credit card numbers had been stolen. The incident comes as Visa International Inc. is trying to get e-commerce merchants by May to undergo a systematic security check of their networks, as detailed in a 12-point plan.
Visa's demand, first articulated last fall, is for e-merchants to follow 12 security procedures, including encrypting stored credit card data, using antivirus software and tracking access to data by a unique ID. Visa wants to certify compliance on an ongoing basis by having security firms make on-site visits and run remote network scans.
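Two of the procedures listed above, encrypting stored card data and attributing every access to a unique ID, can be seen together in the following added example. It is not code from the article, from Visa's plan or from any of the firms named here; the choice of AES-256-GCM, the 32-byte key assumed to come from an external key store, and the `CardVault`, `Store`, `Reveal` and `AccessEvent` names are all this editor's assumptions. The card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AccessEvent is one audit-log record: who touched which stored card, what they did, and when.
type AccessEvent struct {
	UserID  string
	CardRef string
	Action  string
	At      time.Time
}

// CardVault holds card numbers only as AES-256-GCM ciphertext (nonce||ciphertext per record)
// and appends an audit record for every store and every decryption, keyed by the accessor's ID.
type CardVault struct {
	aead    cipher.AEAD
	records map[string][]byte
	Log     []AccessEvent
}

// NewCardVault takes a 32-byte key that is assumed to live outside the vault (an HSM or KMS).
func NewCardVault(key []byte) (*CardVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead, records: make(map[string][]byte)}, nil
}

func (v *CardVault) audit(userID, cardRef, action string) {
	v.Log = append(v.Log, AccessEvent{UserID: userID, CardRef: cardRef, Action: action, At: time.Now()})
}

// Store encrypts a PAN and returns an opaque reference that other systems can
// pass around instead of the number itself.
func (v *CardVault) Store(userID, pan string) (string, error) {
	if userID == "" || pan == "" {
		return "", errors.New("store needs an attributed user ID and a PAN")
	}
	ns := v.aead.NonceSize()
	buf := make([]byte, ns+8) // fresh nonce plus 8 random bytes for the reference
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce, cardRef := buf[:ns], hex.EncodeToString(buf[ns:])
	// The reference is bound in as associated data, so a ciphertext cannot be
	// swapped into a different record without failing authentication.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(cardRef))
	v.records[cardRef] = append(append([]byte{}, nonce...), ct...)
	v.audit(userID, cardRef, "store")
	return cardRef, nil
}

// Reveal decrypts a stored PAN for a named user and logs the access, or the failed attempt.
func (v *CardVault) Reveal(userID, cardRef string) (string, error) {
	if userID == "" {
		return "", errors.New("access must be attributed to a unique user ID")
	}
	blob, ok := v.records[cardRef]
	if !ok {
		return "", errors.New("unknown card reference")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(cardRef))
	if err != nil {
		v.audit(userID, cardRef, "reveal-failed")
		return "", err
	}
	v.audit(userID, cardRef, "reveal")
	return string(pan), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real deployment would fetch it from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewCardVault(key)
	ref, _ := v.Store("clerk-17", "4111111111111111") // constructed test PAN
	pan, _ := v.Reveal("seller-42", ref)
	fmt.Println(pan)
	for _, e := range v.Log {
		fmt.Printf("%s %s %s %s\n", e.At.Format(time.RFC3339), e.UserID, e.Action, e.CardRef)
	}
}
```

The point of the design is that the stored record is useless without the key, that a server-room or database compromise of the kind Bibliofind suffered yields ciphertext rather than card numbers, and that every decryption leaves a log line naming a person, which is what makes an inside job detectable after the fact.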
Because banks provide Visa services directly to merchants, Visa has been pressing banks to get e-merchants to undergo the audit, which can be done by any security firm. Visa has a list of preferred providers, though, including Internet Security Systems Inc. (ISS), the Big Five accounting firms, Global Integrity and Exodus Communications Inc., which bought its way into security by acquiring the professional practices arm of Network-1 Security Solutions Inc.
"Right now, we're focusing on the top 100 e-commerce merchants because they represent 70 percent of Visa card business online," says Jean Bruesewitz, a Visa senior vice president. "We expect every single one of them to be in compliance by May." Later, Visa will start pressing smaller companies and international e-commerce firms to undergo security audits.
Merchants unwilling to comply could see restrictions imposed on Visa card use at their sites, Bruesewitz warns.
So far, none of the large e-commerce merchants, such as Amazon.com, have managed to make it through Visa's security check, though some began the process in November.
ISS, which worked out a special group-plan rate with Visa for conducting the security inspection of e-merchants, offers some insight as to why this is so.
The types of vulnerability testing that ISS routinely conducts for internal systems and at the firewall would reveal technical weaknesses that can usually be remedied fairly quickly, according to Greg Grant, ISS director of marketing programs and strategic alliances.
"But policies and procedures, which we review under the audit, can take much longer," he says. "And if they don't have hardened physical security around server rooms where credit cards are stored - something Visa expects - it can take several months, plus at least $100,000, to do that."
Under the group plan with Visa, ISS is offering discounts of between 35 percent and 85 percent for the assessment, which might otherwise cost up to $60,000, without separate fees for a battery of technical scans.
In the next few months, Visa will press ISPs, card transaction services and others that routinely handle credit cards online to undergo security audits, too.
Visa often declined to discuss details about online credit card fraud in the past, but now underscores how serious the problem is.
While the overall fraud rate accounts for 7 cents out of each $100 in sales, the rate is believed to be three or four times higher for e-commerce transactions.
Sometimes it's hard to know if a card-based transaction originated on the Internet, but Visa now requires merchants and service providers to use an "electronic-commerce indicator" to mark the transaction as originating online.