The server side of this negotiation is now predominantly secured. The consumer-facing section is where companies are effectively handing out skeleton keys. Because these third parties generally invest less in security protocols than the website itself, they become the target for attacks. The benefit for the hackers is clear. Once they break the third party’s security, they have access to every single website that uses that service. In this case, Magecart.
No matter how rigorous your internal pen testing, code reviews and so on are, if you rely on a third party to process credit cards, you are susceptible to all attacks that hit them.
Fortunately, there are steps you can – and should – take if you are relying on any third party to make your site function.
Constantly monitor all third-party scripts on your site. Yes, this will take up some resources, and yes, it will not fix the problem, but without monitoring you are left totally in the dark.
Be very cautious when selecting third-party tools to use on your website. Closely examine the security processes and protocols of any company you are looking to work with. Only shortlist vendors with fully comprehensive security features.
Tightly control the access and permissions any third-party tool has. Using security prevention technology will insulate a website or application, its owners, visitors and user data from any insecure behaviour from compromised third parties. This has two advantages for an enterprise. Firstly, it secures the company. Secondly, it adds a layer of data control that is now required by compliance laws such as the recent GDPR.
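One way to put the monitoring and control steps above into practice, shown as an added example that is not code from the original article: it inventories the third-party scripts on a page and flags any that are unapproved, have changed since approval, or lack a pinned Subresource Integrity hash. The hosts, script bodies and baseline below are constructed sample data, and the use of SRI hashes as the approval record is an assumption of this example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def sri_sha384(body):
    """Hash in the format used by the Subresource Integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def audit(html, site_host, baseline, fetched):
    """Return (url, finding) pairs for third-party scripts on one page.
    baseline: {url: approved hash}; fetched: {url: body served right now}."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc
        if not host or host == site_host:
            continue  # first-party script, out of scope here
        if src not in baseline:
            findings.append((src, "not in approved inventory"))
            continue
        if sri_sha384(fetched[src]) != baseline[src]:
            findings.append((src, "content changed since approval"))
        if integrity != baseline[src]:
            findings.append((src, "missing or stale integrity attribute"))
    return findings

# Constructed sample data: hypothetical hosts and script bodies.
PAY_URL = "https://pay.example.net/checkout.js"
WIDGET_URL = "https://cdn.example.org/widget.js"
PAY_APPROVED = b"function pay(){/* approved build */}"
BASELINE = {PAY_URL: sri_sha384(PAY_APPROVED)}
PAGE = ('<script src="/static/app.js"></script>'
        f'<script src="{PAY_URL}" integrity="{BASELINE[PAY_URL]}"></script>'
        f'<script src="{WIDGET_URL}"></script>')

if __name__ == "__main__":
    changed = {PAY_URL: PAY_APPROVED + b";/* body differs from approval */"}
    print(audit(PAGE, "shop.example.com", BASELINE, changed))
```

Run on a schedule against the live checkout pages, the findings list gives the team something concrete to review each time a vendor's script changes.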
All of this takes time and resources away from scaling your company in order to make sure it is secure, which is why many organisations, large and small, will look to a Managed Service Provider to deliver a security suite, allowing an internal IT team to concentrate on value-added projects and growing the business.