Charge Anywhere, a New Jersey-based payment processor, divulged late last night that it had been hacked, and that cyberattackers may have been quietly yet efficiently taking unencrypted data from them for up to five years. (Five years!)
There’s so much wrong with that sentence that it's hard to know where to start.
First, payment processors are typically one of the most trusted parts of the payment process. While data breaches like the ones at Target and Home Depot have exposed the limitations of point-of-sale (POS) terminals, those problems can be fixed by simply upgrading your POS terminal. Yesterday, we wrote about the advantages of the new EMV standard for in-store purchases as it is slowly adopted in the US, but warned that fraud will shift to e-commerce.
This hack is a different beast — it almost completely falls on the payment processor. Merchants trust their processor to handle their customers’ credit card information securely. However, thanks to the lack of foresight by this payment processor, the hackers gained access to the customer name, card number, expiration date, and verification code for transactions conducted over the last five years. That’s…a lot, to say the least.
A full list of merchants isn’t available because, as The Hill writes, “it’s difficult to know which consumers are potentially affected since Charge Anywhere works with so many partners.” The company has created a searchable database because so many merchants may be involved.
However, multiple news outlets have attempted to get a few names of the merchants in this database, and the company has yet to respond to their requests. SecurityWeek writes that their customer base includes “large enterprises, developers, and independent sales organizations.”
The more alarming bit of the news is that Charge Anywhere was handling unencrypted credit card data, which is akin to playing with fire. Yes, some of their data is encrypted, but, as the company’s press release notes, the hackers found ways to get around that.
Security expert Brian Krebs writes, “the incident is the latest reminder of what happens to businesses that handle credit card data and other sensitive information and yet fail to fully encrypt the data as it traverses their network.” As a payment processor, Charge Anywhere (and others) should be utilizing the most advanced security they can get their hands on. Using unencrypted data for payment information is highly irresponsible on Charge Anywhere’s part.
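The practical check behind Krebs’s point is whether card numbers ever appear in the clear on your own network or in your own logs. The following is an added example, not code from the article or from Charge Anywhere: it scans captured request bodies or log lines for digit runs that pass the Luhn checksum (which real card numbers do, and most order IDs and timestamps do not) and reports them masked. The sample payloads are constructed for the example; the test card numbers used are the well-known public test values, not real accounts.

```python
import re

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.  Runs longer than 19 digits
# are deliberately ignored (they are not card numbers).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as PCI masking rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: str) -> list[str]:
    """Return masked card numbers found in cleartext in one payload."""
    found = []
    for m in _CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan_payloads(payloads: list[str]) -> dict[int, list[str]]:
    """Map payload index -> masked PANs, for every payload that leaked one."""
    hits = {}
    for idx, payload in enumerate(payloads):
        pans = find_cleartext_pans(payload)
        if pans:
            hits[idx] = pans
    return hits


# Constructed sample traffic (hypothetical, not from the breach):
SAMPLE_PAYLOADS = [
    # 0: full card data sent in a plain HTTP form body
    "POST /txn HTTP/1.1\r\ncard=4111111111111111&exp=1216&cvv=123&name=J+Doe",
    # 1: a timestamp-style order id; 14 digits but Luhn-invalid, so ignored
    "order_id=20141209123456 total=4999 status=ok",
    # 2: a tokenized reference; no raw PAN present
    "txn=ok token=9f8a7b6c-4d3e-2f1a-b0c9-d8e7f6a5b4c3",
    # 3: a spaced PAN in a log line
    "2014-12-09 12:34:56 DEBUG auth request pan=5500 0000 0000 0004 amt=1299",
]

if __name__ == "__main__":
    for idx, pans in scan_payloads(SAMPLE_PAYLOADS).items():
        print(f"payload {idx}: cleartext card data {pans}")
```

Run it against a decrypted capture from your own network, or against application logs, on a schedule; any hit means card data is traversing or being stored in the clear, which is exactly the condition this breach illustrates. Luhn filtering keeps most numeric identifiers out of the results, but a Luhn-valid non-card number is still possible, so treat hits as leads to confirm rather than as proof on their own.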