One of the biggest challenges for SaaS startups is how to accept payments online. We have already covered the major payment gateways that startups in the US, Europe, Australia and Asia can use. However, some companies opt to store their customers’ credit card data in-house. Why would you want to use an in-house database as your credit card vault? And is using a database to store credit card information safe?
Some startups like 37 Signals switched from using third-party payment processors to custom in-house systems. However, other companies have tried using in-house systems with disastrous consequences. Headlines often detail companies crippled by a breach of data security. Whether it is a large-scale attack or simply a case of an employee abusing access to sensitive cardholder information, the results can be devastating.
Cardholder data stored in a company’s database is exposed to a number of internal and external risks. Companies that fail to safeguard cardholder data not only lose their customers’ confidence, but can also be slapped with heavy fines for being non-PCI compliant and face other legal problems.
Risk of Storing Credit Card Data in Databases
According to the 2012 Verizon Data Breach Report (PDF), databases have the highest rate of breaches among all business assets. The report shows that approximately 96% of records breached are from databases. On the same note, the Open Security Foundation revealed that 242.6 million records were potentially compromised in 2012.
Hackers and malicious insiders target databases for one simple reason: it is where customer records and other confidential business data are stored. When malicious third parties access cardholder data, they can quickly extract value, disrupt business operations or cause massive damage.
Many startups do not invest in database security as they should. According to IDC, companies spent less than 5% of 27 billion on security products related to addressing database security in 2011. The vulnerability of databases stems from their technology. Below are some reasons why you should not use your database as a credit card vault.
i) Unused or Excessive Privileges
When employees are given more privileges than their job functions require, they can abuse the privileges. For example, a customer success team member whose job function requires the ability to change customer contact information may take advantage of excess privileges and increase a customer’s account balance.
On the same note, companies often forget to revoke the database privileges of employees who leave. If the employees depart on bad terms, they can use their former privileges to inflict damage or steal high-value data.
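The review this section calls for can be automated. The following is an added example, not code from the original article: it compares an export of database grants against an HR roster and a per-role baseline, and the role names, object names, users and the `review_grants` helper are all hypothetical, constructed data.

```python
# Constructed least-privilege baseline: job role -> allowed (object, action) pairs.
ROLE_BASELINE = {
    "customer_success": {("customers.contact_info", "SELECT"),
                         ("customers.contact_info", "UPDATE")},
    "billing": {("accounts.balance", "SELECT"),
                ("accounts.balance", "UPDATE")},
}

# Constructed HR roster: database user -> job role and employment status.
ROSTER = {
    "dana": {"role": "customer_success", "active": True},
    "eli": {"role": "billing", "active": True},
    "finn": {"role": "billing", "active": False},  # left the company
}

# Constructed export of current database grants: (user, object, action).
GRANTS = [
    ("dana", "customers.contact_info", "UPDATE"),
    ("dana", "accounts.balance", "UPDATE"),   # beyond a support role
    ("eli", "accounts.balance", "UPDATE"),
    ("finn", "accounts.balance", "SELECT"),   # never revoked after departure
    ("gail", "accounts.balance", "SELECT"),   # not on the roster at all
]

def review_grants(grants, roster, baseline):
    """Return (user, object, action, reason) for every grant that should be revoked."""
    findings = []
    for user, obj, action in grants:
        person = roster.get(user)
        if person is None:
            reason = "unknown account"
        elif not person["active"]:
            reason = "employee has left"
        elif (obj, action) not in baseline.get(person["role"], set()):
            reason = "exceeds role baseline"
        else:
            continue  # grant matches the role's job function
        findings.append((user, obj, action, reason))
    return findings

if __name__ == "__main__":
    for finding in review_grants(GRANTS, ROSTER, ROLE_BASELINE):
        print(finding)
```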
ii) Privilege Abuse
Authorized users may abuse database privileges for unauthorized use. For example, an employee may be granted access to the database with certain limitations such as disabled printing and saving of electronic copies. However, these limitations can be circumvented by connecting the database with an alternative client such as Excel, enabling retrieval and printing of the data in the database.
iii) SQL Injection
SQL injection attacks are usually carried out by hackers and can give them unrestricted access to databases. For SaaS companies, this is even more dangerous, given that the injections can be delivered through a vulnerable web app or stored procedure. When the malicious statements are injected and executed, the stored data can be viewed, copied or altered.
iv) Malware
Another common way databases are compromised is through malware. It is usually used by spies, state-sponsored hackers and cybercriminals, and includes spear phishing emails sent to steal data. Usually, the malware is delivered as a file and executed when an unaware user opens the file.
v) Weak Audit Trail
Part of the database deployment should be automated recording of transactions involving cardholder data. Failure to collect detailed audit records can be risky to your startup in many ways. For example, you may find your business on the wrong side of government and industry regulatory requirements. In particular, companies that accept credit card payments online are required to be PCI-compliant. Failure to comply can result in heavy fines.
vi) Storage Media Exposure
Any data that is stored on backup storage media is often completely exposed to an attack. There are many cases where security breaches have involved theft of database backup tapes and disks. Recent notable cases include the Swisscom and Science Applications International Corporation (SAIC) database thefts. While no credit card data was stolen in the two cases, imagine what the situation would have been if it had been.
vii) Exploitation of Misconfigured Databases
It is common to find databases that still have default configurations and accounts. Attackers know how to exploit these vulnerabilities to get data from the databases. Most organizations do not patch their databases with the latest security upgrades in time. In most cases, it takes several months for a database to be patched, especially if it contains enormous amounts of data and the patch may lead to some downtime. During the period that the database remains unpatched, attackers can launch attacks.
A 2012 report by the Independent Oracle User Group (IOUG) indicates that 28 percent of Oracle users have never applied an important security patch or are not sure whether they have done so. Moreover, 10 percent of users say they take a year or longer to apply security patches.
viii) Limited Security and Expertise Education
The online security environment is constantly evolving and service providers strive to stay ahead of hackers. However, the internal security controls at most businesses are not keeping pace with data growth and security technologies. Most companies are ill-equipped to deal with a security breach. This is often due to the lack of expertise required to implement training, policies and security controls.
The 2012 Information Security Breaches Survey report by PWC indicated that 54% of small businesses do not educate their staff about database security risks. On the same note, 75% of organizations surveyed experienced staff-related breaches due to poorly understood security policies.
Keeping Credit Card Data Safe
The cost of keeping credit card data safe is enormous for any new company. Developing your own billing system can delay your launch date by months and significantly increase your costs. Moreover, there are many robust third-party online payment gateways that will fit your requirements. We already covered the pros and cons of building vs. buying an existing payment billing system.
When choosing a billing system, there are a couple of things you should consider. The most important one is whether the service provider is PCI-compliant. Apart from this, you can look at other factors such as transaction charges, set up and related transaction fees, ability to customize the checkout pages, among others.
Most third party gateway systems will enable you to start receiving payments within a few hours to a few days. In fact, some providers only require you to add a line of code on your pages to integrate their payment gateway.