Warning: Fully hosted checkouts are NOT as safe as you might believe…

20 August 2021

If you operate an online checkout on your website, it’s possible that you handle hundreds of thousands of sales each year. Whatever your transaction volume is, it is fundamentally important to remember that your customers are trusting you with their private data, and it’s your duty as a ‘data processor’ to manage this information securely. Failure to do so can result in significant penalties if you are identified as the victim of a data breach or are found to be non-compliant with the Payment Card Industry Data Security Standard (PCI DSS) requirements… not to mention the financial and reputational costs of such a violation.

Many companies genuinely consider that fully hosted checkouts are the answer, believing that they provide users with all the security needed to manage cardholder data securely. The assumption is that because the code is hosted by a third party your data is completely safe.

Unfortunately, this not the case. As with many other areas of technology, attack methods have evolved. You may not be directly processing card details anymore, but your card payment flow can still be attacked. You must implement security measures to protect the entire workflow and combat malicious attackers. To help and support you on your PCI compliance journey, we have compiled a list of the security measures you should instigate to protect cardholder data workflow.

1. Know exactly which third parties interact with your website

It’s an essential first step to know exactly who and what is coming in and out of your site. This doesn’t mean access to the website, instead it means what actually feeds into the website. For example, many websites have links to social media platforms such as Facebook, LinkedIn, YouTube as well as Google tracking and so forth.

Merchants should know what third parties are interacting with their website. Best practice is to keep a record or whitelist of ‘good’ or trusted third parties to use. This would ultimately be a good reference point to have.

2. Utilise a web application firewall

It’s important to utilise a web application firewall (WAP) on your web server. A web application firewall is similar to a physical firewall, but instead it only focuses on the application levels, such as the software that’s running a website. It searches for indicators of compromise (IOCs) on your behalf, along with specific attacks and the traffic that’s coming in and out of your webpage.

3. Invest in good anti-virus software

It’s a case of going back to basics, but you would be amazed at how many companies do not have anti-virus (AV) software on their web servers. Antivirus software is olden but golden.

The all-too-common assumption is that if you’re using another operating system, such as Mac or Linux, you won’t be affected by malware. Another common mistake is thinking that if you’re not using or running a desktop, you won’t need AV. Because of this, many merchants who don’t have AV on their web servers frequently contact us in a panic when things have gone wrong.

AV software is useful in many ways, but perhaps most importantly for picking up malicious domains which could be useful for hackers wishing to use a skimming code. Finance is of course a significant factor when it comes to cyber security, but there are numerous effective open-source software solutions available on the market.

4. Conduct file integrity monitoring wherever possible

This cyber security software solution monitors core files and ensures that they haven’t changed and/or that no substantial changes have been made to them.

Generally, file integrity monitoring (FIM) software will alert you if changes have been made, but the main idea is that a developer should know if they haven’t made a change and they then receive an alert that a change is made. This is an immediate flag of suspicious activity.

There are many solutions out there that can be set up to send email notifications when a change has been detected. In addition to FIM software, it’s a good idea to keep an eye on your files and ensure that only legitimate ones are making their way into or around your web server. This can assist with suspicious items being added to payment pages.

There are also ‘seasonal opportunities’ for attackers that you should be aware of. Around Christmas time, for example, hackers commonly hide malware in sales banners added to the bottom of a website. Often this involves providing customers with a discount code for use at checkout. Whatever page you go onto on a website, the same banner can still be visible at the bottom. You can input a code to ensure that this banner runs on every page across your entire website, or the unsuspecting checkout user could fall prey to this hack.

5. Employ test transactions regularly

Viewing the checkout on your live website should be an essential piece of your regular security housekeeping regime. This should be conducted on a regular basis, bi-weekly or monthly is the recommended amount. You should be reviewing your website via a browser, just as a customer would, and you should go through and analyse the checkout process.

This sounds obvious, but we have dealt with cases where fake checkouts have been installed and no-one has noticed because people are not checking their own website. Remember, a customer doesn’t necessarily know what the checkout should look like.

Broad knowledge and understanding of your own system – knowing exactly what’s going on and what’s ‘normal’ – could be the only thing standing between your company and a costly PCI penalty breach. Good housekeeping is a crucial part of ensuring that you remain on top of your checkout process, and there are many automated services to help alleviate the pressure from you.


IntaForensics provides a comprehensive range of cyber security services designed to prevent, monitor, and respond to security breaches.

We boast a team of 50 cyber security and digital forensic experts and a growing market presence. Our consultants will be able to assist with all digital forensic investigations, PCI DSS QSA and PFI, cyber security and incident response.

Quality underpins everything we do, and we are proud to be UKAS 17025:2017 accredited and ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015 certified.

To find out more about our services Tel: 0247 77 17780 to speak with a member of our team or fill-in our online contact form.

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission