Beyond PCI: Digital Downloads and Security

December 14, 2011

‘Tis the season to be wary. There are a lot of reports going around about how to be more secure and safe in your holiday shopping. Shoppers are watching out for credit card and debit card scams, and they are being careful. But the criminals are adapting, and the danger goes beyond phishing e-mails and retail shopping. So today, The Official Merchant Services Blog is here to talk about a particularly interesting development in security issues: video games.

We are in the midst of a very brisk holiday shopping season. Credit cards and debit cards are being swiped at record rates. Black Friday turned into Cyber Monday, which then turned into Cyber Week. E-commerce, particularly mobile payments, was breaking sales records. Amid this purchasing frenzy, blockbuster new video games are getting snapped up quickly. Games like Skyrim and Star Wars: The Old Republic are being rabidly purchased as gifts for gamers.

But these new video games come with some big picture concerns that consumers need to pay attention to: namely, security breaches that compromise their credit card information.

That danger is related less to the video game itself and far more to the way the game is purchased, activated and enhanced. Digital downloads, virtual in-game items purchased with real money, and micro-payments are all rapidly rising trends in the video game landscape. Hackers are taking advantage of these trends by looking for weaknesses in the security around where that information is stored.

A Brief History of Crime

Security breaches at video game companies have been happening frequently this year. The biggest breach happened to Sony, affecting their PlayStation customers as well as their PC gaming customers not once, but many times this year.

In April of 2011, the PlayStation Network was hacked, compromising the vital information of 77 million accounts, as well as 24.5 million Sony Online Entertainment accounts. This has been touted as the largest personal data heist in recorded history, and it prompted Sony to shut down its services for a month.

After that initial bomb, hackers continued to attack Sony throughout the year. Sony was breached again as recently as October, according to this Forbes article.

Not Just Sony Gets Breached

This problem is spreading, however, beyond just Sony. Other companies are getting breached, notably Turbine, maker of Dungeons and Dragons Online and Lord of the Rings Online. Allegedly the company’s community forums were hacked in early October, around the same time Sony was being breached, and vital customer data was compromised through the hack. Turbine took their forums and community down for a week in an attempt to fix the problem.

Then in November, digital game distribution leader Valve announced that there had been a security breach within its Steam database. This breach was similar to the Turbine breach in that the hack targeted the Steam community forums, which in turn opened up access to the customer database. The timing of this breach was right around the time that Steam was offering the newly launched, extremely popular Skyrim for digital download.

The Trend Targets Forums

With the recent flurry of security breaches, a trend appears to be taking shape. Hackers break into ancillary areas of a video game’s structure, notably the community forums. Those areas store customer information yet remain very vulnerable to breach (a weakness that, in Turbine’s case, customers had critiqued and notified the company about), so hackers keep targeting this weak spot. By getting in through a forum, they can find a backdoor into the database that stores the credit card information.

The big picture concern here is that more and more games are being distributed digitally, and more and more games require some form of stored credit card information for either ongoing subscriptions or micro-payments for downloadable content. That means these hackers will be able to vigorously pursue customer information like credit card and billing information. Here’s an infographic detailing the change in video gamer behavior regarding micro-payments and digital downloads between 2008 and 2010.

Host Merchant Services infographic on video gamer trends like gold farming and micro-transactions, between 2008 and 2010.

What it’s basically showing is that subscriptions are going down, but gamers are buying more virtual items and are willing to make more and more micro-payments for content. This shows there’s a rise in the freemium model that Turbine games employ or the Downloadable Content that Xbox Live games employ, as previously noted in our blog here. And that makes the stored payment information that these gaming companies hold a tasty target for hackers.

On the Horizon

It appears these attacks, and subsequent breaches, are just getting started. The Sony breach this past spring was huge and really set the stage for the ongoing assault, and the continued efforts have been relentless. Put that activity in the context of recent reports from Verizon on lax PCI Compliance among businesses and merchants (79% of organizations surveyed were not fully compliant), as well as the continued rise in micro-payments, virtual item shopping, and digital download content in gaming systems (be it a pair of sneakers in sports game NBA 2K12 or an entire starship in Star Trek Online), and these security breaches are cause for alarm.

This holiday season sees competition between MMORPG giant Blizzard, with their World of Warcraft game shifting to a Kung-Fu Panda inspired expansion, and BioWare’s George Lucas-fueled Star Wars: The Old Republic. Blizzard’s own security has been compromised consistently through their Battle.net, so gamers need to be cautious in handing companies their information. Security needs to be stepped up. Both sides, consumer and merchant, need to be proactive.

PCI Compliance And More

The PCI DSS is already stepping things up with a revamped set of PCI Compliance Standards in version 2.0. But as the Verizon study shows, a lot of companies are struggling to maintain compliance. And PCI Compliance is really just the first step, as it tends to be a more basic set of guidelines on security, still striving to adapt to the swiftly changing schemes that hackers launch in their quest for your credit card information.

Host Merchant Services provides a Free PCI Analysis to its merchants and prospective merchants. The company also provides an informative FAQ on PCI and what it all means. Finally, it gives anyone interested a step-by-step guide on how to become PCI Compliant at the most common tier for businesses.

More needs to be done, however, with e-commerce businesses. These security breaches keep happening, and they put millions of accounts, and credit cards, at stake. The Official Merchant Services Blog will continue to monitor this developing story, especially as we get past the release dates of some major video games that have been fueling holiday shopping. But we’d love to hear from some of you. What are some tips you would offer to be more secure in your video gaming habits? Do you think there’s more risk now than there was in the past when using online gaming services such as Xbox Live or subscribing to World of Warcraft? Let us know.
