March 12, 2001, 4:41 PM — Bibliofind, the Amazon.com Inc. subsidiary for buyers and sellers of used and hard-to-find books, last week disclosed that 98,000 customer credit card numbers stored on its servers were repeatedly stolen between last October and this February.
It took a hacker's defacement of its Web site last month to prompt Bibliofind to examine its network logs and servers, an investigation that revealed an intruder had been breaking in to steal customer data for at least five months. The company doesn't process credit card transactions itself, but stored the customer card data to pass along to sellers. In response to the theft, Bibliofind has stopped storing customer card data and is waiving the $25 fee it was charging booksellers for the service.
The hacker break-in -- which may be an inside job, Bibliofind acknowledges -- forced the company to send a mass e-mail apology to customers last week, breaking the bad news that their credit card numbers had been stolen. The incident comes as Visa International Inc. is pressing e-commerce merchants to undergo, by May, a systematic security check of their networks, as detailed in a 12-point plan.
Visa's demand, first articulated last fall, is for e-merchants to follow 12 security procedures, including encrypting stored credit card data, using antivirus software and tracking access to data by a unique ID. Visa wants to certify compliance on an ongoing basis by having security firms make on-site visits and run remote network scans.
Because banks provide Visa services directly to merchants, Visa has been pressing banks to get e-merchants to undergo the audit, which can be done by any security firm. Visa has a list of preferred providers, though, including Internet Security Systems Inc. (ISS), the Big Five accounting firms, Global Integrity and Exodus Communications Inc., which bought its way into security by acquiring the professional practices arm of Network-1 Security Solutions Inc.
"Right now, we're focusing on the top 100 e-commerce merchants because they represent 70 percent of Visa card business online," says Jean Bruesewitz, a Visa senior vice president. "We expect every single one of them to be in compliance by May." Later, Visa will start pressing smaller companies and international e-commerce firms to undergo security audits.
If there's unwillingness to comply, it could mean that restrictions will be imposed on Visa card use at their sites, Bruesewitz warns.
So far, none of the large e-commerce merchants, such as Amazon.com, has managed to make it through Visa's security check, though some began the process in November.
ISS, which worked out a special group-plan rate with Visa for conducting the security inspection of e-merchants, offers some insight as to why this is so.