NoMoreRack.com Probes Possible Card Breach

For the second time since Aug. 2013, online retailer NoMoreRack.com has hired a computer forensics team after being notified by Discover about a potential breach of customer card data, KrebsOnSecurity has learned.

Over the past several weeks, a number of banks have shared information with this reporter indicating that they are seeing fraud on cards that were all recently used by nomorerack.com customers. Turns out, nomorerack.com has heard this as well, and for the second time in the last seven months has called in outside investigators to check for signs of a digital break-in.

Vishal Agarwal, director of business development for the New York City-based online retailer, said the company was first approached by Discover Card back in August 2013, when the card association said it had isolated nomorerack.com as a likely point-of-compromise.

“They requested then that we go through a forensics audit, and we did that late October by engaging with Trustwave,” Agarwal said. “Trustwave came out with a report at end of October saying there was no clear cut evidence that our systems had been compromised. There were a few minor bugs reported, but not conclusive evidence of anything that caused a leakage in our systems.”

Then, just last month, NoMoreRack heard once again from Discover, which said that between Nov. 1, 2013 and Jan. 15, 2014, the company had determined there were more incidents of fraud tied to cards that were all used at the company’s online store.

“So, as of last week, we engaged with Trustwave again to undergo another audit,” Agarwal said. “We have been hearing the complaints from banks, but apart from that, and we’ve done our analysis and due diligence, and there is nothing seriously we can find that may have resulted in customer cards being compromised.”

NoMoreRack also has engaged with Trustwave to ensure that its systems are compliant with the Payment Card Industry (PCI) standards, a set of requirements designed to ensure that all companies that process, store or transmit credit card data maintain a secure environment.

For the purposes of PCI compliance, merchants fall into one of four tiers. The tiers correspond to the volume of cards a merchant processes per year: For example, Tier-1 merchants are those which handle more than 6 million transactions a year. Tier 4 merchants, on the other end of the spectrum, are those which process fewer than 20,000 e-commerce transactions per year.

All merchants that handle credit card transactions are required to be PCI compliant, but most are able to self-certify that they are compliant. Only Tier-1 merchants are required to be audited by an independent “qualified security assessor” or QSA. However, companies that self-certify and later experience a breach may be required by their bank to place themselves into the Tier-1 category and undergo a QSA assessment.

Agarwal said NoMoreRack is now in the process of certifying itself this time as a Tier-1 merchant, even though the number of credit and debit cards it processed in 2013 placed it squarely in the Tier-2 range.

“What we’ve also done is we’ve engaged with Trustwave to do a full PCI compliance audit,” Agarwal said. “Not only are we going through another forensics audit, but we will be going through PCI compliance Level 1, just to make sure our systems are secure and that we are doing everything we can to protect consumer data. We are hoping that Trustwave can point us in the right direction so we may plug any gaps that are there already.”

NoMoreRack has grown significantly since its founding in October 2010. In 2012, the company had online sales of more than $100 million; by the end of last year, sales had reached $340 million annually. It’s possible that this rapid growth is what has been contributing to a poor reputation for consumer complaints against the online retailer. That is, at least according to the Better Business Bureau, which gives NoMoreRack a rating of “F” (its worst).