March 12, 2014

For the second time since Aug. 2013, online retailer has hired a computer forensics team after being notified by Discover about a potential breach of customer card data, KrebsOnSecurity has learned.

nomorerackOver the past several weeks, a number of banks have shared information with this reporter indicating that they are seeing fraud on cards that were all recently used by customers. Turns out, has heard this as well, and for the second time in the last seven months has called in outside investigators to check for signs of a digital break-in.

Vishal Agarwal, director of business development for the New York City-based online retailer, said the company was first approached by Discover Card back in August 2013, when the card association said it had isolated as a likely point-of-compromise.

“They requested then that we go through a forensics audit, and we did that late October by engaging with Trustwave,” Agarwal said. “Trustwave came out with a report at end of October saying there was no clear cut evidence that our systems had been compromised. There were a few minor bugs reported, but not conclusive evidence of anything that caused a leakage in our systems.”

Then, just last month, NoMoreRack heard once again from Discover, which said that between Nov. 1, 2013 and Jan. 15, 2014, the company had determined there were more incidents of fraud tied to cards that were all used at the company’s online store.

“So, as of last week, we engaged with Trustwave again to undergo another audit,” Agarwal said. “We have been hearing the complaints from banks, but apart from that, and we’ve done our analysis and due diligence, and there is nothing seriously we can find that may have resulted in customer cards being compromised.”

NoMoreRack also has engaged with Trustwave to ensure that its systems are compliant with the Payment Card Industry (PCI) standards, a set of requirements designed to ensure that all companies that process, store or transmit credit card data maintain a secure environment.

For the purposes of PCI compliance, merchants fall into one of four tiers. The tiers correspond to the volume of cards a merchant processes per year: For example, Tier-1 merchants are those which handle more than 6 million transactions a year. Tier 4 merchants, on the other end of the spectrum, are those which process fewer than 20,000 e-commerce transactions per year.

All merchants that handle credit card transactions are required to be PCI compliant, but most are able to self-certify that they are compliant. Only Tier-1 merchants are required to be audited by an independent “qualified security assessor” or QSA. However, companies that self-certify and later experience a breach may be required by their bank to place themselves into the Tier-1 category and undergo a QSA assessment.

Agarwal said NoMoreRack is now in the process of certifying itself this time as a Tier-1 merchant, even though the number of credit and debit cards it processed in 2013 placed it squarely in the Tier-2 range.

“What we’ve also done is we’ve engaged with Trustwave to do a full PCI compliance audit,” Agarwal said. “Not only are we going through another forensics audit, but we will be going through PCI compliance Level 1, just to make sure our systems are secure and that we are doing everything we can to protect consumer data.¬†We are hoping that Trustwave can point us in the right direction so we may plug any gaps that are there already.”

NoMoreRack has grown significantly since its founding in October 2010. In 2012, the company had online sales of more than $100 million; by the end of last year, sales had reached $340 million annually. It’s possible that this rapid growth is what has been contributing to a poor reputation for consumer complaints against the online retailer. That is, at least according to the Better Business Bureau, which gives NoMoreRack a rating of “F” (its worst).

54 thoughts on “ Probes Possible Card Breach

  1. Dave

    Just received notice from CapitalOne that my credit card number was used for attempted unauthorized purchases. Earlier this week, my girlfriend had the same thing happen to her bank card. I did some research and figured out that both of us had used these cards for purchases from in November and December, and that was absolutely the only thing the two cards had in common.

  2. JD

    TrustWave cleared them the first time…thats all you need to know. TW is not exactly the most up and up firm out there. I’d sooner not do a PCI audit than have them do one for me….

    1. DIZ

      Hi JD do you have a vendor your would recommend other than TW?

      1. Hav0c

        You can find the complete list of QSA’s here

        I have worked with Accudata, Accuvant and Fishnet in the past all with pretty good luck, but the QSA will be regional most likely. I would consider the following 2 factors 1) does the company have a solid review process prebuilt and trains its QSA’s in this process – most of the approved companies most likely do 2) the QSA themself needs to have enough IT knowledge to be able to determine how secure systems are and determine compensating controls. Insist on meeting your QSA at least over the phone and talk encryption or something with them to be sure they are knowledgeable.

  3. Nobody

    Trustwave? More like RustWave. Biggest hyped PCI Compliance audit firm out there. Just ask Heartland, Target, etc. etc…

Comments are closed.