Credit Card Security at Fillmore Container


To all those following the current credit card fraud debacle,

This is Keith Reinhart from Fillmore. First - kudos to all of you who tirelessly participate in this forum and share your wealth of knowledge. After several days of phone calls with our web host, merchant processor, network administrator and e-commerce security consultant, it may be your combined effort on CraftServer that leads to discovery of the recent security breach and credit card theft by common denominator or process of elimination.

I am still awaiting definitive answers from our experts, but I wanted to share with you what I know so far:

  1. There has been no known breach of the PCI-DSS (Payment Card Industry Data Security Standard) compliant web servers hosting FillmoreContainer.com. Our checkout pages are GeoTrust certified with SSL encryption up to 256-bit.
  2. Payments are processed at time of invoice through Sage Payments, a virtual terminal extension of our Peachtree Quantum enterprise software. There has been no breach of Sage's gateway or virtual terminal, where all cc data are stored.
  3. No card data are stored on our local network. All network machines are double password-protected, have Symantec Endpoint Protection, and sit behind a WatchGuard firewall.
  4. Web site hosting facilities are monitored 24x7x365 (** details below).

We have been processing with increasing security on our site for over 7 years with no indication of compromise or fraud, and with the recent hacks we will continue to improve our systems and security wherever possible. I have engaged Trustwave for a forensics investigation to see if we can shed any light on the source of the current leak (whether at Fillmore or elsewhere) and to help discover any potential weaknesses in our systems and processes. The continued proliferation and poor detectability of trojan horse programs like Zeus won't allow me to (nor should anyone else) claim with 100% certainty that we (or they) were not the source of this cyber attack; so I'll say I'm 99% certain that Fillmore Container was not the source, and I'll spend the majority of the coming days pursuing the uncertain 1%.

I'll continue to post as I learn more. If you have any hesitation in providing a payment card on our site, please paste your order into an email and call us with your card information. If you have questions or would like to further discuss the issue, please call me any time. Your business, your trust, and your peace of mind are not taken lightly and we will do whatever it takes to prove ourselves worthy of your continued support.

Sincerely,

Keith Reinhart

President

Fillmore Container, Inc.

866-FILL-JAR x102

** For techies who care about the details, following is the simplified report given to me regarding the protection of our site and your sensitive information:

Security - Secured perimeter access, Security cameras inside and outside of the building, and Honeywell Prowatch Proximity door access system in all entrance doors and into raised floor areas. This is all monitored 24x7x365 with alerts generated to the Windstream NOC.

Firewalls – Firewall services are provided by a redundant active/passive firewall cluster consisting of 2 Cisco ASA5520 firewalls.

Network Intrusion Prevention – Cisco AIP (Advanced Inspection and Prevention Security Services) modules are installed at the edge of the network. Working in conjunction with the redundant ASA cluster, the AIP modules perform IDS/IPS on all traffic flowing through the ASA devices. These devices provide accurate inline prevention technologies, multivector threat identification, unique network collaboration, and powerful management, event correlation, and support services. When combined, these elements provide a comprehensive inline prevention solution to detect and stop the broadest range of malicious traffic before business continuity is affected.

Vulnerability Assessments – performs regular vulnerability assessments of networks, network equipment and hosted servers using a variety of tools and technologies, including Nessus and Microsoft Baseline Security Audit Tool, and is PCI compliant. Weekly scans are performed by Control Scan.

I have not been a part of this widespread attack; ours was stolen by a local pizza parlor employee. But I must say, this response has impressed me greatly!! I like the admittance of the 1% chance because, in my way of thinking, how many are really going to own up to a breach of their system? It seems this report is comprehensive as well as open-minded.

Keith and FMC,

Thank you very much for your detailed and thorough post.

Your company and your customer service have always been #1 in my book. :smiley2:

It is nice to see everyone working together to try to find where the breach is!! THANK YOU KEITH!!

Keith-- thank you so much for looking into this and responding to those here who are concerned about this matter.

I am a customer and have been for the last couple of years and will continue to be. I have always been impressed with how helpful you and your staff have been in helping me with my orders and loading into my car. (I also love to come in and sniff the FO vials in your office!)
