by Natasja Bolton, Acquirer Support Manager, Risk and Assurance Division
Ecommerce merchants are encouraged to reduce the risk of payment card data compromises in their online trading by outsourcing the acceptance and processing of cardholder data to validated PCI DSS compliant service providers.
The simplest and cheapest option for small ecommerce merchants is to redirect their customers to a third party hosted payment page (or embed that hosted payment page in an iFrame) so that all capture and processing of the cardholder’s data is undertaken by the PCI DSS compliant third party payment service provider.
As the merchant and their website do not come into contact with the customer’s cardholder data, the merchant is able to assess PCI DSS compliance for their ecommerce channel against the requirements set out in Self-Assessment Questionnaire (SAQ) A.
SAQ A places no obligations on the merchant to ensure the security of their website. Instead it accepts that, because “All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers” and “All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)”, it is sufficient, for the level of potential risk to the cardholder data, that the merchant verifies their hosted payment page is provided by a validated PCI DSS compliant service provider.
While there are sound reasons to minimise and streamline the journey to PCI DSS compliance for these small ecommerce merchants, where the handling of cardholder data is entirely outsourced, the failure of the SAQ A to highlight either the residual risks to their website or the need to consider further security measures to protect their website sends a potentially misleading message to merchants: that no further security protection is required.
As a case in point, I recently heard of a retailer that chose to expand their business online, making the decision to set up their website to use a hosted payment page and thereby meeting the requirements of SAQ A and attesting as PCI DSS compliant for this payment channel. That merchant was subsequently targeted by malicious persons who were able to compromise the website and steal their customer database.
The attackers used that stolen data to issue phishing emails to the merchant’s customers advertising a Sale, and created a copy of the website, which they used to capture the payment card details of the merchant’s many customers tempted by the Sale offers.
This merchant was so devastated by this attack and the resulting loss of customer trust that they no longer have an ecommerce website; the loss of that payment channel will hinder their potential growth but they will no longer take that risk.
The PCI SSC, in their analysis of the differences between Direct Post and iFrame or URL redirect integration methods, acknowledges that use of hosted payment pages by merchants is not entirely risk free: “the main attack a criminal has against [the redirect to or iFrame of a hosted payment page integration method] is to change the code on the merchant’s website so the consumer is re-directed to the criminal’s payment page and not the legitimate payment page – this is commonly known as a “man-in-the-middle” (MITM) attack. The disadvantage for the criminal is that this attack is usually detected reasonably quickly and minimal cardholder data is put at risk”.
Indeed Visa Europe encourages merchants to follow additional guidelines to “detect and protect against this attack”.
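One concrete form that “detect” can take is a routine check that the merchant’s checkout page still hands the customer off only to the validated provider. The script below is an added example, not code from the post or from the PCI SSC or Visa Europe guidance it cites: it parses the checkout page’s HTML and reports any iFrame, form action, link, meta-refresh or script whose host is neither the merchant’s own site nor the validated payment service provider, and it fingerprints the page so it can be compared with a baseline taken at deployment. The hostnames `shop.example.com` and `pay.example-psp.com` are assumed placeholders, and both HTML pages are constructed for the demonstration.

```python
"""Check a merchant checkout page for tampered hosted-payment-page targets.

Added example (not from the original post). Hostnames are placeholders and
the two HTML pages are constructed samples. The check uses only the Python
standard library so it can run offline against a saved copy of the page.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

MERCHANT_HOST = "shop.example.com"               # assumed merchant site
TRUSTED_PAYMENT_HOSTS = {"pay.example-psp.com"}  # assumed validated PSP

# Elements that can send the customer (or the card data) somewhere else.
WATCHED = {"iframe": "src", "form": "action", "a": "href", "script": "src"}


class TargetExtractor(HTMLParser):
    """Collect (element, url) pairs for every watched element on the page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in WATCHED and attrs.get(WATCHED[tag]):
            self.targets.append((tag, attrs[WATCHED[tag]]))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # Form: <meta http-equiv="refresh" content="0; url=https://...">
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                self.targets.append(("meta-refresh", content.split("=", 1)[1].strip()))


def host_is_allowed(host, allowed):
    """True for an exact match or a subdomain of an allowed host. A lookalike
    such as pay.example-psp.com.lookalike.invalid does not qualify."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_checkout_page(html, merchant_host=MERCHANT_HOST, trusted=TRUSTED_PAYMENT_HOSTS):
    """Return a list of findings (element, url, reason); empty means no tampering seen."""
    parser = TargetExtractor()
    parser.feed(html)
    findings = []
    for element, url in parser.targets:
        parsed = urlparse(url)
        if not parsed.netloc:
            continue  # relative URL: stays on the merchant's own site
        host = parsed.hostname or ""
        if host_is_allowed(host, {merchant_host}):
            continue
        if not host_is_allowed(host, trusted):
            findings.append((element, url, "host is neither merchant nor validated PSP"))
        elif parsed.scheme.lower() != "https":
            findings.append((element, url, "payment target not served over HTTPS"))
    return findings


def page_fingerprint(html):
    """SHA-256 of the page, for comparison with a baseline stored at deployment."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed sample: the checkout page as deployed.
CLEAN_PAGE = """<html><body>
<form action="/cart/update" method="post"></form>
<iframe src="https://pay.example-psp.com/checkout?session=abc123"></iframe>
<script src="https://shop.example.com/static/app.js"></script>
</body></html>"""

# Constructed sample: the iFrame now points at a lookalike host (reserved .invalid TLD).
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "https://pay.example-psp.com/checkout",
    "https://pay.example-psp.com.lookalike.invalid/checkout")


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, page_fingerprint(page)[:16], check_checkout_page(page))
```

Run on a schedule against a fresh fetch of the live checkout page, any non-empty findings list, or a fingerprint that differs from the deployment baseline without a corresponding release, is the signal to investigate; comparing against a baseline also catches inline script changes that the element allowlist alone would not see.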
However, as we know, most small merchants juggle the conflicting priorities of running and growing their business and tend to look at their PCI DSS compliance assessment as a ‘necessary evil’ – an annual obligation, like their tax return, that must be ‘gone through’ in order to move onto the next most important task.
They simply want to know: “what must I do?” and they won’t explore the supporting guidance, such as that given above. The PCI SSC is fully aware of this and in a recent edition of CIO Magazine, Stephen Orfei, General Manager at the PCI SSC, emphasised the need to focus on security not compliance: “Security isn’t about checking a box to pass an annual audit. It’s about ongoing vigilance and multiple layers that address people, process and technology.”
The PCI Council’s difficulty is in providing clear and straightforward compliance requirements to small merchants, to address the risks to payment card data, without giving the impression that those requirements are all that is needed to secure the business.
As Stephen says, “PCI DSS provides the foundation” for building a good security culture but more is needed to ensure businesses are prepared for and protected against the threats that could critically damage their ability to trade.
The question is, how do we inform and support businesses so that they better protect themselves?
I believe it is the role and responsibility of leaders in the payments industry (the card schemes, the PCI SSC, the acquirers and others) to utilise their resources and visibility of the risks/compromises that occur, to educate and support those with limited resources and poor understanding of the security threats and issues that could have a fundamental and catastrophic impact on their ability to continue trading.
Next week, I will explore the Government initiatives that are underway to promote good security practice, steps to develop a more secure and resilient small business sector, and offer a means by which you can support and promote the need for a security culture to your merchants.
Sysnet Risk & Assurance is available to assist small businesses with pragmatic solutions to help improve their security posture and meet compliance initiatives. For more information, please visit Risk & Assurance or email: email@example.com
If you are a merchant that requires technical or PCI DSS help, please click here