By Natasja Bolton, Acquirer Support Manager
As we discussed in the Ecommerce SAQ Selection guide, businesses seeking to minimise their PCI DSS compliance obligations for their ecommerce payment channel often outsource all capture and processing of payment card data to validated PCI DSS compliant payment service providers (PSPs).
The most common method of doing so is for the business to configure their website to redirect the consumer to a hosted payment page or, alternatively, to present that hosted payment page within an iFrame on the business’s website.
Businesses prefer the iFrame presentation of the hosted payment page because they know that the usability of their payment solution heavily influences whether the consumer completes the purchase.
The iFrame is as easy and straightforward for small businesses to configure as a hosted payment page integration but has the advantage of streamlining the checkout process, so that the consumer never appears to leave the business’s own webpage and isn’t put off by a redirect to another webpage.
However, despite its popularity, the European Banking Authority (EBA, the European body responsible for banking supervision), in releasing the Guidelines for the security of internet payments, has raised the prospect that using the iFrame method is no longer acceptable:
“12.5 Acquiring PSPs should require e-merchants to clearly separate payment-related processes from the online shop in order to make it easier for customers to identify when they are communicating with the PSP and not the payee (e.g. by re-directing the customer and opening a separate window so that the payment process is not shown within a frame of the e-merchant).”
(EBA, Final Guidelines on the Security of Internet Payments, 19 December 2014, p. 23)
iFrame ecommerce risks and PCI DSS acceptability
The iFrame integration method is seen as contrary to the EBA guidelines’ stated aim of enhancing protection of consumers against payment fraud on the Internet. This is because, by embedding the hosted payment page as an iFrame on the business webpage, the consumer is unable to:
- Immediately verify that the connection to the hosted payment page within the iFrame is secure/encrypted (any ‘padlock’ the consumer sees indicating a secured HTTPS session relates to the connection to the business’s webpage, not to the hosted payment page)
- Confirm the identity of the server (the PSP) presenting the hosted payment page
- Confirm that the PSP’s certificate has been issued by a trusted certificate authority and hasn’t expired or been revoked
Visa Europe in their Ecommerce Guide acknowledge that there is a risk in using iFrame integrations. This risk is mainly related to the compromise of the business website and malicious alteration of the iFrame to call a payment form from the criminal’s website.
However, Visa Europe and the PCI SSC currently still consider that, because such attacks against the business website are not transparent to the business or the consumer, both should notice tampering with the iFrame; therefore the iFrame integration method is acceptable for online payment card transactions and is eligible for a reduced PCI DSS compliance assessment using SAQ A.
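The tampering risk described above (a compromised merchant site whose iFrame src is changed to load a criminal’s payment form) is one a merchant can at least constrain server-side with a Content Security Policy. The following is an added example, not code from the article or from any PSP: a minimal evaluator for the CSP frame-src directive that shows a weak policy letting a tampered src load beside a hardened one that pins the iFrame to the PSP’s origin; all hostnames are constructed.

```javascript
// Added example, not from the article: a minimal CSP frame-src evaluator showing how a
// merchant page pins its payment iFrame to the PSP's origin. Hostnames are constructed.

// Parse "directive src src; directive ..." into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Match one source expression: 'none', 'self', '*', a bare scheme ("https:"), or a
// host expression with optional scheme, "*." wildcard and port. Paths are omitted.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  // An explicit scheme must match; a scheme-less host may not downgrade the page's scheme.
  const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ":"
    : url.protocol === pageScheme || (pageScheme === "http:" && url.protocol === "https:");
  if (!schemeOk) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port === undefined) return url.port === "";   // default port only
  return port === "*" || url.port === port;
}

// Browsers resolve frames via frame-src, then child-src, then default-src; with none
// of them present the iFrame may load from anywhere, which is the weak configuration.
function frameAllowedByCsp(header, frameSrc, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get("frame-src") ?? policy.get("child-src") ?? policy.get("default-src");
  if (!sources) return true;
  const url = new URL(frameSrc);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

const PAGE = "https://shop.example";                                // merchant page (constructed)
const PSP_FRAME = "https://pay.psp.example/hpp/checkout?ref=123";  // genuine hosted payment page
const ROGUE_FRAME = "https://pay.psp.example.attacker.example/hpp"; // tampered src after a site compromise
const WEAK_CSP = "script-src 'self'";                               // says nothing about frames
const HARDENED_CSP = "default-src 'self'; frame-src https://pay.psp.example";
console.log(frameAllowedByCsp(WEAK_CSP, ROGUE_FRAME, PAGE), frameAllowedByCsp(HARDENED_CSP, ROGUE_FRAME, PAGE));
```

The header is only as trustworthy as the server that emits it, so it belongs at the edge (CDN or WAF) with alerting on any change rather than in page templates an intruder could edit. It also does nothing for the consumer’s own ability to verify the payment page, which is the EBA’s point in 12.5.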
The EBA guidelines came into force on 1st August 2015. The guidelines set out minimum security requirements for PSPs across the EU, including issuing and acquiring banks, e-money institutions, credit institutions and payment processing service providers, which these entities are required to make every effort to comply with.
The guidelines specify the governance, risk management, incident handling, control and mitigation measures and traceability requirements that PSPs must meet directly, as well as the security controls and measures that must be applied for internet payments.
Additionally, the EBA guidelines place obligations on PSPs offering acquiring services to impose certain security requirements on their ecommerce businesses (e-merchants). These include requirement 12.5 highlighted above (for e-merchants to clearly separate payment-related processes from their online shop) as well as:
- Encourage e-merchants not to store sensitive payment data (11.3)
- Contractually require e-merchants handling sensitive payment data to have security measures in place to protect the data (4.8, 11.3)
- Contractually require e-merchants handling sensitive payment data to cooperate on major security incidents (3.4)
- Require e-merchants to support solutions allowing the issuer to perform strong authentication of the cardholder for transactions via the Internet (although the EBA does allow for alternative measures to be considered for low risk or low value transactions) (7.5)
- Ensure mutual authentication of communications between PSP and e-merchant when initiating internet payments and accessing sensitive authentication data (7.9)
The first three items on the list above do not seem drastically different to the contractual obligations already placed on e-merchants to comply with the applicable security measures required by the PCI DSS.
However, the guidelines can be seen as extending the requirement for acquirers to maintain a business compliance programme as the guidelines also ask acquirers to “carry out regular checks” (11.3) of those e-merchants that handle sensitive payment data and expect them to take enforcement steps if the required security measures are not in place.
Requirements 7.5 and 7.9, as well as 12.5 highlighted earlier, will have an impact on the e-merchant’s ecommerce website implementation and integration with their PSP or payment gateway. In order to meet these requirements, acquiring PSPs must urge their e-merchants to:
- Move away from iFrame implementations of hosted payment pages
- Support strong authentication by the issuer (currently 3D Secure but the technology is moving towards use of at least one non-reusable one-time second factor for consumer authentication)
- Support bilateral authentication (the means of verifying the identity of business to PSP and vice versa)
The PSPs that e-merchants rely on to enable online payments on their websites will also have to adjust their solution offerings so that e-merchants are able to fulfil these measures, required of them by their acquirer.
Indeed, many progressive PSPs, who are at the forefront of the development of ever more streamlined and ‘attractive’ methods of presenting the payment page to the consumer while at the same time working right up to the boundaries of what could be defined as a hosted payment page (or iFrame of the same), may need to revise their strategy.
Many such providers rely on modal iFrames to present the payment page as a pop-up window (so that the business’s own web page remains in view behind it). With these implementations the browser address bar is not visible as part of the pop-up window, so they raise the same security concerns as the traditional iFrame: the security of the connection to the pop-up payment page cannot be verified and the certificate cannot be viewed.
For these methods, and those that fall into the PCI DSS SAQ A-EP definition, there is a need to ensure that the payment page implementation makes it obvious to consumers that payment data is being submitted to, and only handled by, the trusted PSP over a mutually authenticated and secure connection – these methods currently fail in this regard.
The Financial Conduct Authority (FCA), which was obliged like all other EU ‘competent authorities’ to respond to the EBA Guidelines, certainly considers there to be an impact on PSPs in scope for the guidelines, and hence also on e-merchants.
Their response concluded that implementation “will require some providers to make significant changes to their systems and controls and significant additional changes”.
The EBA guidelines’ measures to better protect the online consumer closely reflect the objectives of the PSD2 (the new EU Payment Services Directive): to make payments safer and more secure and to protect consumers.
It is easy to see therefore why the EBA, as the custodian of the technical standards required by the PSD2, expects to amend and build upon the Security of Internet Payments Guidelines to address the operational and security requirements for payment services encompassed in the PSD2 which is expected to come into force in 2018/9.
Sysnet believe that the EBA Guidelines and the upcoming PSD2 will result in ‘conflict’ between PSPs and e-merchants, seeking to streamline the consumer checkout/payment process (for a better consumer experience), and financial institutions, acquirers and regulators, seeking to better protect the consumer and their sensitive personal and payment data.
Education and understanding are needed to ensure that the benefits of internet payment services are fully realised while risks to the e-merchant and consumer are minimised.
E-merchants often make decisions about their ecommerce website based on their own personal perception without fully understanding the consumer’s perception of that same checkout process (which can be influenced not just by the payment integration method but also by aspects such as too many steps or mandatory customer registration) or considering the security and liability implications of their decisions.
Sysnet consider therefore that there is a need to better educate e-merchants on their options for ecommerce payment integration and strong customer authentication and the benefits/risks associated with each. Business compliance with 7.5 and 7.9 (strong consumer authentication and mutual authentication of PSP and e-merchant) will serve to better protect both the consumer and the e-merchant with regards to the internet payment transactions.
Adherence to Requirement 12.5 (redirect the consumer to a secure hosted payment page) will ensure that e-merchants are not handling sensitive payment data; hence the further security measures in the EBA are not mandated.
Sysnet also recommend that e-merchants and their acquirers, PSPs and regulators focus on educating the consumer on how to protect themselves and their card data when making payments online, on what to look for to assure themselves of the security of a merchant website or payment page, on the indicators that should warn them that they may be at risk, on the need to prove their identity in order to protect their payment data.
With better consumer education, for example encouraging the consumer to look for a secure hosted payment page provided by a trusted PSP, those e-merchants and PSPs that follow the EBA guidelines and avoid the use of iFrames will benefit and merchants’ protestations about ‘basket abandonment’ will be unfounded.
In the longer term, developing consumer understanding of the risks associated with internet payments will ensure that further measures such as two factor consumer authentication will be accepted by the consumer as necessary and fundamental to the online experience rather than needless or excessive.
Look out for our discussion on the potential impact on PSPs and businesses of the PSD2 and of the EU Network and Information Services (NIS) Directive, the first EU-wide legislation on cybersecurity, in future issues.