Originally published in January of this year, the Information Supplement: Best Practices for Securing E-commerce has now been amended. The changes, though relatively minor, include fixes for typographical errors and readability issues as well as a correction to a table in section 2.7. If you missed the original (or need a refresher), we strongly recommend reading Sysnet’s Natasja Bolton’s article below, in which she discusses her involvement in the Best Practices for Securing E-Commerce Special Interest Group (SIG) and identifies the key highlights and important changes.
PCI E-Commerce Best Practice Guidance
By Natasja Bolton, Senior Acquirer Support QSA
With its expanded content, fully revised diagrams of the e-commerce implementation methods and inclusion of case studies, the 2017 guidance is a useful reference for merchants and service providers alike.
The guidance will help to ensure a common understanding of the risks, PCI DSS compliance implications and responsibilities associated with e-commerce and the available implementation methods, thereby helping merchants take informed and appropriate steps to secure their online card payment acceptance and achieve PCI DSS compliance.
Why was an update necessary?
It’s been four years since the original guidance was released and many changes have taken place. As PCI SSC CTO Troy Leach points out in the Council’s recent blog “Securing the e-commerce environment continues to be critically important … We also know that fraud is moving to card-not-present (CNP) environments … making e-commerce merchants a prime target for criminal hackers”.
Recently I wrote about the predicted 2017 security threats; in that article I highlighted that the volume of cybercrime is expected to increase this year. Internet-based attackers and opportunists continue to exploit well-known vulnerabilities and already established techniques to successfully compromise businesses that haven’t taken steps to protect themselves.
The guidance doesn’t just focus on PCI DSS compliance; in fact, it concludes with a security best practices summary. It notes that while, at a minimum, businesses should meet the PCI DSS requirements applicable to their specific e-commerce implementation, they should also consider implementing additional PCI DSS requirements and security best practices.
The security recommendations include addressing known areas of e-commerce weakness and vulnerability that cybercriminals seek to exploit.
Useful clarifications of responsibility
Businesses’ e-commerce websites are often vulnerable to attack and exploit because of misunderstanding or misallocation of responsibilities between merchants and their third party service providers.
The guidance addresses this issue in a number of places and confirms that regardless of the extent of a business’s reliance on third parties to support their e-commerce there is ‘No option [that] completely removes a merchant’s PCI DSS responsibilities. … The merchant retains responsibility for ensuring that payment card data is protected’.
Sysnet’s QSAs often encounter third party service providers that believe they have no PCI DSS responsibilities because, in supporting the merchant’s e-commerce website, they do not directly come into contact with cardholder data. The e-commerce best practices document provides examples, clarification and guidance for businesses that engage third parties to support their e-commerce solution.
Most importantly, it confirms that a third party may indeed be in scope for the merchant’s PCI DSS compliance if ‘the solution is impacted by this service and the service provider has not performed its own assessment’.
Informed e-commerce implementation choices
The guidance includes detailed descriptions and diagrams of each e-commerce implementation method, allowing businesses to consider the risk of each method and its impact on their business in terms of PCI DSS scope, and the potential effort and cost to protect their website and manage the risk.
A summary table of advantages and disadvantages on page 20 makes it easy for businesses to directly compare the e-commerce methods, helping them to make informed choices for their e-commerce implementation.
Considerations for determining the security of an e-commerce solution are outlined. The guidance sets out the compliance questions that businesses need to ask their e-commerce service providers. The material also references other PCI SSC guidance for engaging third party providers, as appropriate to the audience: the small merchant Questions to Ask Your Vendors and the more in-depth Third-Party Security Assurance information supplement. The guidance emphasises the need to request PCI SSC documentation (i.e. the Attestation of Compliance) from compliant service providers to support their compliance status.
This is a useful statement as often service providers expect their customers to rely purely on a ‘compliance certificate’ which as the PCI SSC points out is not recognised for compliance validation.
E-commerce scoping considerations
The document guides businesses in the correct scoping of their cardholder data environment. It is important that businesses don’t forget about the protection of websites that aren’t linked to a payment gateway or PSP but which also capture their customers’ cardholder data online. These online channels also need the protection of the appropriate PCI DSS controls.
There is also advice to make sure that businesses do not scope their e-commerce environment in isolation. Businesses need to be aware that, even though their e-commerce website is set up to redirect to a hosted payment page, they may not be eligible for SAQ A.
For example, this can happen because the business’s other payment card handling activities rely on the same back-end environment, so the business cannot confirm SAQ A’s criterion that the ‘company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions’.
Other online card payment security considerations
The guidance includes a discussion of other aspects important to protecting online card payment transactions. There is a whole section on anti-fraud measures to detect suspicious activity. One of the key principles of account data security (If You Don’t Need It, Don’t Store It) is supported by sections on tokenisation and on mechanisms to minimise the risk of caching cardholder data.
Per PCI DSS Requirement 4.1, cardholder data must be encrypted with strong cryptography when transmitted across open, public networks. This requirement is supported by sections on encrypted transmission, on TLS 1.2 configuration and on digital certificates.
This is the first time the PCI SSC has provided guidance for businesses on considerations when selecting certificate authorities and public key certificates for their e-commerce websites. A useful Q&A section addresses typical merchant concerns about SSL and TLS helping to clarify, for small merchants in particular, what they need to do.
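As a concrete illustration of the TLS configuration and certificate points above, the script below audits an nginx-style TLS configuration for protocols and cipher suites that no longer count as strong cryptography, and computes how many days remain on a certificate. It is an added example and is not code from the PCI SSC guidance or from Sysnet; the two configuration snippets are constructed for the example (one deliberately weak, one hardened), and the directive names are nginx’s `ssl_protocols` and `ssl_ciphers`.

```python
"""Audit an nginx-style TLS configuration against the PCI DSS Requirement 4.1
expectation of strong cryptography in transit (TLS 1.2 or later, no weak
cipher suites) and check certificate expiry.

Added example, not part of the PCI SSC guidance. The two configs below are
constructed for illustration.
"""
import re
import ssl
from datetime import datetime, timezone

# Protocol versions the PCI SSC no longer treats as strong cryptography.
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Cipher-string fragments that mean weak, broken or unauthenticated crypto.
WEAK_CIPHER_PARTS = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "RC4",
                     "DES", "3DES", "MD5", "ADH", "AECDH"}
# OpenSSL aliases that pull in everything, including weak suites.
BROAD_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFALL"}

# Constructed configs: a legacy one and a hardened one.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:RC4-SHA:DES-CBC3-SHA:!aNULL;
}
"""
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
"""


def parse_directive(config, name):
    """Return the tokens of the last `name ...;` directive, or None if absent."""
    matches = re.findall(r"^\s*" + re.escape(name) + r"\s+([^;]+);", config, re.M)
    return matches[-1].split() if matches else None


def audit_tls_config(config):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []

    protocols = parse_directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; the default depends on the nginx "
                        "version, so set it explicitly to TLSv1.2 TLSv1.3")
    else:
        weak = [p for p in protocols if p in WEAK_PROTOCOLS]
        if weak:
            findings.append("ssl_protocols permits weak protocol(s): " + ", ".join(weak))

    ciphers = parse_directive(config, "ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers not set; define an explicit AEAD/ECDHE cipher list")
    else:
        # nginx passes the value straight to OpenSSL: ':'-separated entries,
        # a leading '!' removes a suite, so negated entries are not a risk.
        for entry in ":".join(ciphers).split(":"):
            if not entry or entry.startswith("!"):
                continue
            if entry in BROAD_ALIASES:
                findings.append(f"ssl_ciphers uses broad alias '{entry}', which enables weak suites")
                continue
            parts = set(re.split(r"[-+]", entry))
            if parts & WEAK_CIPHER_PARTS:
                findings.append(f"ssl_ciphers enables weak suite '{entry}'")
    return findings


def days_until_expiry(not_after, now):
    """Days left on a certificate. `not_after` is the OpenSSL text form that
    ssl.getpeercert()['notAfter'] returns, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] findings:")
        for f in audit_tls_config(cfg) or ["none"]:
            print("  -", f)
    # Constructed certificate expiry date and 'current' time.
    print("days left:", days_until_expiry("Jun  1 12:00:00 2025 GMT",
                                          datetime(2025, 5, 2, 12, 0, tzinfo=timezone.utc)))
```

Run it with `python audit_tls.py`; the weak configuration produces findings for SSLv3/TLSv1/TLSv1.1, the `ALL` alias and the RC4 and 3DES suites, while the hardened one produces none. The parser only reads static configuration, so treat it as a pre-deployment check rather than a substitute for testing the live endpoint the way a scanner or a QSA would.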
Though lengthy, the Best Practices for Securing E-commerce guidance brings together in one resource up to date information on e-commerce implementations and their security considerations. The materials explicitly state that they do not replace or supersede the PCI DSS.
No specific method, technology or approach to e-commerce is endorsed or recommended ahead of any other. Rather this best practice guide is provided to enable merchants to make informed decisions in relation to their e-commerce risk, the scope and complexity of their e-commerce implementation and when outsourcing aspects of their e-commerce solution.
Sysnet hope that this guidance will succeed in helping businesses better understand the risks associated with taking card payments online and their responsibilities for protecting payment card data accepted online.