Online shopping is now second nature for many consumers. Unfortunately, e-commerce is equally popular with criminals looking for easy means to steal payment card data. Recognizing this, the Payment Card Industry Security Standards Council (PCI SSC) published new guidelines on e-commerce on January 31. The “PCI DSS E-commerce Guidelines Information Supplement,” a result of many months of research and work from the PCI SSC E-Commerce Special Interest Group (SIG), addresses PCI compliance and IT security concerns specifically related to e-commerce merchants and third parties. The supplement discusses common technologies in e-commerce environments, proven methods to help secure the payment process, and the use of completely outsourced solutions, among other topics.
The increasing number of merchants with an online presence introduces some new (and not so new) issues that affect the security of payment card data. Malicious hackers frequently exploit vulnerabilities caused by weak coding practices, as well as inadequate security at third-party service providers. While secure coding standards have existed for a while, there are still too many instances where merchants and vendors don’t follow them and suffer data breaches as a result. For example, criminals often use SQL injection and cross-site scripting to pilfer cardholder data. Although this has been the case for years, many merchants still don’t take basic steps to protect themselves from these threats.
Service providers with inadequate security often allow vulnerabilities to be introduced, too. The new guidelines provide much-needed clarification on the use of third parties, their responsibilities, and how these should be addressed by the PCI standard, as well as on creating secure applications.
The guidelines describe various technologies and architectures used in e-commerce environments, and recommend that a merchant developing its own application do so in accordance with the Payment Application Data Security Standard (PA-DSS). While the PA-DSS is normally applied to off-the-shelf applications used in payment processing, it is sound advice nonetheless.
The guidelines also offer some tried and tested practices to help secure the e-commerce payment process. These may be helpful for new e-commerce merchants or those requiring a refresher. The suggestions include steps such as determining where cardholder data is stored; regularly testing software and applications for flaws; and ensuring that an ASV is engaged for vulnerability testing. While these recommendations are already found within the PCI DSS, restating them serves to reinforce the need for following best practices.
The document details some of the most prevalent technologies used for outsourcing payment functions to a service provider, too. Specifically, it describes the use of Application Programming Interfaces (APIs), inline frames, and third-party payment pages. It even covers the use of completely outsourced solutions. Significantly, the document provides reinforcement that outsourcing the payment process to a third party does not absolve the merchant from adhering to PCI. The document explicitly states that the merchant still has responsibility to address Requirement 12.8, which mandates written agreements with service providers and monitoring their compliance.
Further, the document provides a checklist to aid the merchant in their PCI efforts to determine where the responsibility of various PCI requirements falls. The use of the checklist is optional, but it does provide helpful clarity when determining responsibility.
As a PCI QSA, Dell SecureWorks is often asked to provide guidance on contractual language to use for service providers. The guidelines provide help on this as well by outlining the points that need to be in official contracts: specify the responsibility for requirements; indicate how applicable requirements are met; and indicate how the service provider will demonstrate compliance by either undergoing its own compliance validation or being part of the merchant’s assessment each year.
In summary, while the guidelines are more likely to be useful for new merchants, the level of detail they provide for e-commerce requirements makes them a helpful reference for everyone who is impacted by PCI compliance.