The Green Sheet

Tuesday, February 7, 2017

PCI SSC revises ecommerce guidance

The PCI Security Standards Council (PCI SSC) published Best Practices for Securing E-commerce on Jan. 31, 2017. The supplemental guide, written by the council’s Securing e-Commerce Special Interest Group (SIG), expands and revises content previously published in 2013.

Designed to help payments industry stakeholders combat increasing levels of online fraud, the report provides insights from merchants, financial institutions, third-party service providers, assessors and industry associations tasked with protecting card-not-present (CNP) environments, PCI SSC representatives stated.

Troy Leach, Chief Technology Officer for the council, praised SIG members for their collaborative efforts and unique case studies. “This information supplement is a testament to their collaboration and willingness to share their experience with others and provides easy-to-understand examples of e-commerce scenarios along with best practices to secure cardholder data and meet PCI DSS requirements,” he stated.

The report, intended for existing and prospective ecommerce merchants of all sizes and industries, will be most useful to merchants and payment service providers (PSPs) that have a “solid understanding of their current e-commerce solution and environment,” authors noted.

PSP, merchant responsibilities

The information supplement provides additional guidance to existing Payment Card Industry Data Security Standard (PCI DSS) Version 3.2. In addition to general recommendations, it clarifies merchant responsibilities and approved implementation and certification methods.

The authors listed several approaches to ecommerce implementation:

  • Payment software: Merchants can process ecommerce payments with in-house software, outsourced software or a combination of both.

  • Technologies: Merchants can adopt a variety of technologies in CNP environments, including processing applications, application programming interfaces, inline frames or third-party-hosted web pages.

  • Infrastructure: Merchants can configure their processing frameworks to achieve their desired degree of control and responsibility. “For example, a merchant may choose to manage all networks and servers in-house, outsource management of all systems and infrastructure to hosting providers and/or e-commerce payment processors, or manage some components in house while outsourcing other components to third parties,” the authors wrote.

Regardless of how a merchant chooses to implement ecommerce best practices, no option will completely remove a merchant’s PCI DSS responsibilities, the authors stated. The merchant still needs to ensure that payment card data is protected and perform due diligence to verify that third-party service providers are protecting cardholder data in accordance with the PCI DSS. Acquirers and payment card brands may also require some merchants to conduct onsite assessments or complete a self-assessment questionnaire, they added.

The PCI SSC also recommended monitoring connections between merchants’ information technology frameworks and third-party service providers to prevent information technology infrastructures from being compromised.

“It is recommended that e-commerce payment applications, such as shopping carts, be validated according to PA-DSS, and confirmed to be included on PCI SSC’s list of Validated Payment Applications,” they wrote. “For in-house developed e-commerce applications, PA-DSS should be used as a best practice during development.”

More growth in fraud, ecommerce predicted

In its 2017 Identity Fraud Study published Feb. 7, 2017, Javelin Strategy & Research found a 40 percent increase in online and new account takeover fraud. Analysts attribute the increase to the EMV (Europay, Visa and Mastercard) migration in the United States, which shifted fraudsters from in-store to CNP environments. The report found that consumers who regularly visit ecommerce and mobile commerce sites are more likely to experience fraud, but are also faster to identify it.

Al Pascual, Senior Vice President, Research Director and Head of Fraud & Security at Javelin Strategy & Research, said the report findings clearly indicate fraudsters never rest. “The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters,” he stated. “To successfully fight fraudsters, the industry needs to close security gaps and continue to improve, and consumers must be proactive too.”

The PCI SSC has mandated the use of TLS 1.1 encryption or higher for payment card acceptance; the deadline is June 2018. TLS (transport layer security, the successor to the secure sockets layer, or SSL) encrypts data as it travels between two endpoints, such as a web server and a web browser. The council reported that Google recently added a warning to its Chrome browser to notify users of insecure websites. Best Practices for Securing E-commerce provides additional guidance to CNP merchants on evaluating and selecting certificate authorities.
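Before the June 2018 cutoff, a merchant needs to know which clients would still negotiate SSLv3 or TLS 1.0 if those protocols were switched off. The following is an added example, not code from the PCI SSC guide or The Green Sheet: it audits web-server access logs for payment requests made over protocols below the TLS 1.1 minimum. It assumes a custom nginx-style log format that appends the negotiated protocol and cipher to each line; the log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample access log (nginx-style log_format with $ssl_protocol
# and $ssl_cipher appended); these are not real hosts or sessions.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Feb/2017:10:01:02 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1 AES128-SHA
203.0.113.11 - - [07/Feb/2017:10:01:05 +0000] "POST /checkout HTTP/1.1" 200 498 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 - - [07/Feb/2017:10:02:11 +0000] "GET /cart HTTP/1.1" 200 1024 TLSv1.1 AES256-SHA
198.51.100.8 - - [07/Feb/2017:10:02:40 +0000] "POST /checkout HTTP/1.1" 200 510 SSLv3 RC4-SHA
203.0.113.10 - - [07/Feb/2017:10:03:01 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1 AES128-SHA
"""

# Field layout assumed for the custom log format described in the lead-in.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<proto>\S+) (?P<cipher>\S+)$'
)

# Protocol versions that satisfy the "TLS 1.1 or higher" mandate.
COMPLIANT = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text):
    """Count requests per negotiated protocol and list non-compliant ones.

    Returns (Counter of protocol -> hits, list of (client_ip, protocol, path)).
    """
    counts = Counter()
    offenders = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines in an unexpected format
            continue
        counts[rec["proto"]] += 1
        if rec["proto"] not in COMPLIANT:
            parts = rec["req"].split()
            path = parts[1] if len(parts) > 1 else rec["req"]
            offenders.append((rec["ip"], rec["proto"], path))
    return counts, offenders


if __name__ == "__main__":
    counts, offenders = audit(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print(f"{proto:8s} {n:4d} {'OK' if proto in COMPLIANT else 'BELOW MINIMUM'}")
    for ip, proto, path in offenders:
        print(f"non-compliant: {ip} used {proto} for {path}")
```

Run against real logs, the offender list tells the merchant which client populations (and which payment paths) would break when legacy protocols are disabled, so they can be contacted before the deadline rather than after.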
