Page 11 - GS170202
News
Moya stated. "They will outspend baby boomers in 2017 and bring more capital into the planet than any other previous generation."

Moya urged the audience to redesign the workplace to create opportunities and upward mobility for millennials, asserting they will bring talent and energy to the payments industry. His message garnered questions, laughter and applause from NEAA's multigenerational audience that included payment veterans and entrepreneurs running fintech startups.

PCI SSC revises ecommerce guidance

The PCI Security Standards Council (PCI SSC) published Best Practices for Securing E-commerce Jan. 31, 2017. The supplemental guide, written by the council's Securing E-commerce Special Interest Group (SIG), expands and revises content previously published in 2013.

Designed to help payments industry stakeholders combat increasing levels of online fraud, the report provides insights from merchants, financial institutions, third-party service providers, assessors and industry associations tasked with protecting card-not-present (CNP) environments, PCI SSC representatives stated.

Troy Leach, Chief Technology Officer for the council, praised SIG members for their collaborative efforts and unique case studies. "This information supplement is a testament to their collaboration and willingness to share their experience with others and provides easy to understand examples of e-commerce scenarios along with best practices to secure cardholder data and meet PCI DSS requirements," he stated.

The report, intended for existing and prospective ecommerce merchants of all sizes and industries, will be most useful to merchants and payment service providers (PSPs) that have a "solid understanding of their current e-commerce solution and environment," the authors noted.

PSP, merchant responsibilities

The supplement augments guidance in Payment Card Industry Data Security Standard (PCI DSS) Version 3.2. In addition to general recommendations, it clarifies merchant responsibilities and approved implementation and certification methods. The authors also listed several approaches to ecommerce implementation involving various payment software, technologies and infrastructure.

Regardless of how a merchant chooses to implement ecommerce best practices, no option will completely remove a merchant's PCI DSS responsibilities, the authors stated. The merchant still needs to ensure that payment card data is protected and perform due diligence to verify that third-party service providers are protecting cardholder data in accordance with the PCI DSS. Acquirers and payment card brands may also require some merchants to conduct onsite assessments or complete a self-assessment questionnaire, they added.

The PCI SSC also recommended monitoring connections between merchants' information technology frameworks and third-party service providers to prevent information technology infrastructures from being compromised.

More growth in fraud, ecommerce predicted

In its 2017 Identity Fraud Study published Feb. 7, 2017, Javelin Strategy & Research found a 40 percent increase in online and new account takeover fraud, which analysts attribute to the EMV (Europay, Visa and Mastercard) migration in the United States, which shifted fraudsters from in-store to card-not-present (CNP) environments. The report found consumers who regularly visit ecommerce and mobile commerce sites are more likely to experience fraud, but were also faster to identify it.

Al Pascual, Senior Vice President, Research Director and Head of Fraud & Security at Javelin Strategy & Research said the report findings clearly indicate fraudsters never rest. "The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters," he stated. "To successfully fight fraudsters, the industry needs to close security gaps and continue to improve and consumers must be proactive too."

The PCI SSC has mandated the use of TLS 1.1 encryption or higher for payment card acceptance; the deadline is June 2018. The secure sockets layer TLS encrypts data as it travels between two endpoints, such as a web server and web browser. The council reported that Google recently installed an alert in its Chrome browser to notify users of unsecure websites. The PCI SSC's Best Practices for Securing E-commerce provides additional guidance to CNP merchants on evaluating and selecting certificate authorities.