New PCI Guidelines for E-Commerce

Addressing Risks for Merchants, Payments Providers

By Tracy Kitten, February 1, 2013.

A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments.


On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security. The guidelines relate to online infrastructures and how merchants work with third-party providers.

Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create, says Bob Russo, general manager of the PCI Security Standards Council.

E-commerce sites pose an increasing risk of cardholder data compromise because of poor security, he says.

"Fraud is moving down the chain to the card-not-present environment, and we're seeing the same old things leading to the compromises," Russo says. "Take SQL injection. It's an exploit that is 12 years old, and there are so many ways to prevent this. But we still see sites getting exploited by SQLs over and over again."

Securing the Payments Chain

The guidance offers a checklist of security recommendations and reminders, such as:

  • Know where cardholder data is located within the merchant's infrastructures and those of the processors and vendors to which they outsource.
  • Regularly test software and applications to detect if card data or other information is being stored unintentionally.
  • Evaluate the risks associated with the e-commerce technology in use.
  • Review the network and database risks posed by outsourcing functions such as payments processing and Web hosting to third parties.
  • Use PCI SSC Approved Scanning Vendors (ASVs) to scan Internet-facing systems on a regular basis, as the PCI Data Security Standard requires.
  • Define best practices for online payment application security.
  • Implement security training for internal staff.
  • Establish best practices for consumer awareness.

PCI: Connecting the Dots

Most cardholder security gaps result from poorly configured applications and software, such as online shopping carts, which are common on most e-commerce sites, Russo says.

"All card data is at risk when these things aren't addressed," Russo says. "There are different kinds of exploits that are being used in the e-commerce world that merchants have to be aware of."

Ensuring that vendors are regularly assessed and scanned for vulnerabilities to their networks is a must as well, he adds.

"From a vendor standpoint, if they look at this document, they'll know specifically what to do in order to create these applications in a secure manner," Russo says. "This guidance dives into coding. It reviews what we're seeing with online applications, where insecure passwords are being used or things are not being configured properly when they are installed. I know I sound like a broken record, but these issues continue to be a problem, so this document is comprehensive."

Evaluating Third Parties

The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to:

  • Online injection flaws;
  • Cross-site scripting, or XSS;
  • Online cross-site request forgery, or CSRF;
  • Buffer overflows, which occur when a program writes more data into a fixed-size buffer than it was allocated to hold;
  • Weak authentication and/or session credentials; and
  • Application and software misconfigurations.
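Russo's SQL injection remark above is the first item on this list. The snippet below is an added example, not code from the guidance or from this article: it shows a shopping-cart product lookup written two ways against a constructed SQLite catalogue (the table and column names, the SKUs and the `card_vault` table are assumptions made for the demonstration). The first version builds the query by string formatting and can be made to return hidden rows or the contents of a table the search never touches; the second binds the SKU as a parameter, with an allow-list check in front of it, so the same inputs return nothing.

```python
import re
import sqlite3
from typing import List, Tuple

def build_db() -> sqlite3.Connection:
    """Constructed sample catalogue (assumed schema, not from the page).

    card_vault stands in for any table the application never joins against
    the product search, but which an injected UNION can still reach.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (sku TEXT, name TEXT, price REAL, visible INTEGER);
        INSERT INTO products VALUES ('A100', 'Widget', 9.99, 1);
        INSERT INTO products VALUES ('A200', 'Gadget', 19.99, 1);
        INSERT INTO products VALUES ('Z999', 'Unreleased', 0.00, 0);
        CREATE TABLE card_vault (order_id INTEGER, pan TEXT);
        INSERT INTO card_vault VALUES (100045, '4111111111111111');
    """)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> List[Tuple]:
    """Query built by string formatting: the SKU is parsed as SQL text."""
    sql = ("SELECT sku, name, price FROM products "
           f"WHERE visible = 1 AND sku = '{sku}'")
    return conn.execute(sql).fetchall()

SKU_RE = re.compile(r"^[A-Z]\d{3}$")   # assumed SKU format for this catalogue

def lookup_safe(conn: sqlite3.Connection, sku: str) -> List[Tuple]:
    """Parameterised query plus allow-list validation of the SKU.

    The bound placeholder is the actual fix; the allow-list is defence in
    depth that also keeps junk input from reaching the database at all.
    """
    if not SKU_RE.match(sku):
        return []
    sql = "SELECT sku, name, price FROM products WHERE visible = 1 AND sku = ?"
    return conn.execute(sql, (sku,)).fetchall()

# Two classic payloads: the first makes the WHERE clause true for every row
# (AND binds tighter than OR, so the visible = 1 filter is bypassed too); the
# second appends a UNION that reads a table the search never touches.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT order_id, pan, 0 FROM card_vault --"

if __name__ == "__main__":
    conn = build_db()
    for payload in ("A100", TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", repr(payload), lookup_vulnerable(conn, payload))
        print("safe      :", repr(payload), lookup_safe(conn, payload))
```

Run stand-alone, the vulnerable lookup returns all three products, including the hidden one, for the tautology payload, and the stored card number for the UNION payload; the parameterised lookup returns an empty list for both and only the matching product for a genuine SKU. The same pattern applies to every database driver that offers bound parameters, which is why this class of flaw has no excuse for surviving in a 2013 shopping cart.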

Russo stresses, however, that the e-commerce guidance should complement, not replace, other PCI guidance and programs, such as the guidelines for ongoing risk assessments, issued in November, and the PCI Qualified Integrators and Resellers Program, issued in August.

The reason for the new guidance: "Our constituents asked for this," Russo says. E-commerce vulnerabilities are growing as more merchants move sales online, he adds, and most don't appreciate the new threats they face.

Follow Tracy Kitten on Twitter: @FraudBlogger
