New PCI Guidelines for E-Commerce

Addressing Risks for Merchants, Payments Providers
New PCI Guidelines for E-Commerce

A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments.

See Also: Defense Strategies for Advanced Threats: Breaking the Cyber Kill Chain with SANS 20 Critical Security Controls

On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security. The guidelines relate to online infrastructures and how merchants work with third-party providers.

Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create, says Bob Russo, general manager of the PCI Security Standards Council.

The risk e-commerce sites pose for cardholder data compromises is increasing because of poor security, he says.

"Fraud is moving down the chain to the card-not-present environment, and we're seeing the same old things leading to the compromises," Russo says. "Take SQL injection. It's an exploit that is 12 years old, and there are so many ways to prevent this. But we still see sites getting exploited by SQLs over and over again."

Securing the Payments Chain

The guidance offers a checklist of security recommendations and reminders, such as:

  • Know where cardholder data is located within the merchant's infrastructures and those of the processors and vendors to which they outsource.
  • Regularly test software and applications to detect if card data or other information is being stored unintentionally.
  • Evaluate risks associated within e-commerce technology.
  • Review the network and database risks posed by outsourcing functions, such as payments processing and Web hosting to third parties.
  • Hire PCI-approved website scanning vendors to validate, on a regular basis, Internet-facing environments for compliance with the PCI Data Security Standard.
  • Define best practices for online payment application security.
  • Implement security training for internal staff.
  • Establish best practices for consumer awareness.

PCI: Connecting the Dots

Most cardholder security gaps result from poorly configured applications and software, such as online shopping carts, which are common on most e-commerce sites, Russo says.

"All card data is at risk when these things aren't addressed," Russo says. "There are different kinds of exploits that are being used in the e-commerce world that merchants have to be aware of."

Ensuring that vendors are regularly assessed and scanned for vulnerabilities to their networks is a must as well, he adds.

"From a vendor standpoint, if they look at this document, they'll know specifically what to do in order to create these applications in a secure manner," Russo says. "This guidance dives into coding. It reviews what we're seeing with online applications, where insecure passwords are being used or things are not being configured properly when they are installed. I know I sound like a broken record, but these issues continue to be a problem, so this document is comprehensive."

Evaluating Third Parties

The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to:

  • Online injection flaws;
  • Cross-site scripting, or XSS;
  • Online cross-site request forgery, or CSRF;
  • Buffer or temporary data storage overflows, which result when programs or processes attempt to store more data than they were designed to hold;
  • Weak authentication and/or session credentials; and
  • Application and software misconfigurations.

Russo stresses, however, that the e-commerce guidance should complement, not replace, other PCI guidance and programs, such as the guidelines for ongoing risk assessments, issued in November, and the PCI Qualified Integrators and Resellers Program, issued in August.

The reason for the new guidance: "Our constituents asked for this," Russo says. E-commerce vulnerabilities are growing as more merchants move sales online, he adds, and most don't appreciate the new threats they face.

Inadequate website coding and poorly integrated payment gateways are often to blame for online breaches, Russo says.

"The advice we are offering is not only for the merchants, but also to show them what to ask their partners when they move to an e-commerce environment," he says. "Even if they are building their platforms internally, these are helpful hints about what they need to do."

It's a concern David Wallace, who oversees merchant security compliance for Chase Paymentech, a merchant acquirer, also recently raised.

"The ongoing perception in the world today [is] that systems, applications and products are inherently secure or inherently insecure, and that's simply not the case," Wallace said in an interview with BankInfoSecurity. "I've heard: 'I'm an e-commerce merchant. Payment application security isn't really my problem. It doesn't apply to me.' I've heard: 'We have a firewall. Compromises can't happen because the hackers can't get past it.'"

Those misconceptions about online security are what council is working to address, Russo says.

But one big problem: Many merchants don't appreciate the responsibility they have to ensure PCI compliance, even when portions or all of their e-commerce platform maintenance and transaction processing is outsourced to a third party, he says.

"Outsourcing is not the panacea everyone thinks it is," Russo explains. "A lot of people think if they outsource the entire environment and have someone else handle their credit card data that everything is done and they don't have to worry. But that's a big mistake."

In fact, many recent merchant breaches have been linked to insecure third-party practices, he says. "The merchant still has responsibility, and that's what we're addressing," Russo adds.

About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network