Learn what PCI 3.2 expects from e-commerce merchants. 

By: George Mateaki, Security Analyst, CISSP, QSA
Many e-commerce merchants face similar issues when it comes to securing cardholder data.

The PCI SSC recently released guidance for e-commerce websites. This guidance updates and replaces the PCI DSS E-commerce Guidelines published in 2013 and offers further direction for e-commerce businesses in line with PCI DSS version 3.2.
Here are a few things from the guidance that your e-commerce business should know under PCI 3.2.

Know your e-commerce payment implementations’ security needs

There are several technical tools and implementations e-commerce businesses can use as payment solutions. These tools, while often fairly secure, can come with some security risks that you should address. Here are a few examples:

iFrame
iFrames are used to embed a web page within another web page. Businesses often use this tool in the checkout process to embed the page that handles cardholder data.

Using an iFrame makes you eligible for SAQ A, but remember that the iFrame could still be vulnerable to malware attacks, specifically malicious scripts served from your own website. You will need monitoring and alerting controls to help identify and prevent these types of attacks.
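One form the monitoring control described above can take is a baseline check of the checkout page: confirm that the payment iFrame still points at the PSP over HTTPS and that no script outside a known-good allowlist has appeared on the page. This is an added example, not code from the PCI SSC guidance or from SecurityMetrics; the PSP host, the allowlisted script and the sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed baseline for the checkout page (illustrative values, not from the guidance).
PSP_HOST = "pay.example-psp.com"  # host of the PSP form embedded in the iframe
ALLOWED_SCRIPTS = {"https://shop.example.com/static/cart.js"}  # known-good scripts

class CheckoutPageParser(HTMLParser):
    """Collect iframe and script sources from the merchant's checkout page."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.inline_scripts = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self.inline_scripts += 1  # inline code cannot be matched against an allowlist

def audit_checkout_page(html):
    """Return findings; an empty list means the page still matches the baseline."""
    p = CheckoutPageParser()
    p.feed(html)
    findings = []
    for src in p.iframes:
        u = urlparse(src)
        if u.scheme != "https" or u.hostname != PSP_HOST:
            findings.append(f"payment iframe points to unexpected origin: {src}")
    for src in p.scripts:
        if src not in ALLOWED_SCRIPTS:
            findings.append(f"script not in allowlist: {src}")
    if p.inline_scripts:
        findings.append(f"{p.inline_scripts} inline script(s) not in baseline")
    return findings

# Constructed sample pages: the expected checkout page and a copy with one added script.
CLEAN_PAGE = ('<html><body><script src="https://shop.example.com/static/cart.js"></script>'
              '<iframe src="https://pay.example-psp.com/form?merchant=123"></iframe></body></html>')
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://unknown-cdn.example/extra.js"></script></body>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_checkout_page(page) or "OK")
```

Run on a schedule against the live checkout page and route any non-empty finding list to your alerting channel; the same comparison also catches an iFrame that has been repointed or downgraded to plain HTTP.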

Direct post method (DPM)
With DPM, your business's website generates the shopping cart and payment web pages. This puts your systems in scope for additional PCI DSS controls: you will need a subset of security controls to protect the web server and the payment form, and tools like firewalls, vulnerability scanning/penetration testing and patch management will also be required. With this method, you fill out SAQ A-EP.

Application programming interface (API)
This method involves system-to-system data transmission in which you control the progress of the payment transaction. Customer cardholder data is sent from the customer's browser to your website before it is forwarded to the PSP. Larger businesses and enterprises often use this method, since it allows them to handle more customers.

With an API, some risks are minimized, but since your business handles the cardholder data, you should apply the entire set of PCI DSS controls to your in-scope systems. If you use this method, you should fill out an SAQ D.

These payment methods all carry different risks and require different sets of security controls. Which one you use depends on the nature of your business and which works best for you. Just keep in mind that you must apply the security controls that match your choice.

Update your certificates

When it comes to your digital certificates, it's crucial that they are up to date and secure. Attacks like DROWN target non-secured certificates. Customers are also unlikely to visit your website if the browser labels its certificate as not secure.

It's highly recommended that you use current TLS certificates, which provide the most modern encryption and are proven to be secure. Do not use SSL, which is outdated and has multiple exploitable vulnerabilities. PCI 3.2 requires that all businesses migrate from SSL to TLS certificates by January 2018.

Encrypt where needed

Per PCI DSS Requirement 4.1, cardholder data must be encrypted when transmitted across open, public networks. There will also be times when you need to encrypt sensitive data at rest; make sure any cardholder data you do store is encrypted.

Encrypting cardholder data doesn't remove it from the scope of the PCI DSS. You should ensure that strong cryptography is used to secure the data, both in transit and in storage (even temporary storage).


Remember that your e-commerce business will have its own security challenges. Make sure you properly secure any sensitive data to protect your business and your customers.


George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.