The Council just published Best Practices for Securing E-commerce which educates merchants on accepting payments securely through online platforms and is an update to existing guidance previously published in 2013. We sit down with CTO Troy Leach to discuss the guidance.
Why is the Council issuing this information supplement?
Troy Leach: Securing the e-commerce environment continues to be critically important. According to several sources, e-commerce sales almost hit $2 trillion globally in 2016 with double-digit growth forecasted for several years to come. We also know that fraud is moving to card-not-present (CNP) environments with the implementation and acceptance of EMV chip, making e-commerce merchants a prime target for criminal hackers. The Council is uniquely positioned to help merchants since we are aware of the changing threat landscape of e-commerce environments. This supplement updates and replaces the previous PCI DSS E-commerce Guidelines, which was published in 2013. This version contains revised content to address changes in risk and supporting technologies.
What is the main audience for this paper and how can they use it to help secure e-commerce platforms?
Troy Leach: The audience for this guidance is primarily merchants that operate an e-commerce channel. This guidance will help them determine which solutions may be right for them, provide additional education on SSL/TLS encryption and digital certificates, as well as some common questions the merchant can ask their service provider. The guidance is also useful for third party e-commerce service providers and assessors that support the ongoing security of e-commerce environments.
Will this paper help merchants in their PCI DSS Validation efforts?
Troy Leach: The guidance includes a section specifically related to a merchant’s PCI DSS validation efforts and the applicable PCI DSS requirements for various environments. This section also includes a chart that illustrates the likely level of complexity for a merchant to secure different types of implementations.
It’s important to note that the information does not replace or supersede requirements in any PCI SSC Standard.
What are some common hurdles merchants have in securing their e-commerce platforms?
Troy Leach: For smaller businesses, many that are just starting up, developing an e-commerce presence is essential to begin building brand recognition and a customer base. However, those e-commerce merchants likely have limited resources related to IT or security. That means that they will potentially outsource most or all of their payment acceptance to a third party. Still, those merchants should be aware of how their e-commerce solution accepts payments, specific risks to their customers’ cardholder data and best practices that they or their service providers should be following to mitigate those risks. That is what is intended by this guidance. The guidance includes questions a merchant can ask their service providers to help them make an informed decision on whether PCI DSS requirements will be met and their customers’ cardholder data will be protected.
How will this guidance help merchants with the SSL/TLS migration?
Troy Leach: For those unfamiliar, the Council issued guidance that followed industry recommendations and removed SSL/early TLS as an example of strong cryptography from the PCI Data Security Standard (PCI DSS), stating that it can no longer be used as a security control after 30 June 2018.
Knowing that there is still confusion in the industry regarding encryption and digital certificate selection, we’ve dedicated a large portion of the information supplement to explaining SSL/TLS, with guidance on how to select a certificate authority, an outline of the different types of certificates and a list of potential questions merchants can ask service providers regarding digital certificates and encryption.
There is a section dedicated to “best practices” - can you give some examples?
Troy Leach: Sure. There are a number of best practices included in the guidance - I will share two that I see as fundamental to simplifying the effort to meet PCI DSS requirements: know the location of your data, and if you don’t need it, don’t store it. DSS Requirement 3.1, which suggests minimizing the business needs for storing cardholder data and consolidating to known and manageable locations, is highly critical for any environment but especially if you operate an e-commerce channel with a third party. Isolating all cardholder data away from non-cardholder data environments will reduce the number of locations requiring PCI DSS oversight and create a much more manageable set of assets for an e-commerce merchant to protect.
There is a section with case studies on different e-commerce solutions. How does this help the e-commerce merchants be more secure?
Troy Leach: We’ve included four case studies that illustrate examples from fully outsourced, to partially outsourced and merchant-managed models. The Special Interest Group did a wonderful job with easy-to-understand visual diagrams on how payment data may flow through a typical e-commerce transaction. Merchants can easily identify their implementation and better understand their risks, responsibilities and best practices that can be used to ensure secure e-commerce transactions that will meet the requirements of PCI DSS.
This paper was created by a Council Special Interest Group. Can you talk a little bit about this program?
Troy Leach: Delighted to, as the SIGs bring together smart, experienced payment security professionals from a wide-ranging group of PCI stakeholders - including merchants, financial institutions, service providers, assessors and industry associations. Deeply ingrained in the day-to-day of data security, these experts are able to share their experiences and knowledge to address important security challenges related to PCI Security Standards. The wealth of knowledge regarding e-commerce within this particular group was phenomenal. There was a collaborative spirit and engagement from experts in digital certifications, CNP processing, network security and all other aspects that a merchant would have to consider.