The Council published Best Practices for Securing E-commerce which educates merchants on accepting payments securely through online platforms and is an update to existing guidance previously published in 2013. We sit down with Special Interest Group (SIG) participant Geoffrey Noakes, Symantec’s VP of Business Development, to discuss best practices for securing the e-commerce channel.
What are some common hurdles merchants have in securing their e-commerce platforms?
Geoffrey Noakes: Security is among the biggest concerns that shoppers have when buying online. There is constant news around phishing scams, spam, and cybercriminals intercepting customers’ financial data as it’s transmitted. For shoppers, this has a direct impact on their confidence and their purchases. For merchants, they see increased rates of shopping cart abandonment. With the adoption of Europay, MasterCard and Visa (EMV) “chip” cards in conventional retail environments where the shopper is present (point of sale), fraud is increasingly moving into the e-commerce Card Not Present (CNP) environments – thus making e-commerce merchants the prime target for criminal hackers.
Building a beautiful, easy-to-use, search-friendly website is important for shopper usability, but not the full answer to maximizing customers completing their purchases rather than abandoning their shopping carts.
In a fast-evolving cyber threat landscape, the task of selecting the right security aspects for an e-commerce site can be daunting. Therefore, one of the biggest hurdles merchants have is to showcase the trustworthiness and legitimacy of their business to reduce or eliminate customers’ concerns.
What is the main audience for this paper and how can they use it to help secure e-commerce platforms?
Geoffrey Noakes: The guidelines are particularly suitable for e-commerce merchants, and for any partners that are “in scope” for PCI Data Security Standard (PCI DSS) Requirement #4 (encrypt data in motion). Any website that processes, stores, or transmits cardholder details – and this includes financial organizations, not-for-profit organizations, health care institutions, and service providers like magazine subscriptions, gaming services, etc. – will benefit from the best practices that are specified in the PCI SSC’s Special Interest Group “Best Practices for Securing E-commerce” document.
The report helps companies to understand the various e-commerce implementations, security concepts, and technologies available today. This empowers e-commerce merchants to make more informed decisions and, at the same time, helps them meet PCI DSS requirements, thus minimizing the exposure to risk and ultimately driving more business.
There is a section dedicated to “best practices” – can you give some examples?
Geoffrey Noakes: PCI DSS Requirement #4 calls for the encryption of data in motion, typically referring to data sent between a browser and the merchant’s website. PCI DSS Requirement #4 does *not* say anything about authenticating the website. And that becomes the attack vector for phishers, thieves, terrorists, and others: they easily buy domain names (often with stolen credit cards or prepaid debit cards), and then buy basic domain validated (DV) SSL / TLS certificates. Whether cybercriminals are posting a fake e-commerce site or impersonating a legitimate one, DV certificates will encrypt the data without providing shoppers any assurance about the website to which they are sending their personal data – in many cases, the shoppers are delivering their cardholder data securely into the hands of cybercriminals.
The “Best Practices for Securing E-commerce” SIG document recommends, as a best practice, that merchants use organization validated (OV) or extended validation (EV) certificates. Sites with OV and EV have undergone rigorous authentication, so that shoppers can know who they are dealing with on the Internet.
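The distinction drawn above (a DV certificate proves only control of a domain name, while OV and EV certificates carry a vetted organization identity) is visible in the certificate itself. The following Go program is an added example, not code from the SIG document, the PCI SSC or Symantec. It classifies a certificate as DV, OV or EV by reading the CA/Browser Forum policy OIDs (2.23.140.1.2.1, 2.23.140.1.2.2 and 2.23.140.1.1) from the certificatePolicies extension, falling back to whether the subject carries an organization and country. Because it must run offline, it builds its own self-signed sample certificates that mimic the subject and policy contents of each type; those samples, the merchant name and the domain shop.example are constructed stand-ins. A merchant can run ValidationLevel against the certificate their own site actually serves to confirm it is the OV or EV certificate they believe they deployed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs that publicly trusted CAs place in leaf certificates.
var (
	oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32}     // certificatePolicies extension
	oidEV           = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // Extended Validation
	oidDV           = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV           = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
)

// policyInformation mirrors the ASN.1 PolicyInformation structure (RFC 5280 4.2.1.4).
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// certPolicies extracts every policy OID from the certificatePolicies extension.
// Reading the raw extension keeps this independent of Go's PolicyIdentifiers/Policies fields.
func certPolicies(cert *x509.Certificate) []asn1.ObjectIdentifier {
	var oids []asn1.ObjectIdentifier
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertPolicies) {
			continue
		}
		var infos []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
			continue // malformed extension: treat as no policies
		}
		for _, pi := range infos {
			oids = append(oids, pi.Policy)
		}
	}
	return oids
}

// ValidationLevel reports "EV", "OV" or "DV". Policy OIDs are authoritative when
// present; otherwise a subject with a validated Organization and Country is treated
// as OV, and anything else (typically a bare CN / SAN) as DV.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range certPolicies(cert) {
		switch {
		case p.Equal(oidEV):
			return "EV"
		case p.Equal(oidOV):
			return "OV"
		case p.Equal(oidDV):
			return "DV"
		}
	}
	if len(cert.Subject.Organization) > 0 && len(cert.Subject.Country) > 0 {
		return "OV"
	}
	return "DV"
}

// SampleCert builds a constructed, self-signed certificate that imitates the subject and
// policy contents of a DV, OV, EV or unlabeled (no policy extension) leaf. These are
// stand-ins for this example only; a real certificate is issued by a CA.
func SampleCert(kind string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "shop.example"},
		DNSNames:     []string{"shop.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	withOrg := func() {
		tmpl.Subject.Organization = []string{"Example Merchant Ltd"}
		tmpl.Subject.Locality = []string{"Springfield"}
		tmpl.Subject.Country = []string{"US"}
	}
	var policy asn1.ObjectIdentifier
	switch kind {
	case "dv":
		policy = oidDV
	case "ov":
		withOrg()
		policy = oidOV
	case "ev":
		withOrg()
		tmpl.Subject.SerialNumber = "12345678" // company registration number in EV subjects
		policy = oidEV
	case "unlabeled":
		withOrg() // organization present but no policy extension: exercises the fallback
	default:
		return nil, fmt.Errorf("unknown kind %q", kind)
	}
	if policy != nil {
		val, err := asn1.Marshal([]policyInformation{{Policy: policy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, k := range []string{"dv", "ov", "ev", "unlabeled"} {
		c, err := SampleCert(k)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s subject=%q policies=%v -> %s\n", k, c.Subject.String(), certPolicies(c), ValidationLevel(c))
	}
}
```

To check a live site, replace SampleCert with the leaf returned by tls.Dial's ConnectionState().PeerCertificates[0]; the policy-OID check is the reliable signal, since a CA will not put the OV or EV OID into a certificate whose organization it did not vet.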
Why is it important for organizations to view security as more than just an IT issue, but as a business priority?
Geoffrey Noakes: Whether it’s the way we shop, work, or pay our tax bill, trust and confidence in online services have become critical to our way of life.
Recent studies have shown that nearly 1 in 5 shoppers abandon shopping carts due to a lack of trust.
Encryption and authentication are important aspects of conveying security – ones that are often handled by IT teams. However, if a site gets labelled as ‘not secure’ this has an immediate impact on the image and reputation of the merchant, and it extends the business responsibility across the merchant’s entire organization.
The road to success and profit starts with solid compliance practices and security standards resulting in a trustworthy and sustainable business.
This paper was created by a Council Special Interest Group. Can you talk a little bit about your experience as part of the group that put forth this guidance?
Geoffrey Noakes: This was a fantastic experience and I wholeheartedly recommend that anyone with a good idea about protecting cardholder data propose that idea to the PCI SSC as a potential SIG during their annual SIG proposal period.
You will quickly find yourself surrounded by all sorts of subject matter experts – from the cardholder brands, the acquiring banks, the payment processors, merchants, Qualified Security Assessors (QSA), Approved Scanning Vendors (ASV), PCI Forensic Investigators (PFI), and other POs – that will reinforce and expand your ideas, challenge your ideas (which helps you explain them better and more clearly), and ultimately produce a report that helps the PCI ecosystem.