The Council just published Best Practices for Securing E-commerce which educates merchants on accepting payments securely through online and mobile platforms and is an update to existing guidance previously published in 2013. We sit down with Special Interest Group member Wayne Murphy, Senior Security Consultant (QSA/ASV) of Sec-1 to discuss the guidance.
Online fraud against UK retailers totaled an estimated £155.5 million in 2015, a rise of 13% on the previous year. There was also a substantial rise in fraud against online retailers based abroad, rising 27% to £103 million. Is this substantial increase a concern? Why are we continuing to see this trend in the UK?
I believe this increase is very concerning and will only continue. Further technologies designed to secure the card-present payment channels, such as Point-to-Point Encryption (P2PE) and EMV technologies, coupled with additional standards designed to secure Point of Interaction (POI)/PIN Entry Devices (PED), are making it much more difficult for criminals to obtain cardholder data (CHD) within this payment channel.
We may be seeing this trend since card-present channels are becoming harder to compromise due to more secure POI/PEDs being deployed, which is probably due to the adoption of EMV chip. Weak e-commerce security is likely to be an easier target. We are seeing more attacks against iFrame and redirect implementations in the wild, which prompted updates in the Self-Assessment Questionnaire (SAQ) A released in PCI DSS Version 3.2, bringing several requirements within Requirement 2 and Requirement 8 into scope for the webserver. The January 2017 SAQ update to SAQ A has made this clearer. Many stakeholders were still unclear as to what this update meant since the webservers were typically seen as being out-of-scope for iFrame and redirect implementations since the webserver is not involved in the storage, transmission or processing of cardholder data.
What do you see as the biggest threat for e-commerce businesses when it comes to protecting their customers’ payment information?
Businesses are still getting the basics wrong when it comes to e-commerce security. Default credentials allowing access to the e-commerce platform are still commonplace, and as Worldpay’s 2015 Payment Security Report identifies, SQLi (SQL Injection) and malicious web shells continue to be prevalent in attacks against web applications. Often the issue in these two vulnerabilities identified in the Worldpay report is attributed to poor software coding practices. At the 2016 European Community Meeting, the PCI SSC (Security Standards Council) announced that a PCI SSC working group is working towards a software security framework which should help to further bridge these issues. Following the PCI DSS would help businesses mitigate these issues identified, since it has requirements which cover software development and changing default credentials.
Is it possible for these businesses to outsource their payment security?
Sure, this is possible; however, businesses should carry out adequate due diligence checks to ensure the outsourcer is equipped to secure the payment and e-commerce functionality. Businesses should ask adequate questions of third parties to validate the security practices they deploy within the outsourced environment. It is very dangerous for businesses utilising an iFrame or Redirect to ignore basic security hygiene of their e-commerce platform by assuming the third-party will be handling this. The industry has already seen how compromised e-commerce platforms can circumvent security mechanisms instilled by payment service providers (PSP), due to weak security practices within the e-commerce platforms. PCI DSS Version 3.2 has highlighted this additional risk through the change to SAQ A, introducing additional requirements which are in scope for e-commerce platforms (webserver).
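The risk described in this answer is that a compromised merchant webserver can alter the iFrame or redirect so that the hosted payment form no longer belongs to the PSP. As an added illustration (not code from the PCI SSC paper or from Sec-1), the following check parses a checkout page and reports any iframe or form target that is not an HTTPS URL on the merchant's contracted PSP host; the PSP hostname and both sample pages are constructed placeholders.

```python
"""Integrity check for an iFrame/redirect checkout page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the merchant has contracted with its PSP (assumed placeholder).
ALLOWED_PSP_HOSTS = {"pay.example-psp.test"}


class PaymentTargetExtractor(HTMLParser):
    """Collect every iframe src and form action on the page."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (element, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))


def find_violations(html, allowed=ALLOWED_PSP_HOSTS):
    """Return (element, url) pairs whose target is not https on an allowed host.

    The full hostname is compared, so a look-alike such as
    pay.example-psp.test.attacker.test is still reported.
    """
    parser = PaymentTargetExtractor()
    parser.feed(html)
    bad = []
    for kind, url in parser.targets:
        u = urlparse(url)
        if u.scheme != "https" or u.hostname not in allowed:
            bad.append((kind, url))
    return bad


# Constructed sample pages: the expected page and a tampered copy.
CLEAN_PAGE = """<html><body><h1>Checkout</h1>
<iframe id="psp-frame" src="https://pay.example-psp.test/hosted-form?m=123"></iframe>
</body></html>"""
TAMPERED_PAGE = """<html><body><h1>Checkout</h1>
<iframe id="psp-frame" src="https://pay.example-psp.test.attacker.test/hosted-form"></iframe>
<form action="https://collect.attacker.test/submit" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    print("clean:", find_violations(CLEAN_PAGE))
    print("tampered:", find_violations(TAMPERED_PAGE))
```

Run against the live checkout page on a schedule, a non-empty result is the signal that the webserver, not the PSP, has been altered, which is exactly why SAQ A brings that webserver into scope.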
The majority of small businesses today are online merchants, who have little security knowledge or resources. What advice can you give to these businesses?
A good approach is to outsource e-commerce payments to reduce risk; however, be mindful that the business should not forget about securing the e-commerce environment. Engage a qualified and experienced cybersecurity expert to provide professional security advice, testing and best practice guidance for securing the e-commerce platform.
You were a member of the Council’s Special Interest Group which recently published Best Practices for Securing E-commerce. Can you share how you think this paper will help organizations secure their e-commerce platforms?
This newly released paper provides more up-to-date information to help organizations understand the various e-commerce implementations, as well as additional security concepts and technologies available today. In addition to this new information, the paper provides guidance on how to outsource these services to third-parties, which can reduce the organization’s overall compliance obligations. Understanding what e-commerce implementations are available to the organization, and how this decision impacts an organization’s PCI DSS compliance program, should empower them to choose an implementation which can limit the organisation’s overall risks and help to minimize applicable PCI DSS requirements.
An organization should also be able to use this paper to gain a further understanding of some typical security techniques and technologies available to e-commerce platforms. With the wider adoption of EMV chip and P2PE in the card-present channels, experience suggests that fraudulent activities will no doubt shift to “card-not-present” channels. With the ever-increasing number of online transactions taking place each year, e-commerce channels are likely to become a profitable source for fraudulent activities, so organizations need to be vigilant and employ greater security techniques, implementing basic cyber hygiene practices.
Finally, many organizations elect to outsource some of these platforms to third-parties. This decision is often made to remove the responsibilities from the organization, but sometimes this decision is made in a belief that a third-party providing this dedicated service is more competent at deploying effective security controls which would help protect the e-commerce platform from the myriad of external threat actors trying to compromise these platforms to harvest cardholder data. Although this paper provides some guidance on third-parties, the “Third-Party Security Assurance” information supplement released in March 2016 provides much greater detail on the subject.
What was your experience participating in this SIG? Why is it important for organizations to participate in Council Special Interest Groups?
This was my first special interest group participation. The experience exceeded my expectations, providing not only a platform to help the PCI DSS community and provide some excellent guidance documentation, but also a means to communicate with like-minded and talented individuals from all over the globe.
It is extremely important that various organizations from all aspects of the card payment eco-system participate in this process. This ensures a high-quality paper that is relevant to the real needs of the organizations who will be following the guidance. Participating in a SIG can improve an organization’s understanding of the PCI DSS and the intent of the topics and/or standards requirements, and can help to reduce their overall risks of card data compromise.