By: Brandon Polk, Director of Compliance Services
Contextual Security Solutions | April 1, 2017 @ 10:17
The Payment Card Industry Security Standards Council (PCI SSC) recently released guidance titled “Best Practices for Securing E-Commerce”. A large driver for this guidance is the migration from traditional magnetic-stripe payment cards to chip-enabled (EMV) cards. As chip-enabled payments have become widespread, payment card fraud has shifted from card-present transactions (physical swipes or dips) to card-not-present transactions, such as those made during online purchases.
The updated guidance applies to merchants and service providers of all sizes, budgets, and industries and clarifies how PCI DSS compliance requirements apply to electronic commerce implementations. It is an information supplement, so it does not add to or replace any PCI DSS requirement. The guidance describes the various methods of integrating e-commerce payment processing, such as merchant-managed payment pages and third-party hosted methods (URL redirect, iFrame, direct post, JavaScript forms, and APIs), and recommends best practices and security configurations for each. It also highlights the advantages and disadvantages of each method and the PCI DSS validation requirements associated with it, since the integration method determines how much of the merchant environment falls in scope.
Finally, the document describes common deployment scenarios via case studies that help explain the technologies and cardholder data flows, and it provides a checklist for securing e-commerce implementations. High-level topics include the following:
- Knowing the location(s) of all cardholder data
- If you don’t need cardholder data, don’t store it
- Evaluating risks associated with the selected e-commerce technology
- Service provider remote access to merchant environments
- ASV scanning of e-commerce environments
- Penetration testing of e-commerce environments
- Best practices for securing e-commerce
- Implementing security training for all staff
- Best practices for customer awareness
- Resources for additional information
The official guidance document can be found on the PCI Council’s site at the following address: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf