Guest Blog Writer: Zach Walker of SecurityMetrics

Learn about common security issues and what you can do to secure your e-commerce business.

E-commerce merchants sometimes face confusion and difficulty when it comes to truly securing cardholder data. With this in mind, the Payment Card Industry Security Standard Council (PCI SSC) recently released a supplement with additional guidance for e-commerce websites.

This new guidance updates and replaces the Payment Card Industry Data Security Standard (PCI DSS) E-commerce Guidelines published in 2013. It offers specific guidelines for e-commerce businesses with reference to the PCI DSS version 3.2—which will go into effect on February 1, 2018.  

Here are a few tips based on the new guidance to get your e-commerce business PCI compliant.

1. Know the security considerations of your payment solution

E-commerce businesses have options when it comes to accepting payments. Here are a few examples, along with respective security needs:

Merchant-Hosted Payment Form: In this case, the merchant website hosts the payment page and form. All cardholder data is processed by the merchant web server (and other parts of their system) before being sent to the payment solution provider (PSP). Since the merchant handles the cardholder data, the entire set of PCI compliance controls used on the merchant’s systems is in scope.

iFrame: These methods embed a separate and protected payment page within the merchant’s
webpage. Monitoring and alerting controls will increase security.   

URL Redirect Model: Usually used by small- to medium-sized merchants who aren’t concerned with customizing or adding advanced features to the customer payment experience. The consumer is redirected from the merchant’s website to a third-party page where account data is entered into a payment page hosted by the third-party PSP. In this case, the merchant system doesn’t touch cardholder data, so fewer security controls are needed.

JavaScript Form: JavaScript-based solutions like Accept.js use JavaScript to intercept payment data and submit it directly to your PSP. It is also used by larger merchants who want to control the “look and feel” of their payment form.

To learn what PCI compliance means for your business, consult the PCI DSS Self-Assessment Questionnaire (SAQ) table. E-commerce merchants who outsource their payment processing will generally fall under SAQ A or SAQ A-EP, and you can learn the difference between the two categories here.

2. Update your SSL/TLS Certificate

You should be using the most current and up-to-date TLS (Transport Layer Security) certificates. Do not use any version of SSL, which is outdated and has been proven to have multiple exploitable vulnerabilities. The PCI DSS 3.2 requires that all businesses stop using any version of SSL—as well as earlier versions of TLS—by June 30, 2018. Authorize.Net plans to disable outdated versions of TLS  by February 28, 2018.

3. Encrypt, encrypt, encrypt

Make sure you know exactly where and how you are sending cardholder data. Use encryption to secure data in transit and in storage (even temporarily).

PCI DSS Requirement 4.1 requires that cardholder data must be encrypted when sent across open, public networks. Be sure you are using the latest TLS standards. And if you do need to store cardholder data for business or legal reasons, PCI DSS Requirement 3 says that you must encrypt it or store it through tokenization.  

4. Review code

Successful attackers find routes to sensitive data through poorly developed code. Common coding problems can create vulnerabilities, which could then allow attackers to successfully use tactics like cross-site scripting. Cross-site scripting is an attack strategy where hackers embed malicious code into vulnerable websites. Their intent is usually to gather user data like passwords and credit card numbers.

You should take measures to involve objective parties in any code review. To sum up the PCI DSS on this issue: you should review any code that could possibly interact with your payment card environment in any way. For large code introductions, such as product releases or when introducing a new website, consider a penetration test.

5. Limit employee access and train on protocol

Access to cardholder data should only be given to those who absolutely need it to perform their job. But, even if an employee does not have access to cardholder data, their workstation or device may store usernames, passwords, and other info that may be valuable to a hacker. All it takes is one unwitting employee to accidentally introduce malware into your system. Train employees quarterly, if not monthly, on your company’s security measures and protocols regarding email, attachments, downloads, passwords, etc.

 When it comes to e-commerce security, make sure you’re taking the right steps to secure your card data. E-commerce guidance from the PCI SSC is intended not only to help merchants become PCI compliant, but to help them understand the foundational principles of cybersecurity—creating a safer online payment environment for everyone. Remember that you’re not just protecting your clients; you’re looking out for your business and its reputation as well.

Zach Walker is the Director of Technical Support at SecurityMetrics and has been with the company for over 6 years. He has worked in the IT/security field for over 10 years, and has A+, Network+, Security+, CISSP, and ASV certifications. He is currently pursuing a bachelor’s degree in IT Security.

Have a great small business tip or want your business to be featured with your small business advice? Submit your story.