Sunday, February 3, 2013

New PCI Guidelines for E-Commerce

A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments. On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security.

The guidelines relate to online infrastructures and how merchants work with third-party providers. Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create.

Securing the Payments Chain

The guidance offers a checklist of security recommendations and reminders, such as:
  • Know where cardholder data is located within the merchant's infrastructures and those of the processors and vendors to which they outsource.
  • Regularly test software and applications to detect whether card data or other information is being stored unintentionally.
  • Evaluate the risks associated with e-commerce technology.
  • Review the network and database risks posed by outsourcing functions, such as payments processing and Web hosting, to third parties.
  • Hire PCI-approved website scanning vendors to validate, on a regular basis, Internet-facing environments for compliance with the PCI Data Security Standard.
  • Define best practices for online payment application security.
  • Implement security training for internal staff.
  • Establish best practices for consumer awareness.

Evaluating Third Parties

The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to:
  • Online injection flaws;
  • Cross-site scripting, or XSS;
  • Online cross-site request forgery, or CSRF;
  • Buffer or temporary data storage overflows, which result when programs or processes attempt to store more data than they were designed to hold;
  • Weak authentication and/or session credentials; and
  • Application and software misconfigurations.