This October, the Payment Card Industry Security Standards Council (PCI SSC) will be issuing a major update to the PCI Data Security Standards (PCI DSS), which are required for accepting all electronic payments. The new additions will be discussed and presented at community meetings throughout the year, but in the meantime, it is crucial for online retailers to get up to date on the current standards.
To help merchants prepare for this update, the council also issued a new PCI DSS eCommerce guidelines Information Supplement on how to better secure themselves and achieve compliance. Developed by the PCI E-commerce Security Special Interest Group, this 39-page resource is chock full of helpful tips and content ranging from protecting your code to the online risks associated with payments gateways, web-hosting providers and more.
Below we highlight some key areas to focus on in order to be ready for the PCI DSS 3.0 release this fall.
Understanding Compliance vs. Security
For merchants, following PCI DSS is a vital step in protecting financial transactions, but many are still unaware of the difference between security and compliance. Though many eCommerce merchants are considered in compliance with the standards, they may not necessarily be secure. Compliance addresses some security measures but there are many areas of your website that can still be vulnerable.
Most security gaps are the result of poorly configured applications and software, such as online shopping carts. Aside from following PCI compliance protocols, all areas where customer information is entered and/or stored must be protected with additional measures like SSL encryption. Non-purchase pages are also in scope if you have an update feature where customers can change their payment or account information. Enlisting the help of third-party security providers can help mitigate the additional risks associated with accepting payments online.
Avoiding Common Security Risks
While there are many dangers eCommerce merchants face when it comes to securing their websites, SQL injection and cross-site scripting (XSS) attacks are among the most common, yet most often overlooked. Although these two attack methods have been around for years, they are consistently cited as the cause of many breaches each year.
Both SQL injection and cross-site scripting (XSS) use seemingly harmless input, such as database query fragments or HTML code, to trick websites into providing sensitive data or turning an end-user’s browser into a weapon. As we suggested above, it is important for merchants to go beyond just following PCI regulations and work with third parties to address these and other easy-to-fix vulnerabilities.
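To make the "easy to fix" point concrete, here is an added example (not from the post or from the PCI guidance) of the two patterns behind both flaws: an order lookup that splices untrusted input into SQL beside its parameterized replacement, and HTML output encoding for the value echoed back to the page. The table, rows and email values are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample data standing in for a shop's order table (not from the post).
ORDERS = [
    ("alice@example.com", "ORD-1001", "visa ****4242"),
    ("bob@example.com", "ORD-1002", "mc ****1111"),
]


def _connect() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, order_id TEXT, card_hint TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def lookup_orders_unsafe(email: str) -> list:
    """Vulnerable pattern: the input is spliced into the SQL text, so quote
    characters in it change the meaning of the WHERE clause."""
    conn = _connect()
    sql = f"SELECT order_id, card_hint FROM orders WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_orders(email: str) -> list:
    """Hardened pattern: the query text is fixed and the input is bound as a
    parameter, so the database only ever compares it as data."""
    conn = _connect()
    sql = "SELECT order_id, card_hint FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_greeting(email: str) -> str:
    """XSS side: anything echoed into HTML is escaped so markup in the
    input is displayed as text instead of being interpreted by the browser."""
    return f"<p>Orders for {html.escape(email, quote=True)}</p>"


if __name__ == "__main__":
    probe = "nobody@example.com' OR '1'='1"   # constructed input with a stray quote
    print(lookup_orders_unsafe(probe))        # returns every customer's row
    print(lookup_orders(probe))               # [] - no such email exists
    print(render_greeting("<b>x</b>"))        # markup rendered inert
```

The check a reviewer wants here is the second call: with the parameterized version, an input containing quote characters matches nothing, which is exactly what an address that does not exist should return.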
Start by reviewing the latest eCommerce guidelines for tips on better coding, trends in online application protection, as well as areas that are commonly not configured properly when they are installed. Additionally, check out our previous post on the most common ways cybercriminals get in and how to keep them out.
Evaluating Third Parties
Along with common security mistakes, many merchants don’t realize that the responsibility to ensure PCI compliance continues even after payment processing or other functions are outsourced to a third party. All too often, businesses fail to assess the PCI compliance of their credit card processors or add extra security to payment gateways or iFrames. In fact, many recent merchant breaches have been linked to insecure third-party practices.
Even if another company is handling part or all of the environment, merchants still need to know where and how cardholder data is handled by the vendors to which they outsource. Again, refer to the guidance for tips on how to work with third parties to address those risks in preparation for the PCI DSS 3.0 release.
While the new standards won’t become effective until Jan. 1, 2014, merchants must be aware of what they are missing now. As each new version is released, merchants who fail to stay up to date will fall farther and farther behind on their compliance duties, putting consumers in danger as a result. The PCI DSS are crucial to the foundation of any online business—not only for ensuring safe financial transactions but also helping to build customer confidence. By following the eCommerce guidance, online businesses can take the necessary steps to keep their customers’ data safe.
Visit our website for more information on how the McAfee PCI Certification Service can provide your company with step-by-step compliance guidance, and be sure to follow us on Twitter at @McAfeeSECURE for the latest in eCommerce news and events.