The Green Sheet Online Edition

February 27, 2017  •  Issue 17:02:02


PCI SSC revises ecommerce guidance

The PCI Security Standards Council (PCI SSC) published Best Practices for Securing E-commerce Jan. 31, 2017. The supplemental guide, written by the council's Securing E-commerce Special Interest Group (SIG), expands and revises content previously published in 2013.

Designed to help payments industry stakeholders combat increasing levels of online fraud, the report provides insights from merchants, financial institutions, third-party service providers, assessors and industry associations tasked with protecting card-not-present (CNP) environments, PCI SSC representatives stated.

Troy Leach, Chief Technology Officer for the council, praised SIG members for their collaborative efforts and unique case studies. "This information supplement is a testament to their collaboration and willingness to share their experience with others and provides easy to understand examples of e-commerce scenarios along with best practices to secure cardholder data and meet PCI DSS requirements," he stated.

The report, intended for existing and prospective ecommerce merchants of all sizes and industries, will be most useful to merchants and payment service providers (PSPs) that have a "solid understanding of their current e-commerce solution and environment," the authors noted.

PSP, merchant responsibilities

The supplement augments guidance in Payment Card Industry Data Security Standard (PCI DSS) Version 3.2. In addition to general recommendations, it clarifies merchant responsibilities and approved implementation and certification methods. The authors also listed several approaches to ecommerce implementation involving various payment software, technologies and infrastructure.

Regardless of how a merchant chooses to implement ecommerce best practices, no option will completely remove a merchant's PCI DSS responsibilities, the authors stated. The merchant still needs to ensure that payment card data is protected and perform due diligence to verify that third-party service providers are protecting cardholder data in accordance with the PCI DSS. Acquirers and payment card brands may also require some merchants to conduct onsite assessments or complete a self-assessment questionnaire, they added.

The PCI SSC also recommended monitoring the connections between a merchant's IT environment and its third-party service providers, so that a compromise on one side of the connection does not become a path into the other.

More growth in fraud, ecommerce predicted

In its 2017 Identity Fraud Study published Feb. 7, 2017, Javelin Strategy & Research found a 40 percent increase in online and new account takeover fraud. Analysts attribute the rise to the EMV (Europay, Visa and Mastercard) migration in the United States, which pushed fraudsters from in-store to CNP channels. The report found that consumers who regularly visit ecommerce and mobile commerce sites are more likely to experience fraud, but were also faster to identify it.

Al Pascual, Senior Vice President, Research Director and Head of Fraud & Security at Javelin Strategy & Research said the report findings clearly indicate fraudsters never rest. "The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters," he stated. "To successfully fight fraudsters, the industry needs to close security gaps and continue to improve and consumers must be proactive too."

The PCI SSC has mandated TLS 1.1 or higher for payment card acceptance, with TLS 1.2 recommended; the deadline for retiring SSL and early TLS (TLS 1.0) is June 2018. TLS, the successor to the Secure Sockets Layer (SSL) protocol, encrypts data as it travels between two endpoints, such as a web server and a web browser. The council noted that Google recently added a warning to its Chrome browser that flags pages served without encryption as not secure. The PCI SSC's Best Practices for Securing E-commerce provides additional guidance to CNP merchants on evaluating and selecting certificate authorities.
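The practical question behind the TLS requirement is whether an endpoint still negotiates SSLv3 or TLS 1.0 after it claims to have migrated. The following is an added example, not code from the PCI SSC or The Green Sheet: it reads the protocol version a server actually selected out of a TLS ServerHello (the message a capture tool or a test client would hand you) and grades it against the TLS 1.1 floor and the TLS 1.2 recommendation. The `build_server_hello` helper and the byte strings it produces are constructed for the demonstration, not captured from any real merchant site; the verdict strings are this example's own wording, not PCI SSC language.

```python
"""Grade the TLS version negotiated in a ServerHello against the PCI DSS
requirement of TLS 1.1 or higher (TLS 1.2 recommended).

Added example; the ServerHello bytes are constructed here, not captured.
"""
import struct

# Protocol version words as they appear on the wire.
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
PCI_MINIMUM = 0x0302          # TLS 1.1: the floor after the June 2018 deadline
PCI_RECOMMENDED = 0x0303      # TLS 1.2: what the council recommends
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446: carries the real version for TLS 1.3


def negotiated_version(server_hello: bytes) -> int:
    """Return the protocol version a ServerHello actually selects.

    Walks TLS record header -> Handshake header -> ServerHello body.
    A TLS 1.3 server freezes the body's version field at 0x0303 and puts
    the real choice in the supported_versions extension, so check that too.
    """
    if len(server_hello) < 5 or server_hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", server_hello[3:5])[0]
    body = server_hello[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip server_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    pos += 2 + 1                      # skip cipher_suite and compression_method
    if pos + 2 > len(hello):
        return version                # no extensions block (older servers)
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            return struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += ext_len
    return version


def pci_verdict(version: int) -> str:
    """Map a negotiated version word to a PCI migration verdict (example wording)."""
    name = VERSION_NAMES.get(version, f"unknown (0x{version:04x})")
    if version < PCI_MINIMUM:
        return f"FAIL: {name} is SSL/early TLS and must be disabled"
    if version < PCI_RECOMMENDED:
        return f"PASS (minimum): {name} meets the floor, but TLS 1.2+ is recommended"
    return f"PASS: {name}"


def build_server_hello(version: int, tls13: bool = False) -> bytes:
    """Construct a minimal ServerHello for testing. Not a real capture."""
    random = bytes(range(32))
    body = struct.pack("!H", 0x0303 if tls13 else version) + random
    body += b"\x00"                                   # empty session_id
    body += b"\x13\x01" if tls13 else b"\xc0\x2f"     # a cipher suite
    body += b"\x00"                                   # null compression
    if tls13:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, version)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    rec_version = 0x0303 if tls13 else version
    return b"\x16" + struct.pack("!HH", rec_version, len(hs)) + hs


if __name__ == "__main__":
    for v, t13 in [(0x0300, False), (0x0301, False), (0x0302, False),
                   (0x0303, False), (0x0304, True)]:
        print(pci_verdict(negotiated_version(build_server_hello(v, t13))))
```

In practice the bytes come from a capture of your own acceptance endpoint, or from forcing a test client to offer only SSLv3 or TLS 1.0; a server that still answers such a client with a ServerHello is the finding, regardless of what its configuration claims.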
