The Green Sheet Online Edition
February 27, 2017 • Issue 17:02:02
PCI SSC revises ecommerce guidance
The PCI Security Standards Council (PCI SSC) published Best Practices for Securing E-commerce Jan. 31, 2017. The supplemental guide, written by the council's Securing E-commerce Special Interest Group (SIG), expands and revises content previously published in 2013.
Designed to help payments industry stakeholders combat increasing levels of online fraud, the report provides insights from merchants, financial institutions, third-party service providers, assessors and industry associations tasked with protecting card-not-present (CNP) environments, PCI SSC representatives stated.
Troy Leach, Chief Technology Officer for the council, praised SIG members for their collaborative efforts and unique case studies. "This information supplement is a testament to their collaboration and willingness to share their experience with others and provides easy to understand examples of e-commerce scenarios along with best practices to secure cardholder data and meet PCI DSS requirements," he stated.
The report, intended for existing and prospective ecommerce merchants of all sizes and industries, will be most useful to merchants and payment service providers (PSPs) that have a "solid understanding of their current e-commerce solution and environment," the authors noted.
PSP, merchant responsibilities
The supplement augments guidance in Payment Card Industry Data Security Standard (PCI DSS) Version 3.2. In addition to general recommendations, it clarifies merchant responsibilities and approved implementation and certification methods. The authors also listed several approaches to ecommerce implementation involving various payment software, technologies and infrastructure.
Regardless of how a merchant chooses to implement ecommerce best practices, no option will completely remove a merchant's PCI DSS responsibilities, the authors stated. The merchant still needs to ensure that payment card data is protected and perform due diligence to verify that third-party service providers are protecting cardholder data in accordance with the PCI DSS. Acquirers and payment card brands may also require some merchants to conduct onsite assessments or complete a self-assessment questionnaire, they added.
The PCI SSC also recommended monitoring connections between merchants' information technology frameworks and third-party service providers to prevent information technology infrastructures from being compromised.
More growth in fraud, ecommerce predicted
In its 2017 Identity Fraud Study published Feb. 7, 2017, Javelin Strategy & Research found a 40 percent increase in online and new account takeover fraud, which analysts attribute to the EMV (Europay, Visa and Mastercard) migration in the United States, which shifted fraudsters from in-store to card-not-present (CNP) environments. The report found consumers who regularly visit ecommerce and mobile commerce sites are more likely to experience fraud, but were also faster to identify it.
Al Pascual, Senior Vice President, Research Director and Head of Fraud & Security at Javelin Strategy & Research said the report findings clearly indicate fraudsters never rest. "The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters," he stated. "To successfully fight fraudsters, the industry needs to close security gaps and continue to improve and consumers must be proactive too."
The PCI SSC has mandated the use of TLS 1.1 encryption or higher for payment card acceptance; the deadline is June 2018. The secure sockets layer TLS encrypts data as it travels between two endpoints, such as a web server and web browser. The council reported that Google recently installed an alert in its Chrome browser to notify users of unsecure websites. The PCI SSC's Best Practices for Securing E-commerce provides additional guidance to CNP merchants on evaluating and selecting certificate authorities.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.