The PCI Standards Council recently released their eCommerce Guidelines document, created by the eCommerce Special Interest Group (SIG). I am writing this post to summarize this 40-page document and to provide you with some guidance while hopefully saving you time (since it takes a while to read through 40 pages). This document only pertains to those entities that conduct cardholder transactions over the Internet. This information does not apply to strictly brick-and-mortar enterprises.
As with other documents published by PCI SIGs, the purpose of this document is to provide a guideline for eCommerce merchants to help them understand various e-commerce architectures, models, and scoping considerations, and how these pertain to securing cardholder transactions and ultimately to maintaining PCI compliance.
Thanks much to those folks who have volunteered to participate in the SIG to research and create this document – it’s these efforts that allow the PCI Data Security Standard (DSS) to evolve. Keep in mind that the information presented in this document is only a guideline and is not to be considered the PCI standard itself, although it is quite feasible for the PCI Council to adopt some of the information from this report into a future version of the standard.
Things You Should Know
The SIG did a good job of covering the various e-commerce models, including descriptions of Third Party Entities (payment gateway, web-hosting provider, infrastructure hosting provider) and their degree of responsibility towards PCI compliance.
There was a description of the various e-commerce infrastructure elements (web servers, application servers, data storage), which also stated that all of these elements are considered to be in scope.
The e-commerce elements section was quite useful, and was the meat of the document in my opinion – it included information about shopping carts (and the fact that they may need to be PA-DSS compliant if provided by a Third Party, or, if developed in-house, should meet the spirit of PA-DSS compliance).
The document then described several common e-commerce scenarios, including:
- Merchant-managed e-commerce implementations.
- Proprietary/custom developed shopping cart/payment app – should meet the spirit of PA-DSS.
- Commercial shopping cart/payment app – should be PA-DSS certified.
- Shared-management e-commerce implementations – this is NOT outsourcing PCI DSS responsibility, though it may help reduce scope. There is a security risk for the merchant since weaknesses on the merchant’s website can lead to compromises of payment card data during the transaction process.
- Third-party embedded application programming interfaces (APIs).
- Inline frame (iFrame), which allows a payment form hosted by a third party to be embedded within the merchant’s page – this section included some great Best Practices suggestions about securing iFrames.
- Third-party hosted payment page redirect.
- Wholly outsourced e-commerce implementations – this may allow for a merchant to use the SAQ A form if indeed no cardholder data flows go into the merchant’s environment.
Best Practices Recommendations
The document provided some good Best Practices takeaways. Some of these items should go without saying, and really are just part of what you need to do to be PCI compliant in the first place, and some are good things to embed into your governance program:
- Know the location and flows of your cardholder data. This is the between-the-lines requirement of PCI DSS 2.0.
- If you don’t need it, don’t store it. This has always been the mantra of PCI and rightfully so!
- Evaluate the risks associated with the selected e-commerce technology. Why not build this into your regular risk assessment cycle?
- Address risks associated with outsourcing to Third-party Service Providers. Ditto. Also, there is a SIG working on a third-party risk document, so more info is coming in the future.
- Along those lines, ensure that third parties’ signed Attestations of Compliance (AOCs) confirm that their compliance status is current (like merchants, service providers should validate PCI DSS compliance annually), and that the services being provided to the merchant are covered by the service provider’s PCI DSS assessment.
This well thought-out document is a great primer for those who are somewhat unfamiliar with e-commerce environments. It should help merchants and QSAs alike to better understand how e-commerce environments should protect cardholder data and also how they should be reviewed during a PCI assessment. While PCI is many shades of gray, these guidelines should help add a little bit more black and white.