E-commerce businesses have exponentially flourished over the past decade. With the boom in the industry, so has the level of risk in context to data breach/ theft spiked over the years. It is therefore imperative for e-commerce businesses to ensure safety and protect consumer data. E-Commerce businesses are expected to create a safe environment for customers providing their payment information to make purchases online. For the benefit of consumers and to help merchants secure their payment data application, PCI SSC has provided a detailed guideline suggesting the Best Practices for Securing E-commerce. The information provided will educate merchants and help them in securing payment application and cardholder data. Lets us today through this article learn about the recommendations offered by PCI SSC and understand how it will help merchants.
12 Best practice for securing E-commerce
In addition to meeting the PCI DSS requirements, the e-commerce merchants should also consider adopting the recommended security best practices for securing e-commerce business. Below given is a list of best security practice outlined by PCI SSC for e-commerce merchants
1. Know your cardholder data
Merchants are recommended to draw out a data flow diagram to map out the flow of Cardholder Data across various networks and systems. This process will help merchants identify systems and connected systems that store process and transmit cardholder data. It clearly elaborates how the cardholder data is processed and flows within a network and across multiple networks. It is also recommended that the merchants conduct a periodic review to ensure systems and applications implemented are updated and relevant.
2. Avoid storing cardholder data if not required
It goes without saying that the risk of data theft/breach gets eliminated if the merchants do not store CHD if not required. Ideally, merchants should consolidate the necessary cardholder data in a known location and isolate it from noncard holder environments. This will reduce the scope of compliance in context to the number of locations and the amount of cardholder data need to be protected. It will further help restrict the number of access points to the CDE that need to be secured. So, remember, if your business does not have a legitimate reason to store CHD, it is best not to store it. However, it is important to note that merchants or businesses that have a legitimate reason to store CHD should never store Sensitive Authentication Data (SAD) – Magnetic Stripe data and Card Validation Code also known as CVC/CVV/CVV1/CVV2.
3. Evaluate technology-related risks
Merchants should evaluate risks associated with payment applications and technologies they plan to use or implement for online payment. Whether an e-commerce solution is completely hosted and managed by the merchant, or partially outsourced to a third party, or fully outsourced to a third party shall result in different levels of risk for the merchant. The merchant must conduct a risk assessment to ensure all applications in use are secured and well managed. Either way, the PCI DSS requirement clearly calls for an annual risk assessment program to be conducted by Merchants.
4. Third-Party payment application & PA-DSS
Consider using highly integrated payment technology to minimize risk security for your e-commerce. Merchants should opt for a PA DSS Validated third party payment application that is noted on the List of Validated Payment Applications. This shall reduce the scope of Compliance for Merchants but will however need to ensure that the third-party vendor is compliant and PA DSS Validated. Its important to be pointed out that the new standard PCI SSF has been introduced as the next upgrade of PA DSS.
You can also view our webinar on PA DSS and PCI SSF by clicking here : PA DSS and PCI SSF
5. Third-Party access to the merchant’s environment
E-commerce businesses that have third party vendors involved need to ensure that access given to them is restricted and limited only to their requirements. For security reasons, merchants should have in place multi-factor authentication for remote access into the merchant’s cardholder data environment. Merchants should also provide limited ID access that allows service providers to have access to CHD Environment only when required and at the time when merchants are aware of the access. This will limit the risk of a potential hack by malicious individuals using a service provider’s credentials for access.
6. ASV scanning of E-commerce Environments
Be it an in-house payment application or a third-party application, conducting an ASV Scan is essential. The ASV scans help identify common vulnerabilities within the system and provides a report of those vulnerabilities. It is the merchant’s responsibility to ensure that the hosted environment clears from the scan test that is conducted every quarter.
7. Penetration Testing of E-commerce Environments
Merchants are expected to conduct regular Penetration tests to ensure the cardholder data environment is well protected. Even if the merchant is using a third-party service, they are expected to ensure that the third-party conduct an annual test as per the PCI DSS requirement to ensure the CHD is safe and there is no room for a possible breach or hack.
8. Deployment of firewalls
Merchants should consider implementing web application firewalls (WAF) and other necessary intrusion-detection technologies to limit access to unwanted traffic. From a security point of view, it is recommended that merchants deploy additional firewalls between the application server and the database server to limit risks from the Internet-connected web server.
9. Deployment of anti-virus and malware software
Merchant should also ensure the deployment of anti-virus/anti-malware software on systems. Be it a system run by the merchants themselves or by the third party, having relevant anti-virus and malware software is essential
10. Advanced monitoring tools
Having advanced monitoring tools like a change-detection solution (File integrity monitor – FIM), intrusion detection tool and NTP Server in place is essential. Merchants are expected to ensure their service providers have all the necessary monitoring tools in place to determine any potential threat. Merchants are also advised to ensure their own systems are equipped with tools that monitor for intrusions.
11. Implementing security training for staff
Training your staff about security threats and making them aware of the potential risk is essential for businesses. Make them aware of the general security issues like social engineering techniques used by unauthorized individuals to gain access to areas with cardholder data. Ensure all staff is trained to use systems securely and follow the set procedures and guidelines during operation. Moreover, train them to take appropriate measures in the event of a suspected breach.
12. Refer to PCI SSC resources
The PCI Security Standards Council has published numerable documents with guidelines, information, FAQ, and other related resources pertaining to information security initiatives. PCI SSC also provides a variety of training and educational resources for building security awareness within the payment card industry. These offerings include PCI Awareness, PCI Professional (PCIP), and PCI DSS training for Internal Security Assessors (ISA). Merchants and third-party service providers are expected to refer to these documents to ensure security and compliance to the PCI DSS Standards.
You can watch our webinar on how to secure E-commerce business using PCI DSS
How can VISTA InfoSec help e-commerce businesses implement the best security practices?
VISTA InfoSec is a highly acclaimed InfoSec consulting and service provider offering clients across the globe guidance in meeting industry standards and regulatory requirements. The company has about 2 decades long year of experience (16 years) in the industry and has offered several esteemed clients Advisory services and guidance in achieving Compliance. The company offers a wide range of Compliance services which include but is not limited to PCI DSS Compliance, PA DSS, PCI PIN, SOC1, SOC2, GDPR, CCPA, MAS TRM, NESA to name a few. Leveraging on its team of expert Advisors, the company performs audits on security management and data storage systems to ensure that merchants, vendors, and other stakeholders achieve compliance. To add to its expertise and credentials, VISTA InfoSec is also a qualified PCI QPA which gives them the authority to validate an entity’s adherence to the PCI PIN Standard. To learn more about VISTA InfoSec and to connect to their Compliance Specialist, visit their website www.vistainfosec.com or simply drop a mail on n info[at]vistainfosec.com
