Fuelled by the exponential increase in online shopping in the past 4 years along with the move to EMV in the US, the PCI SSC has published an update to the 2013 'Best Practices for Securing E-commerce' guide. 

What's the crux?

The update replaces the 2013 guide from a PCI DSS Version 3.2 perspective and focuses on:

- Different e-commerce methods, including the risks and benefits

- The selection of appropriate public key certificate authorities

- Questions a merchant should ask its service providers

- General recommendations for merchants

One of the most important messages this guide gets across is that "no option completely removes a merchant’s PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected. A merchant is responsible for performing due diligence to ensure the service provider is protecting the CHD shared with it in accordance with PCI DSS."

At Foregenix, we regularly deal with breached merchants who are unaware or ignorant of their responsibility when it comes to storing customer card data, believing it to be safe as long as a redirect model is used. This guide points out that this is not the case - focusing on the risks of both the redirect and the iframe models.

Download the complete guide here: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf

If you would like to understand your website's risk, you can scan externally for free at webscan.foregenix.com