Fuelled by the exponential increase in online shopping in the past 4 years along with the move to EMV in the US, the PCI SSC has published an update to the 2013 'Best Practices for Securing E-commerce' guide.
What's the crux?
The guide replaces the 2013 version, is written from a PCI DSS Version 3.2 perspective, and focuses on:
- Different e-commerce methods, including the risks and benefits
- The selection of appropriate public key certificate authorities
- Questions a merchant should ask its service providers
- General recommendations for merchants
One of the most important messages this guide gets across is that "no option completely removes a merchant’s PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected. A merchant is responsible for performing due diligence to ensure the service provider is protecting the CHD shared with it in accordance with PCI DSS."
At Foregenix, we regularly deal with breached merchants who are unaware of their responsibility for customer card data, believing it to be safe as long as a redirect model is used. This guide points out that this is not the case, and it covers the risks of both the redirect and the iframe models.
Download the complete guide here: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf
If you would like to understand your website's risk, you can scan externally for free at webscan.foregenix.com
Exponential online sales growth paired with the EMV chip migration in the US makes e-commerce payment security for merchants more important than ever before. As EMV chip technology continues to reduce face-to-face credit card fraud, the shift to e-commerce security becomes increasingly important to businesses large and small. To help merchants shore up their e-commerce platforms, today the PCI Security Standards Council released Best Practices for Securing E-commerce. The information supplement will educate merchants on accepting payments securely online and is an update to existing guidance previously published in 2013.