PCI DSS Compliance Overview for E-Commerce Businesses & Online Merchants

E-commerce businesses and online merchants are right in the crosshairs when it comes to PCI DSS compliance – and understandably so – as such platforms store, process and/transmit high volumes of credit card numbers on a daily basis. Add to the fact of growing web attacks, coupled with the continued launch of a dizzying array of websites selling products and services online via credit card transactions, the importance of cardholder data security of e-commerce platforms has never been greater.

There’s many challenges for merchants seeking to ensure the safety and security of their e-commerce platforms – and become PCI DSS compliant – so take note of the following overview and best practices, provided by Materdei Consulting LLC, providers of the industry’s highest quality PCI Policy Compliance Toolkits & policy templates for e-commerce merchants, service providers, and all other businesses seeking to become PCI DSS compliant:

Understanding the E-commerce Infrastructure for PCI Compliance

Web Servers: A web server’s primary purpose is storing, processing, and delivering web pages to clients, with web pages delivered (i.e., “served up”) via HTML documents, which may include images, style sheets and scripts in addition to text content. As for e-commerce web servers, they are generally publicly accessible and should thus NEVER store credit card data. Web servers, do, however, communicate with highly sensitive servers, such as application and database servers, which “should” be protected internally behind firewalls.

General provisioning and hardening of the web server, and the underlying application and operating system, should be performed for helping ensure its safety and security. General provisioning means removing default vendor accounts (passwords, etc.), removing and/or shutting down insecure services and protocols (telnet, etc.), putting in place necessary security monitoring and protection tools (File Integrity Monitoring – FIM, anti-virus, etc.). Securing web servers – all servers, if you will – goes a long way in protecting cardholder data.

Application Servers: Application servers perform critical functions and thus should never be publicly accessible. Additionally, application servers are not to interact or “face” the untrusted external network, instead, receiving requests from the web servers for any number of reasons. Furthermore, application servers may also receive responses or retrieve content from database servers and passing the results back to web servers for presentation to the consumer.

Data Storage: The data-storage platform for PCI DSS compliance essentially includes database servers and any other systems that may be used to store data. Because database servers often store cardholder data, such as the Primary Account Number (PAN), they must never be publically accessible. Additionally, if cardholder data is being stored, it must be encrypted, such as the use of file or column level encryption.

Shopping Cart Software: Many of today’s shopping cart software programs are effectively involved in authorization and settlement functions, ultimately requiring such software to be Payment Application Data Security Standards (PA-DSS) compliant. This is different from PCI DSS compliance, as the PA-DSS standards focus primarily on the application itself that’s performing critical authorization and settlement processes. Simply visit pcisecuritystandards.org to see if the shopping cart software being used is in fact PA-DSS compliant.

SSL and TLS Secure Transmission Methods: Secure Socket Layer (SSL) is now considered not to be a secure encryption data transmission protocol, requiring organizations to now move to the most current and stable version of TLS. It means for end-users of e-commerce systems, they’ll have to update browsers or have a broken connection. It’s a relatively straightforward approach, but one that needs to be implemented by e-commerce merchants for ensuring the continued security of data transmissions. Even early versions of Transport Layer Security (TLS) protocol are not considered an industry best practice, as experts are now pushing for the most current version of TLS. If you’re still using SSL, keep in mind that per the actual PCI DSS standards, you’ll need to have a documented risk mitigation plan in place that effectively discusses your long term plans from moving away from SSL and over to TLS.

Network Components and Essential Systems: Specifically, the firewalls, routers, switches, and load balancers that are in place for filtering traffic and protecting the cardholder data environment also need to be assessed for PCI DSS compliance. Who is responsible for provisioning such devices and establishing rulesets? Is this a function performed by your internal network engineers or a third-party entity? Do you have documentation – policies and procedures – describing such actions? It’s just another reason to consider purchasing and downloading our PCI Policy Compliance Toolkits & policy templates for e-commerce merchants.

Types of E-commerce Solutions and Platforms

The e-commerce system being utilized for helping manage and sell your products and services also has large implications regarding the Payment Card Industry Data Security Standards (PCI DSS) mandates. Are you using a well-known provider, such as Shopify or Volusion, is it SaaS based, are you hosting at your own data center, etc.? These are questions you’ll need to answer for ensuring PCI compliance.

Merchant Controlled E-commerce Platform: With this type of platform, Merchant-managed e-commerce implementations are generally those whereby the merchant effectively develops, or pays someone else to develop, their own payment application, or the merchant utilizes a commercial payment application. As such, the merchants web application and overall e-commerce structure are thus in scope for PCI DSS compliance. Additionally, such platforms may very well have PA-DSS applicability.

More specifically, PA-DSS stands for “Payment Application Data Security Standards”, thus, if your payment application conducts authorization and settlement functions and is also being used by other parties, then the application itself will need to become PA DSS compliant. Similar to PCI-DSS, PA-DSS requires an assortment of policies, procedures, and processes to be in place, but it’s also vastly different from PCI-DSS compliance in that the scope and main focus of PA-DSS is the actual payment application, and not the entire PCI-DSS environment.

Shared E-commerce Platform: Shared-management e-commerce implementations are those where the merchant effectively maintains responsibility for various elements of the e-commerce platform. With that said, there are three (3) common types of third-party provided ecommerce implementations that would fall under the “shared e-commerce” landscape, and they are the following:

Embedded APIs with direct post: One very well-known and often used approach is utilizing application programming interfaces (APIs) licensed to the merchant by the e-commerce payment processor. In such a scenario, the actual merchant will host a web application using third-party APIs that effectively redirects the payment information from the consumer’s browser directly to the e-commerce payment processor. Thus, an API allows the merchant to send code from its web page to the consumer’s browser (“client-side” code) so that when the credit card information is entered into the specific fields, the consumer’s browser posts the payment card data directly to the e-commerce payment processor and not to the merchant’s web application infrastructure.

Inline frames: iFrames essentially allow a web page to be embedded within another web page. The iFrame thus becomes a frame for a link to another page, therefore, a very common e-commerce implementation is to accept cardholder data via an e-commerce payment processor’s hosted web pages. These web pages can widely vary, ranging from a simple, short form containing only the fields necessary to process a payment transaction, to more complex levels. The merchant’s web application then embeds the e-commerce payment processor’s web payment page as an inline frame so that it appears as part of the merchant’s page. When data is entered into the payment page, it is posted directly to the e-commerce payment processor’s web application server instead of the merchant’s.

Hosted payment pages: Thus for a hosted payment page, instead of embedding the e-commerce payment processor’s payment page in a frame on the merchant’s web page, the merchant’s customer is instead redirected to the payment page on the e-commerce payment processor’s site to enter payment card data. Once payment is processed, acknowledgement is sent back to the merchant’s web application. Hosted payment pages are a great way of reducing your PCI DSS scope.

Outsourced E-commerce Platform: Do you completely outsource your entire process for accepting credit cards, such as using a company like Shopify, or do you actually enter credit card information into a completely different URL other than your website? If so, you may be able to remove many of the core PCI DSS requirements from scope, such as possibly using SAQ-A, provided you are under the prescribed threshold for annual transactions.

Challenges and Vulnerabilities with E-commerce Systems

PCI DSS compliance for e-commerce merchants is not always a black and white, easy-to-interpret scenario – as we’ve seen – so it’s important to clearly understand the essential components of your e-commerce system and what you’re responsible for in terms of compliance.
Best Practices and Recommendations

Know Where the Cardholder Data is: You can’t protect what you don’t know you have – particularly when it comes to highly sensitive credit card information, so make sure you know the exact whereabouts of cardholder data throughout the entire lifecycle of your business. This means understanding where cardholder data originates from, how it traverses the system, and where it is stored. Hey knowledge is power and it’s also a good for securing one’s e-commerce platform!

If you don’t need it, don’t store it: Do you have a real, genuine reason for storing cardholder data – if not – then get rid of it and use tokenization or a simple re-direct with a payment processor/gateway, letting them handle the sensitive storage aspect of cardholder data. Breaches happened because e-commerce merchants store credit cards and criminals know this, so if there’s nothing to steal, they’ll go somewhere else.

Picking the Correct Self-Assessment Questionnaire (SAQ): Merchants have a number of options when it comes to “self-assessing” with the PCI DSS standards, but remember that self-assessing is often easier said than done, ultimately requiring guidance and support from payment card industry experts. With that said, many merchants incorrectly choose SAQ-A, which is the easiest and shortest Self-Assessment Questionnaire, but it’s important to remember the following SAQ’s and their overall applicability:

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: Not applicable to face-to-face channels.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: Applicable only to e-commerce channels.

SAQ B: Merchants using only: (1). Imprint machines with no electronic cardholder data storage; and/or (2). Standalone, dial-out terminals with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ D for Merchants: SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.

Policies and Procedures Are Essential

One of the most important and time-consuming aspects of complying with the PCI DSS standards for e-commerce businesses are developing all the mandated information security policies and procedures. It’s why we offer our PCI Policy Compliance Toolkits & policy templates for e-commerce merchants for instant download today at pcipolicyportal.com. That’s right, whichever Self-Assessment Questionnaire (SAQ) you to decide to complete – or maybe it’s even a Level 1 onsite assessment – documentation is incredibly important and critical, no question about it, and here’s why:

Practices require documentation: From requesting changes to a firewall configuration, or moving a system from development to production – whatever the change may be – it needs to be documented for ensuring it was authorized, and has a complete history of such actions.
Third Party Reliance: Many e-commerce websites are hosted by managed services providers – the likes of Rackspace and others – meaning it’s critical to have policies and procedures in place regarding such third party providers roles and responsibilities, etc.
Awareness and Accountability: Employees need to be aware of what they can and cannot do at work – acceptable usage policies, if you will – and they also need to be aware of what actions will be taken against them for not adhering to such rules.
PCI DSS Standards: Read through the PCI DSS standards, and you’ll quickly see words and phrases such as “policies”, “procedures” and more littered throughout the twelve (12) requirements.

Our Toolkits Ensure Rapid PCI DSS Compliance

Developing policies and procedures – and adhering to them – is a large part of PCI DSS compliance, but you need more than policy templates to become compliant, that’s right, you also need risk assessment documentation, security awareness training materials, and other critical forms and checklists. And that’s exactly what you’ll receive when downloading the PCI Policy Compliance Toolkits & policy templates for e-commerce merchants today from pcipoolicyportal.com. Therefore, take note of the following initiatives every e-commerce vendor should be implementing, either as a mandate for PCI compliance, or a best practice for information security:

Assessing Risk: One of the very best ways for ensuring e-commerce businesses have a safe and secure platform for storing, processing, and/or transmitting cardholder data is conducting an annual risk assessment. Depending on which of the applicable Self-Assessment Questionnaires (SAQ) you choose, assessing risk is mandatory – but even if it’s not – doesn’t it just make good business sense to identify critical issues and threats facing your organization? Sure it does, and it’s why every e-commerce business should assess risk annually, regardless of PCI compliance.

Documentation: As for policies and procedures for e-commerce businesses, it’s now painfully clear that documentation is incredibly important, not only for documenting specific processes and actions, but also for assessing risk, along with training employees, and much more. Turn to the world’s leading authority on PCI DSS policy compliance documentation, and that’s pcipolicyportal.com.

Security Awareness Training: All the leading technology in the world means nothing without well-educated employees, those that can identify threats and concerns for an organization. The best defense against malicious actions in today’s cybersecurity world is having well-trained, thoughtful, and vigilant employees – and that’s exactly what high-quality security awareness training provides.

Compliance is an Annual Requirement: E-commerce vendors need to become – and maintain – PCI compliant each year, which means adhering to the applicable PCI standards and supporting best practices, while also ensuring policies and procedures are still in place and relevant. This can be a challenge, particularly for companies without additional resources, but compliance must be maintained, so finding and appointing a “PCI champion” is critical for continued certification.

Save Thousands of Dollars on PCI Compliance with our Toolkits

Looking for the very best documentation found anywhere in the world, then turn to the global PCI DSS experts at pcipolicyportal.com. We offer the very best policy packets and consulting & strategy services for helping e-commerce merchants and service providers become compliant with the Payment Card Industry Data Security Standards (PCI DSS). Visit pcipolicyportal.com today to learn more.