PCI Security Standards Council Releases Best Practices for Securing E-Commerce
What Is the PCI Security Standards Council?
E-commerce transactions have increased over the past decade, to the mutual delight of e-commerce business owners and of consumers eager for their wares. In response, it has become increasingly crucial that e-commerce business owners provide safeguards to protect consumer data. The PCI Security Standards Council (PCI) states, as part of its mission, that “the security of cardholder data affects everybody.”
E-commerce business owners must create an environment in which loyal customers feel safe and confident when providing their payment information for a purchase. In turn, just as e-commerce customers must trust merchants, merchants benefit from a set of standards and regulations that serve to protect their business. PCI diligently provides such backup for e-commerce businesses.
The PCI Security Standards Council is “a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.” Following PCI’s regularly updated standards and best practices helps you keep your systems secure and your business compliant. Your ongoing diligence in adhering to the best practices covered in each update shows your customers that you are part of the solution to protecting their data in the wide world of online shopping.
What Risks Do the World’s E-Commerce Businesses Face When Dealing with Customer Account Information?
Cyber-attackers are ready, willing, and able to hack into nearly any type of business, which certainly includes e-commerce businesses. In 2014, eBay, Inc., suffered an intrusion and requested that all customers change their passwords. It is easy to imagine how damaging such a data breach could be for this U.S.-based multinational e-commerce corporation. However, with eBay’s long history, dating back to 1995, along with its fairly quick detection and reporting of the data compromise to its customers and shareholders, the company held tight. The online bidding website’s IT team was able to determine that while the hackers breached user passwords, they did not obtain customer data.
eBay’s experience is not uncommon. Their compliance with standards and best practices in the protection of customer data likely spared them and their valued customers greater damage.
The Guardian reports that many of the U.K.’s online sellers are not PCI-compliant and suffer the consequences. The online U.K. newspaper goes on to report the findings of “ethical hacking” by a consulting firm called SecureTest, which found several fundamental flaws among e-commerce businesses in the U.K. The article discusses a few of these problems, including password weaknesses and a lack of adherence to the guidelines set forth by the PCI Security Standards Council.
British e-commerce businesses, as well as many others around the world, would benefit from taking note of PCI’s best practices. Companies whose IT teams are already overwhelmed with daily tasks may enlist the help of consulting firms that specialize in helping to shore up database security for online transactions.
What Are the New Best Practices from the PCI Security Standards Council?
Foregenix attributes PCI’s updates to the exponential increase in online shopping over the past four years and to the rollout of EMV (Europay, MasterCard and Visa chip-card) payments in the United States. Delivering new standards and refining existing standards, rules, and regulations that have come to light since the last update in 2013, PCI published its “Best Practices for Securing E-Commerce” in January 2017.
This 2017 release replaces the 2013 guide and is written from a PCI DSS Version 3.2 perspective. Above all the new regulations set forth in this guide, it is important to keep in mind the overriding message that “no option completely removes a merchant’s PCI DSS (Data Security Standard) responsibilities,” according to Foregenix.
Essentially, the 2017 PCI Best Practices Guide is expanded and revised content based on the work of the Securing E-Commerce Special Interest Group (SIG), according to the full PDF document, which is available online via the PCI Security Standards Council website.
A few of the highlights that merit special attention when implementing them in your own e-commerce business include the following:
Understanding E-Commerce Implementations and Their Effects
This portion of the guide discusses the various implementations and their implications for your e-commerce organization as the merchant. You will find recommendations for safe and secure implementations, as well as the potential applicability of the PCI DSS SAQ (Self-Assessment Questionnaire). The guide covers merchant-managed, shared-management, and wholly outsourced implementations.
Choosing Public Key Certificate Authorities
Your digital certificate provides authentication between a customer’s browser and your e-commerce business’s web server. The certificate also supports an added layer of protection, built into the encryption process, that scrambles the message while it is in transit between the browser and the web server. Digital certificates thus underpin both authentication and encryption, which are essential tools in protecting your customers’ confidential data as they make their online purchases. The guide helps give you a more detailed understanding of certificates and their value to your e-commerce company.
Selecting the Best Questions to Ask Your Service Providers
Your e-commerce business’s ongoing success relies on providing a safe shopping and payment environment for your customers. You need to prepare certain questions to ask your service providers (SPs) to make sure you are on the same page. Ask prospective SPs about their compliance validation and the services they provide, to make sure your platform and shopping environment are sound, safe, and secure.
The guide also makes general recommendations covering your legal and contractual obligations with service providers and the available options for approved scanning vendors (ASVs).
Do You Worry About Your Compliance with PCI Security Standards Council Best Practices for Securing E-Commerce?
PCI has definitely made some serious additions to its Best Practices Guide that might seem overwhelming. If you need help sorting out the changes, our team at I.S. Partners, Inc. can help. We can read through all the changes and discuss anything that seems complex to you, to make sure you are in full compliance for your customers’ security and your own peace of mind. Give us a call at 215-675-1400 or send us a message to discuss all the ways we can help you keep your e-commerce business safe, secure, and compliant with PCI’s standards.