PCI DSS Publishes Best practices for securing E-commerce Websites – 2017

E-commerce refers to buy and sell of products or potentially benefits by means of electronic channels, for example, the Internet.

E-commerce business was initially presented in the 1960s by means of an electronic information trade (EDI) on the value included systems.

Market research firm eMarketer projects e-commerce sales will eclipse $3.5 trillion within the next five years. The web will account for 7.3% of global retail sales this year, growing to 12.4% by 2019, eMarketer says

PCI Security Standards

The PCI Security Standards Council is a worldwide open body framed to create, upgrade, scatter and help with the comprehension of security measures for payment account security.

The Council keeps up, advances, and advances the Payment Card Industry Security Standards. It additionally gives basic tools expected to the execution of the guidelines, for example, assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

Educating merchants

To help merchants shore up their online business stages, the PCI Security Standards Council discharged Best Practices for Securing E-commerce.

Securing the E-commerce business environment keeps on being basically vital a current review found that 66% of customers claim they won’t buy from an organization that has been hacked.

Best practices for securing E-commerce Websites – 2017

The Best Practices for Securing E-commerce business data supplement incorporates handy proposals and contextual investigations to help merchants recognize the best answer for their particular cardholder information environment.

In addition to educating vendors, this most recent asset from the Council additionally gives direction to third party web based business specialist organizations and assessors that bolster the progressing security of internet business situations.

Following industry recommendations, in December 2015 the Council announced that all organizations that accept payment cards must use TLS 1.1 encryption or higher by June 2018.

Public key Certificate

SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel.

To underline the importance of using an encrypted channel, Google announced that beginning in January 2017, the Chrome browser will warn users when a website doesn’t use HTTPS.

There has been a good deal of confusion about SSL vs. TLS since early 2015, and this section is intended to address the points of confusion.

Per the PCI SSC Migrating from SSL and Early TLS: “SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel.

Certificate Transparency (CT) is a Google-started system (characterized at www.certificatetransparency.org) and is another system for further securing the SSL/TLS ecosystem.

At an abnormal state, it obliges CAs to submit data about each SSL/TLS authentication being issued to different CT log documents. These log records can be seen openly, alongside the domain name of the web server.

“Our community of members boasts a wealth of payment security knowledge to protect e-commerce transactions all over the world,” said Troy Leach, Chief Technology Officer for the Council. “

“This information supplement is a testament to their collaboration and willingness to share their experience with others and provides easy to understand examples of e-commerce scenarios along with best practices to secure cardholder data and meet PCI DSS requirements.

Their engagement on Council efforts like this paper, the Small Merchant Task Force, and other resource guides help educate merchants on how to make better business decisions to secure cardholder data. Our aim is to make cardholder data more secure in the most sensible way possible.”

Best Practices for Securing e-Commerce Website

• Use TLS 1.1 or higher when transmitting cardholder data internally (for example, at cardholder data ingress and egress points) throughout the network per PCI DSS Requirement 4.1.
• Due to the dynamic nature of e-commerce environments and frequent changes to websites and web applications, consider implementing a web application firewall (WAF) per PCI DSS Requirement 6.6 or additional intrusion-detection technologies per PCI DSS Requirement 11.4.
• It is also recommended that firewall rules be configured to ensure unwanted traffic does not access (both ingress and egress) the network per PCI DSS Requirement 1.2. It is important to understand the type and nature of any firewalls installed in a service provider environment that controls access to services or environments provided to the merchant.
• Follow PA-DSS when internally developing and implementing payment applications/shopping carts to help ensure that the application will follow good coding practices and support PCI DSS compliance per PCI DSS Requirement 6.3 and PA-DSS Requirement 5.
• Consider using third-party payment applications that are PA-DSS validated and noted on the List of Validated Payment Applications as “acceptable for new deployments” (see the PCI Council website for the current List of Validated Payment Applications).
• Regularly review any links (such as URLs, IFrames, APIs etc.), from the merchant’s website to the payment gateway to confirm the links have not been altered to redirect to unauthorized locations.
• Per PCI DSS Requirement 5, it is recommended the merchant check with its service provider to ensure anti-virus/anti-malware software is running on the systems provided to the merchant. If the service provider is not running AV software on the merchant’s behalf, it is recommended the merchant understand why and implement a solution of its own for those systems. It is also recommended a merchant have AV software running on the systems it manages as well.
• PCI DSS Requirement 10 details that a change-detection solution be in place. Typically, existing logging and monitoring tools can be configured to comply with PCI DSS requirements but it is worth explicitly asking the service provider whether a change-detection solution is in place.
• Merchants are advised to ask their service providers about the intrusion-detection/prevention systems and file-integrity monitoring in place according to PCI DSS Requirement 11.4 and 11.5. They are also advised to ensure their own systems are being monitored for intrusions.

Best Practices for Consumer Awareness

• Don’t use public, untrusted computers for e-commerce transactions. Public computers may not be secure and could be capturing payment card data as it is being entered.
• Don’t make purchases when connected to an unsecured wireless network (for example, using your laptop computer with a public Wi-Fi connection), unless you have a personal firewall on your computer.
• Be aware of “shoulder-surfing” when entering payment card data in a public location.
• Keep personal computers up to date with security patches.
• Always ensure your computer is running anti-virus software that is updated with the most recent virus.
• Always check for signs of a secure web page, For example, look for the “HTTPS” prefix in the web address, the little “padlock icon” at the top or bottom of the web browser, a green address bar, or a security seal before entering your payment card data.
• Use strong passwords that cannot be easily guessed (for example, don’t use your date of birth or your name as a password).
• Keep your passwords private. For example, don’t write them on a piece of paper attached to your computer (especially if you are in a public place), and don’t save them in a file on a computer that is shared with others.