PCI e-commerce guidance issued for merchants


The group responsible for managing payment security standards has crafted new guidance for protecting e-commerce technologies and transactions, a topic of growing concern among merchants doing business online.

The Payment Card Industry Security Standards Council (PCI SSC) on Thursday published the “PCI Data Security Standard (DSS) E-Commerce Guidelines Information Supplement,” which outlines common vulnerabilities in e-commerce environments and offers security best practices for organizations that collect payment card data.

Bob Russo, general manager of the council, told SCMagazine.com on Wednesday that the guidance also provides a reference point for developers of e-commerce web applications, like e-shopping carts and security solutions.

“Most of this guidance is down-to-earth primer for the merchant to make sure they are touching on all the aspects they are seeing in today's world when adding e-commerce onto their brick and mortar,” Russo said.

The guidance names SQL injection, cross-site scripting and buffer overflows as the top weaknesses in web applications. Weak passwords or login credentials and security misconfigurations are also listed as common vulnerabilities.
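As an added illustration of the first two weaknesses named above (example code written for this page, not material from the PCI SSC guidance), the following Python script shows a login query built by string concatenation beside its parameterized form, and an HTML-escaping helper for the cross-site scripting case. The customer table, its two accounts and the function names `login_vulnerable`, `login_parameterized` and `render_order_note` are all constructed for the demonstration; no real card or customer data is involved.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory customer table for the demonstration.

    Passwords are stored in the clear only to keep the example short; a real
    merchant application would store a salted password hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "correct horse"),
         ("bob@example.com", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Authenticate by concatenating user input into the SQL text.

    Anything the user types becomes part of the query, so a quote followed
    by a comment marker (for example  alice@example.com' --  ) truncates
    the password check and logs the attacker in as that account.
    """
    query = (
        "SELECT email FROM customers WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, email, password):
    """Authenticate with bound parameters.

    The SQL text is fixed and the values travel separately, so user input
    can never change the structure of the statement; the same payload that
    bypassed login_vulnerable() is simply compared as a literal string.
    """
    row = conn.execute(
        "SELECT email FROM customers WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def render_order_note(note):
    """Place untrusted text in an HTML page with output encoding.

    html.escape() turns <, >, &, " and ' into entities, so a note such as
    <script>alert(1)</script> is displayed as text rather than executed
    in the customer's browser.
    """
    return "<p>" + html.escape(note, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice@example.com' --"
    print("concatenated query, injected email:",
          login_vulnerable(db, payload, "wrong password"))
    print("parameterized query, injected email:",
          login_parameterized(db, payload, "wrong password"))
    print(render_order_note("<script>alert(1)</script>"))
```

Run the script directly to see the concatenated query accept the injected email with a wrong password while the parameterized query rejects it; the buffer-overflow case is a memory-safety problem in native code and is not shown here.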

Merchants and third-party companies involved in payment card data management are also advised to know the location of all of their cardholder data, to not store any data that is not necessary to business, and to implement security training for staff and educate consumers on policies involving their shared information.

In addition, the guidance advises merchants and developers to set up firewalls that ensure only permitted web traffic reaches their servers, and to identify and document all parties with administrative access to e-commerce applications. 

Russo said that a major pitfall for merchants to avoid is assuming someone else is responsible for protecting their customers' information.

“Outsourcing card data for a third party to process does not relieve them of their responsibility to follow PCI standards,” Russo said. “That can really be a trap in that they've outsourced it and feel they don't need to protect [data].”
