PCI Security Standards Council guidelines on E-commerce security

Back in 2011, the PCI Security Standards Council – a global forum underpinning the development of the PCI Data Security Standards – voted on subjects for its own special interest groups to examine. One of the most popular subjects was ‘E-commerce’. “The community wanted more guidance and clarification on security issues specifically within E-commerce,” PCI SSC European director Jeremy King told Infosecurity. “So,” he continued, “the special interest group worked on and developed an E-commerce guidance document.”

That document, PCI DSS E-commerce Guidelines, has been released this week. It provides an overview of the components of an E-commerce infrastructure together with their relevance to the PCI DSS, and a discussion on the common vulnerabilities in E-commerce environments with recommendations on how to overcome them. “Its purpose,” King told Infosecurity, “is to provide high-level help and guidance to companies, many of which are not IT expert, on the steps necessary to conform to PCI DSS within E-commerce.”

The common vulnerabilities caused by insecure coding practices are injection flaws (such as SQL injection), XSS, cross-site request forgery, buffer overflows, and weak authentication/session credentials. “Take SQL injections as an example,” explained Bob Russo, general manager, PCI Security Standards Council. “This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised. This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start.”

The Open Web Application Security Project (OWASP) is particularly recommended as a source for secure coding practices (as are SANS, CERT/CC, CIS, and ISACA). “I was at an OWASP conference last summer,” commented Jeremy King. “One of the speakers put four lines of code on the screen, and said, ‘That’s how you stop SQL injection.’ So actually the information is out there on how to be secure; it’s just that not all E-commerce sites know where to look, or what to look out for and specify in third-party software.

“Many of the merchants don’t know,” he continued, “what their responsibilities are when working with a third-party product – many think that responsibility falls on the third party supplier. But that’s not the case, and this document gives clear guidance on the various different options available in working with a third-party provider and where the responsibility lies depending on the particular solution adopted.”
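To make Russo’s SQL injection point and King’s “four lines of code” concrete, here is an added illustration (not taken from the PCI document or from Infosecurity) of a product lookup written both ways: one that splices user input into the SQL text and one that binds it as a parameter. The catalogue rows and the `products` table are constructed for the demo; the point generalises to any database driver that supports bound parameters.

```python
import sqlite3

# Constructed sample catalogue for an in-memory demo database (not from the
# PCI document); the query shape mirrors a typical e-commerce product lookup.
PRODUCTS = [
    ("SKU-100", "Widget", 9.99),
    ("SKU-200", "Gadget", 19.99),
    ("SKU-300", "Gizmo", 29.99),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite catalogue with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Insecure pattern: user input is pasted into the SQL text, so quote
    characters in `sku` change the structure of the statement itself."""
    sql = f"SELECT sku, name, price FROM products WHERE sku = '{sku}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, sku: str) -> list:
    """Hardened pattern: the statement text is fixed and the driver binds `sku`
    as a value, so it is only ever compared, never interpreted as SQL."""
    sql = "SELECT sku, name, price FROM products WHERE sku = ?"
    return conn.execute(sql, (sku,)).fetchall()


def compare(sku: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, sku)),
            "parameterised_rows": len(lookup_parameterised(conn, sku)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("SKU-200"))        # a normal SKU: both variants return 1 row
    print(compare("x' OR '1'='1"))   # quote-bearing input: only the vulnerable one leaks all rows
```

Reviewing code for the first pattern (string formatting or concatenation feeding `execute`) and refactoring it to the second is the “simple, prudent coding practice” the guidelines refer to.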

The guideline document has many strengths. Firstly, it was written by users for users, and deals with security practice rather than complex security theory – it is very approachable. Secondly, King stressed that it has strong European input. In many areas, European data protection laws cover the protection of the same personal data protected by PCI DSS, so a by-product of the PCI DSS E-commerce Guidelines document is that it will help conformance to EU data protection requirements.