Industry body the Payment Card Industry Security Standards Council (PCI SSC) has updated its best practice guidelines for securing e-commerce transactions, as more fraud migrates online.
The Best Practices for Securing E-commerce guidance replaces the previous PCI DSS E-commerce Guidelines, published back in 2013.
The new document includes guidance for online merchants on SSL/TLS, how to select a certificate authority (CA), the different types of certificates available, and a list of questions merchants can ask their service providers about digital certificates and encryption.
The PCI SSC has mandated, for example, that all online merchants use TLS 1.1 encryption or higher by June 2018.
There’s plenty of information on how to achieve PCI DSS validation and a chart showing the level of complexity for different types of implementation.
“Securing the e-commerce environment continues to be critically important. According to several sources, e-commerce sales almost hit $2 trillion globally in 2016 with double-digit growth forecasted for several years to come,” explained PCI CTO Troy Leach.
“We also know that fraud is moving to card-not-present (CNP) environments with the implementation and acceptance of EMV chip, making e-commerce merchants a prime target for criminal hackers. The Council is uniquely positioned to help merchants since we are aware of the changing threat landscape of e-commerce environments.”
Best practice tips from the PCI SSC include gaining visibility into the location of all data; eliminating any data that’s not needed; and security training for all staff.
Many smaller businesses will outsource payment acceptance to a third party, Leach claimed.
“Still, those merchants should be aware of how their e-commerce solution accepts payments, specific risks to their customer’s cardholder data and best practices that they or their service providers should be following to mitigate those risks,” he added. “That is what is intended by this guidance.”