On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security. The guidelines relate to online infrastructures and how merchants work with third-party providers.
The guidance offers a checklist of security recommendations and reminders, reviews how merchants can work with third parties to address e-commerce risks, and provides a checklist of easy-to-fix vulnerabilities.
It is observed that merchants may develop their own e-commerce payment software, use a third-party developed solution, or use a combination of both. Merchants may also use a variety of technologies to implement e-commerce functionality, including payment-processing applications, application-programming interfaces (APIs), inline frames (iFrames), or hosted payment pages. Merchants may also choose to maintain different levels of control and responsibility for managing the supporting information technology infrastructure, for example choosing to manage all networks and servers in house, to outsource the management of all systems and infrastructure to hosting providers and/or e-commerce payment processors, or to use a combination.
The guidelines provide that:
1. No option completely removes a merchant’s PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
2. Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.
3. E-commerce payment applications such as shopping carts should be validated according to PA-DSS, and confirmed to be included on PCI SSC’s list of Validated Payment Applications. For in-house developed e-commerce applications, PA-DSS should be used as a best practice during development.
4. Third-party relationships and the PCI DSS responsibilities of the merchant and each third party should be clearly documented in a contract or service-level agreement to ensure that each party understands and implements the appropriate PCI DSS controls.
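Point 2 above asks merchants to monitor for unexpected changes to the connection or redirection that hands the cardholder to a third party. The following is an added example of what such a check can look like; it is not part of the PCI SSC guidance and assumes a hypothetical payment provider host (pay.example-psp.com), a hypothetical known-good inline snippet, and that every form, iFrame and script on the checkout page belongs to the payment flow:

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline (hypothetical values): which hosts the checkout page may hand
# card data to, and the SHA-256 of the known-good inline payment snippet.
ALLOWED_PAYMENT_HOSTS = {"pay.example-psp.com"}
KNOWN_GOOD_SNIPPET = b"/* known-good hosted-payment snippet */"
BASELINE_SCRIPT_SHA256 = hashlib.sha256(KNOWN_GOOD_SNIPPET).hexdigest()

# Where a checkout page sends the cardholder: form posts, iFrames and loaded scripts.
TARGET_RE = re.compile(r'<(?:form|iframe|script)[^>]*\b(?:action|src)="([^"]*)"', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)


def check_checkout_page(html: str) -> list[str]:
    """Return findings for a checkout page; an empty list means it matches the baseline.

    Assumes every form, iFrame and script on the page is part of the payment flow.
    """
    findings = []
    for target in TARGET_RE.findall(html):
        url = urlparse(target)
        if url.scheme != "https":
            findings.append(f"non-HTTPS payment target: {target}")
        if url.hostname not in ALLOWED_PAYMENT_HOSTS:
            findings.append(f"unexpected payment host: {url.hostname}")
    for body in INLINE_SCRIPT_RE.findall(html):
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest != BASELINE_SCRIPT_SHA256:
            findings.append(f"inline script changed, sha256 {digest[:12]}...")
    return findings


# Constructed sample pages: one matching the baseline, one with a redirected form
# and a modified inline snippet, as a monitoring job would see after a change.
GOOD_PAGE = """<form action="https://pay.example-psp.com/checkout" method="post">
<iframe src="https://pay.example-psp.com/fields"></iframe></form>
<script>/* known-good hosted-payment snippet */</script>"""

TAMPERED_PAGE = """<form action="http://unexpected-host.test/checkout" method="post">
<iframe src="https://pay.example-psp.com/fields"></iframe></form>
<script>/* a snippet that differs from the baseline */</script>"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, check_checkout_page(page) or "OK")
```

A scheduled job that fetches the live checkout page and alerts on any non-empty finding turns this into the change monitoring the guidance describes; the baseline must be re-recorded whenever the payment integration is legitimately updated.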
A high-level checklist is also provided to assist merchants with compliance requirements.