New PCI Guidelines for E-Commerce
A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments. On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security.
The guidelines relate to online infrastructures and how merchants work with third-party providers. Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create.
Securing the Payments Chain
The guidance offers a checklist of security recommendations and reminders, such as:
- Know where cardholder data is located within the merchant's infrastructures and those of the processors and vendors to which they outsource.
- Regularly test software and applications to detect if card data or other information is being stored unintentionally.
- Evaluate the risks associated with the e-commerce technology in use.
- Review the network and database risks posed by outsourcing functions, such as payments processing and Web hosting, to third parties.
- Hire PCI Approved Scanning Vendors (ASVs) to validate, on a regular basis, that Internet-facing environments comply with the PCI Data Security Standard.
- Define best practices for online payment application security.
- Implement security training for internal staff.
- Establish best practices for consumer awareness.
The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to:
- Online injection flaws;
- Cross-site scripting, or XSS;
- Online cross-site request forgery, or CSRF;
- Buffer or temporary data storage overflows, which result when programs or processes attempt to store more data than they were designed to hold;
- Weak authentication and/or session credentials; and
- Application and software misconfigurations.
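To make the first two items on that list concrete, here is an added example (not code from the supplement or from any PCI vendor) of an order-status lookup written the way many small e-commerce sites write it, beside the parameterized version, using Python's standard sqlite3 module with an in-memory table. The table, the customer rows and the `lookup_*` function names are all constructed for the example. The `render_row` helper shows the matching fix for XSS: escaping database values before they reach HTML.

```python
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Hypothetical orders table; only the last four PAN digits are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, email TEXT, last4 TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [
            (1001, "alice@example.com", "1111", 49.99),
            (1002, "bob@example.com", "4444", 120.00),
            (1003, "carol@example.com", "0005", 15.50),
        ],
    )
    return conn


def lookup_vulnerable(conn, order_id: int, email: str) -> list:
    """Injection flaw: user-supplied email is spliced into the SQL text."""
    sql = (
        "SELECT id, email, last4, total FROM orders "
        f"WHERE id = {int(order_id)} AND email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, order_id: int, email: str) -> list:
    """Fixed: values travel as bound parameters, never as SQL syntax."""
    sql = "SELECT id, email, last4, total FROM orders WHERE id = ? AND email = ?"
    return conn.execute(sql, (int(order_id), email)).fetchall()


def render_row(row) -> str:
    """Escape every cell so stored data cannot become script in the page."""
    cells = "".join(f"<td>{html.escape(str(c))}</td>" for c in row)
    return f"<tr>{cells}</tr>"


if __name__ == "__main__":
    db = setup_db()
    # A customer who knows only an order number, no email, and sends this
    # payload in the email field sees every order in the table.
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, 1001, payload))
    print("hardened:  ", lookup_hardened(db, 1001, payload))
    for row in lookup_hardened(db, 1001, "alice@example.com"):
        print(render_row(row))
```

With the payload `' OR '1'='1` the vulnerable query becomes `... WHERE id = 1001 AND email = '' OR '1'='1'`, and since AND binds tighter than OR the condition is true for every row; the parameterized query compares the literal string and returns nothing. The same split between data and code is what the supplement's "define best practices for online payment application security" item is asking merchants to write down.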