PCI DSS Improve the Security of Your Ecommerce Environment

Presentation transcript:

PCI DSS: Improve the Security of Your Ecommerce Environment
Lib de Veyra, VP Emerging Technologies and Security, JCB International Credit Card Co., Ltd.

Agenda
- Understand Your Implementation
- Validation for PCI DSS
- Scoping Considerations for PCI DSS
- Choosing a Public Key Certificate
- Security Best Practices
- Resources

Understanding Your Implementation: Fully Outsourced
- URL Re-Direct: The cardholder enters their account data into a payment page hosted by a third-party payment service provider (PSP). Need to ensure the integrity of the re-direct mechanism.
- I-Frame: The merchant has a web page (the PSP's) embedded within another web page. Ensures that information is not accessible or cannot be manipulated through various exploits by malicious individuals.
- Recommended that PSPs provide configurable tools that detect and report suspicious transactions or unusual activity.

Understanding Your Implementation: Fully Outsourced (Continued)
- A fully outsourced e-commerce transaction is not seamlessly integrated into the merchant’s website; the customer is directed to a separate website to select their goods/services and complete check-out.
- Example: a hosted shopping cart.

Understanding Your Implementation: Partially Managed
- Direct Post: Uses the merchant’s website to generate the shopping cart and payment web pages. The merchant’s payment form, containing the cardholder data, is then sent directly to the PSP. Allows the merchant to have more control over the website look and feel at the expense of additional security responsibilities for its website.
- JavaScript Form: The payment page originates from the merchant’s website and requests the customer’s browser to execute JavaScript code from the PSP to create the payment form. The cardholder data is sent directly to the PSP. The merchant can optionally monitor for a timeout of a customer’s session and respond to the customer with an error message.

Understanding Your Implementation: Merchant Managed
- Application Program Interface (API): Method of system-to-system data transmission wherein the merchant principally controls the progress of the payment transaction. The cardholder data is sent from the customer’s browser back to the merchant website before being sent to the PSP. Data sent to the PSP may be sent in different formats such as XML, JSON, or name/value pairs. Higher targets for malicious individuals due to the larger amounts of cardholder data available and the varying levels of security controls merchants must meet.
- Other

Validation for PCI DSS: Choosing the Right Tool to Validate PCI DSS Compliance
- For Fully Outsourced, use SAQ A
- For Partially Managed, use SAQ A-EP
- For Merchant Managed, use SAQ D or an onsite assessment
- Merchants should contact their acquirer for eligibility

Scoping Considerations for PCI DSS: Consider Other Payment Channels
- Mobile e-commerce (or in-app)
- Mail order/telephone order with call centers
- Face-to-face: traditional brick and mortar using a POS system; merchant-entered transaction via web browser in the store location; consumer-entered transaction via kiosk or similar unattended device

Choosing a Public Key Certificate
- Internet Security Protocol: Deprecation of SSL (v1.0, v2.0 and v3.0) and early TLS (v1.0). Secure TLS (minimum v1.1, but v1.2 recommended).
- Certification Authority (CA): Look for a highly reliable and reputable CA provider.
- Public Key Certificate: Support approved encryption algorithms and key lengths of encryption ciphers (refer to NIST or PCI).

Choosing a Public Key Certificate: Monitor and Manage TLS Certificates
- Check certificate, certificate chain, intermediate CA and root CA
- Check supported encryption ciphers and protocols
- Check for vulnerabilities, including OpenSSL vulnerabilities and server vulnerabilities
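The checks on the two slides above, as an added example that is not part of the presentation: a small Python probe that handshakes with a verifying context (so the chain, intermediate and root CA are validated), then grades the negotiated protocol, cipher strength and certificate expiry. The protocol thresholds follow the slides; the 30-day expiry warning and 128-bit cipher floor are this example's own assumptions.

```python
import ssl
import socket
import sys
import time

# Thresholds follow the slide: SSL and TLS 1.0 are deprecated, TLS 1.1 is the
# bare minimum, TLS 1.2 is recommended. The 30-day expiry warning and the
# 128-bit cipher floor are assumptions of this example, not from the slide.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
MINIMUM_ONLY_PROTOCOLS = {"TLSv1.1"}
EXPIRY_WARN_SECONDS = 30 * 86400
MIN_CIPHER_BITS = 128

def assess(protocol, cipher_name, cipher_bits, not_after_ts, now_ts=None):
    """Return (severity, message) findings for one negotiated TLS session."""
    now_ts = time.time() if now_ts is None else now_ts
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(("FAIL", f"{protocol} is deprecated; move to TLS 1.2"))
    elif protocol in MINIMUM_ONLY_PROTOCOLS:
        findings.append(("WARN", f"{protocol} meets the minimum only; TLS 1.2 is recommended"))
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append(("FAIL", f"cipher {cipher_name} provides only {cipher_bits}-bit keys"))
    remaining = not_after_ts - now_ts
    if remaining <= 0:
        findings.append(("FAIL", "certificate has expired"))
    elif remaining < EXPIRY_WARN_SECONDS:
        findings.append(("WARN", f"certificate expires in {int(remaining // 86400)} days"))
    return findings

def probe(host, port=443, timeout=5.0):
    """Handshake with a verifying context: the chain, intermediate CA and root
    CA are validated against the system trust store and the hostname is checked.
    Returns the inputs assess() needs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            return tls.version(), name, bits, not_after

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        results = assess(*probe(host))
    except ssl.SSLCertVerificationError as exc:
        results = [("FAIL", f"certificate chain did not verify: {exc.verify_message}")]
    for severity, message in results or [("OK", "no findings")]:
        print(f"{host}: {severity} {message}")
```

On Python 3.10 and later the default context itself refuses anything below TLS 1.2, so a server still offering SSL or early TLS shows up as a handshake error rather than an assess() finding.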

Security Best Practices
Know Where Your Cardholder Data Is
- Have a cardholder data flow diagram
- Identify where the hand-off of cardholder data to third parties (such as PSPs) happens
Eliminate Unnecessary Storage of Cardholder Data
- Reduce the footprint of your cardholder data environment subject to PCI DSS
- Remember that sensitive authentication data cannot be stored, even if encrypted
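Finding where cardholder data has actually landed (application logs are a common surprise) is the practical side of the slide above. The following Python scanner is an added example, not material from the presentation: it looks for digit runs that pass the Luhn check, reports them masked to first six/last four, and flags lines that also carry field names suggesting sensitive authentication data. The regex, the marker keywords and the sample log lines are all constructed for this example.

```python
import re
import sys

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer digit run. (Constructed pattern, not from the slide.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that suggest sensitive authentication data, which must never be stored.
SAD_MARKERS = ("cvv", "cvc", "track1", "track2", "pinblock")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: every PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS Requirement 3.3 permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text: str) -> list:
    """One finding per stored PAN: line number, masked PAN, and whether the same
    line also names sensitive authentication data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({
                    "line": lineno,
                    "masked_pan": mask(digits),
                    "sad_marker": any(k in line.lower() for k in SAD_MARKERS),
                })
    return findings

# Constructed sample application log; only the two DEBUG lines leak a PAN.
SAMPLE_LOG = """\
2024-01-01 12:00:01 INFO checkout order=1234567890123456 amount=49.99
2024-01-01 12:00:02 DEBUG psp request pan=4111 1111 1111 1111 exp=12/26
2024-01-01 12:00:03 DEBUG psp request pan=3566-0020-2036-0505 cvv=123
2024-01-01 12:00:04 INFO session 9f8e7d6c timeout=300
"""

if __name__ == "__main__":
    # With file paths on the command line, scan those files; otherwise scan the sample.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in sys.argv[1:]] or [("sample", SAMPLE_LOG)]
    for name, text in sources:
        for f in scan_text(text):
            print(f"{name}:{f['line']}: {f['masked_pan']}{' +SAD' if f['sad_marker'] else ''}")
```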

Security Best Practices
Assess Risk of Your E-Commerce Solution
- Balance between business needs and security exposure
Ensure Secure Remote Access by Your Service Providers
- Understand how and when your service provider accesses your network, and limit access on an as-needed basis
- Service providers should use multi-factor authentication for remote access
Use Secure Web Applications
- Address common coding vulnerabilities when developing your web application, including, but not limited to, SQL injection, buffer overflow and cross-site scripting

Security Best Practices: Vulnerability Scanning
- PCI DSS Requirement 11.2 requires internal and external vulnerability scanning for the merchant’s cardholder data environment, including their e-commerce websites.
- Hire a PCI Approved Scanning Vendor (ASV) for the external vulnerability scanning.
- If using a hosting provider, either: have the hosting provider undergo their own ASV scan and provide you with evidence of compliance, or have the hosting provider undergo an ASV scan as part of each merchant customer’s ASV scan.

Security Best Practices: Penetration Testing
If using a service provider, ensure the service provider:
- Undergoes internal and external penetration testing in accordance with PCI DSS Requirement 11.3 at least annually.
- Provides their merchant customers enough information on the systems that need to be tested.
- Communicates to their merchant customers when penetration tests are conducted, to ensure minimal downtime.
- Communicates to their merchant customers what, if any, remediation steps the merchant must take to correct negative findings.

Security Best Practices
Monitor and Alert
- Have a plan to monitor suspicious activity in your e-commerce environment
- Alert your service provider and/or acquirer if suspicious activity is detected
Training and Awareness
- Provide training to your employees on data security, including response to security breaches and social engineering
- Consider educating customers on security best practices when conducting e-commerce transactions (such as upgrading to the latest versions of web browsers)

Resources: Industry Resources
- Open Web Application Security Project (OWASP): Individual guides include Handling E-Commerce Payments, Security of Payment Cards (Credit/Debit) in E-Commerce Applications, and Cornucopia E-Commerce Website Edition
- ISACA: E-Commerce Security: A Global Report

Resources: PCI Security Standards Council Website (pcisecuritystandards.org)
- Information Supplement: Best Practices for Securing E-Commerce
- Small Merchant Guidance: Contains four documents entitled Guide to Safe Payments, Common Payment Systems, Questions to Ask Your Vendors, and Glossary of Payment and Information Security Terms
- Third Party Security Assurance
- Penetration Testing Guidance
- Information Supplement: PCI SSC Migrating from SSL and Early TLS

Presenter’s Contact Info
Lib de Veyra, VP Emerging Technologies and Security, JCB International Credit Card Co., Ltd.
Email: lib.deveyra@jcbusa.com
Telephone: 213-896-3718
If you have any questions about the presentation, go to our LinkedIn Group (the Payments Education Forum) and request an invitation (this is a closed group specifically for the payments industry).