Published by Andra Shelton, modified over 7 years ago
Slide 1: PCI DSS: Improve the Security of Your Ecommerce Environment
Lib de Veyra, VP Emerging Technologies and Security, JCB International Credit Card Co., Ltd.
Slide 2: Agenda
- Understand Your Implementation
- Validation for PCI DSS
- Scoping Considerations for PCI DSS
- Choosing a Public Key Certificate
- Security Best Practices
- Resources
Slide 3: Understanding Your Implementation
Fully Outsourced
- URL Re-Direct
  - Cardholder enters their account data into a payment page hosted by a third-party payment service provider (PSP)
  - Need to ensure the integrity of the re-direct mechanism
- I-Frame
  - Merchant has a web page from the PSP embedded within its own web page
  - Ensures that information is not accessible, and cannot be manipulated, through various exploits by malicious individuals
  - Recommended that PSPs provide configurable tools that detect and report suspicious transactions or unusual activity
Slide 4: Understanding Your Implementation
Fully Outsourced (Continued)
- Fully Outsourced E-Commerce: the transaction is not seamlessly integrated into the merchant's website; the customer is directed to a separate website to select their goods/services and complete check-out
- Example: a hosted shopping cart
Slide 5: Understanding Your Implementation
Partially Managed
- Direct Post
  - Uses the merchant's website to generate the shopping cart and payment web pages
  - Merchant then sends the payment form containing the cardholder data directly to the PSP
  - Allows the merchant to have more control over the website look and feel, at the expense of additional security responsibilities for its website
- JavaScript Form
  - The payment page originates from the merchant's website and requests the customer's browser to execute JavaScript code from the PSP to create the payment form
  - The cardholder data is sent directly to the PSP
  - The merchant can optionally monitor for a timeout of a customer's session and respond to the customer with an error message
Slide 6: Understanding Your Implementation
Merchant Managed
- Application Program Interface (API)
  - Method of system-to-system data transmission wherein the merchant principally controls the progress of the payment transaction
  - The cardholder data is sent from the customer's browser back to the merchant website before being sent to the PSP
  - Data sent to the PSP may be sent in different formats such as XML, JSON, or name/value pairs
  - Higher-value targets for malicious individuals, due to the larger amounts of cardholder data available and the varying levels of security controls merchants must meet
- Other
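Slides 3, 5 and 6 share one control point: in a URL re-direct, Direct Post or JavaScript-form integration the order parameters pass through the customer's browser, so the merchant must be able to detect tampering with the re-direct and the PSP must be able to detect tampering with what arrives. The following Python example is added here as an illustration; it is not code from the presentation or from JCB, and the PSP host, payment URL, field names and shared secret are all assumptions. It shows the common pattern: the merchant signs the order fields with an HMAC keyed by a secret the PSP provisioned out of band and only ever redirects to the allow-listed PSP host; the receiving side recomputes the HMAC, compares it in constant time, and rejects anything that does not match.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed values for the example: a hypothetical PSP host and a secret the PSP provisions to the
# merchant out of band. A real deployment loads the secret from a vault, never from source code.
PSP_HOST = "pay.example-psp.test"
PSP_PAY_URL = f"https://{PSP_HOST}/hosted/pay"
SHARED_SECRET = b"constructed-shared-secret-for-example"

# The order fields the signature covers; anything outside this tuple is not protected.
SIGNED_FIELDS = ("merchant_id", "order_id", "amount", "currency", "return_url")


def canonical(params):
    """Deterministic byte string over the protected fields, so both sides sign the same thing."""
    return "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()


def sign(params, secret=SHARED_SECRET):
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def build_redirect(params, secret=SHARED_SECRET):
    """Merchant side: build the hosted-payment-page URL carrying an HMAC over the order fields.
    The only redirect target ever emitted is the allow-listed PSP host."""
    missing = [k for k in SIGNED_FIELDS if k not in params]
    if missing:
        raise ValueError(f"missing order fields: {missing}")
    query = {k: params[k] for k in SIGNED_FIELDS}
    query["sig"] = sign(query, secret)
    return f"{PSP_PAY_URL}?{urlencode(query)}"


def verify_redirect(url, secret=SHARED_SECRET):
    """Receiving side: accept only https to the allow-listed host, recompute the HMAC and compare
    in constant time. Returns the verified order fields, or None if anything was altered."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != PSP_HOST:
        return None
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = query.pop("sig", None)
    if presented is None or any(k not in query for k in SIGNED_FIELDS):
        return None
    if not hmac.compare_digest(presented, sign(query, secret)):
        return None
    return {k: query[k] for k in SIGNED_FIELDS}


if __name__ == "__main__":
    # Constructed order; the amount is in minor units.
    order = {"merchant_id": "M-0001", "order_id": "ORD-42", "amount": "1999",
             "currency": "USD", "return_url": "https://shop.example.test/thanks"}
    url = build_redirect(order)
    print(url)
    print("intact  :", verify_redirect(url) == order)
    print("tampered:", verify_redirect(url.replace("amount=1999", "amount=1")))
```

The same keyed-hash check applies in the other direction: a PSP's return or callback to the merchant's site should carry a signature the merchant verifies before it marks an order as paid.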
Slide 7: Validation for PCI DSS
Choosing the Right Tool to Validate PCI DSS Compliance
- Fully Outsourced: use SAQ A
- Partially Managed: use SAQ A-EP
- Merchant Managed: use SAQ D or an onsite assessment
- Merchants should contact their acquirer for eligibility
Slide 8: Scoping Considerations for PCI DSS
Consider Other Payment Channels
- Mobile e-commerce (or in-app)
- Mail order/telephone order with call centers
- Face-to-face
  - Traditional brick and mortar using a POS system
  - Merchant-entered transaction via web browser in the store location
  - Consumer-entered transaction via kiosk or similar unattended device
Slide 9: Choosing a Public Key Certificate
- Internet Security Protocol
  - Deprecation of SSL (v1.0, v2.0 and v3.0) and early TLS (v1.0)
  - Secure TLS (minimum v1.1, but v1.2 recommended)
- Certification Authority (CA)
  - Look for a highly reliable and reputable CA provider
- Public Key Certificate
  - Support approved encryption algorithms and key lengths of encryption ciphers (refer to NIST or PCI)
Slide 10: Choosing a Public Key Certificate
Monitor and Manage TLS Certificates
- Check the certificate, certificate chain, intermediate CA and root CA
- Check supported encryption ciphers and protocols
- Check for vulnerabilities, including OpenSSL vulnerabilities and server vulnerabilities
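Slides 9 and 10 give a protocol policy (SSL and TLS 1.0 deprecated, TLS 1.1 the floor, TLS 1.2 recommended) and a checklist for the certificate chain. The Python example below is an added illustration, not code from the presentation; the protocol version labels and the sample expiry date are constructed. It turns the policy into a check over the versions a scanner reports for a server, builds a client-side `ssl` context that enforces the recommended TLS 1.2 floor and a validated chain to a trusted root, and includes a live inspection helper that a practitioner can point at their own endpoint (it is the only part that needs network access and is not run offline).

```python
import ssl
from datetime import datetime, timezone

# Policy from the slides: SSLv2/v3 and TLS 1.0 are deprecated; TLS 1.1 is the minimum, TLS 1.2 recommended.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0"}
RECOMMENDED = {"TLSv1.2", "TLSv1.3"}


def assess_protocols(offered):
    """Compare the protocol versions a server offers (e.g. from a scanner report) with the policy.
    'compliant' is False if any deprecated version is still enabled or nothing acceptable is offered."""
    offered = set(offered)
    bad = sorted(offered & DEPRECATED)
    return {
        "deprecated_enabled": bad,
        "recommended_enabled": bool(offered & RECOMMENDED),
        "compliant": not bad and bool(offered - DEPRECATED),
    }


def make_client_context():
    """Client context that refuses anything below TLS 1.2. create_default_context() already
    requires a certificate that chains to a trusted root and checks the hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def days_until_expiry(not_after, now=None):
    """not_after in the format getpeercert() returns, e.g. 'Jun 1 12:00:00 2026 GMT'."""
    exp = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (exp - now).days


def inspect_server(host, port=443, timeout=5.0):
    """Live check (needs network): negotiated version, cipher suite and certificate expiry,
    using the strict context above so a handshake only succeeds with a valid chain and TLS >= 1.2."""
    import socket
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "days_until_expiry": days_until_expiry(cert["notAfter"]),
            }


if __name__ == "__main__":
    # Constructed scanner output for two servers.
    print(assess_protocols(["TLSv1.0", "TLSv1.1", "TLSv1.2"]))
    print(assess_protocols(["TLSv1.2", "TLSv1.3"]))
    print("context floor:", make_client_context().minimum_version.name)
    print("days left on constructed cert:", days_until_expiry("Jun 1 12:00:00 2026 GMT"))
```

Checking the chain up to the root and the cipher list (slide 10) is what the strict context does on every handshake; the scanner-style check catches servers that still negotiate a deprecated version with older clients even though they also offer TLS 1.2.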
Slide 11: Security Best Practices
- Know Where Your Cardholder Data Is
  - Have a cardholder data flow diagram
  - Identify where the hand-off of cardholder data to third parties (such as PSPs) happens
- Eliminate Unnecessary Storage of Cardholder Data
  - Reduce the footprint of your cardholder data environment subject to PCI DSS
  - Remember that sensitive authentication data cannot be stored, even if encrypted
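The two rules on slide 11 (store no sensitive authentication data, and shrink the footprint of stored cardholder data) are enforced at the point where a merchant application persists or logs a transaction. The Python example below is added here and is not code from the presentation or from JCB; the field names and the sample records are constructed, and the PAN used is the well-known test number 4111111111111111. It drops sensitive authentication data fields outright, truncates any PAN to the first six and last four digits before storage, and redacts PANs that leak into free text such as log lines, using a Luhn check so that order numbers of similar length are left alone.

```python
import re

# Sensitive authentication data (SAD): never stored after authorization, even encrypted.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "track1", "track2"}
# Field names under which the constructed sample forms carry the PAN (assumed for the example).
PAN_FIELDS = {"pan", "card_number", "cardnumber"}


def luhn_ok(digits):
    """Luhn check, used to distinguish a PAN from an unrelated run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most the first six and last four digits; mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(record):
    """Copy of a transaction record that is safe to persist or log:
    SAD removed entirely (not masked), PAN truncated, everything else kept."""
    out = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue
        if key.lower() in PAN_FIELDS:
            value = mask_pan(str(value))
        out[key] = value
    return out


# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_free_text(text):
    """Mask PANs that leak into free text (log lines, support notes); leave non-Luhn digit runs alone."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample record as a checkout form might submit it.
    record = {"order_id": "ORD-42", "card_number": "4111 1111 1111 1111",
              "cvv": "123", "expiry": "12/27", "amount": "1999"}
    print(scrub_for_storage(record))
    print(redact_free_text("auth ok for 4111 1111 1111 1111, ref 1234567890123456"))
```

Dropping the CVV rather than masking it matters: a masked value is still a stored value, and the slide's point is that SAD must not exist in storage at all.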
Slide 12: Security Best Practices
- Assess Risk of Your E-Commerce Solution
  - Balance between business needs and security exposure
- Ensure Secure Remote Access by Your Service Providers
  - Understand how and when your service provider accesses your network, and limit access on an as-needed basis
  - Service provider should use multi-factor authentication for remote access
- Use Secure Web Applications
  - Address common coding vulnerabilities when developing your web application including, but not limited to, SQL injection, buffer overflow and cross-site scripting
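Slide 12 names SQL injection and cross-site scripting as the coding defects an e-commerce application must address. The Python example below is added here as an illustration, not code from the presentation; the in-memory SQLite table and its rows are constructed. It places the vulnerable form of an order lookup and of a greeting page beside the corrected form, so the difference that parameter binding and output encoding make can be run rather than read.

```python
import html
import sqlite3


def make_db():
    """Constructed order table for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total_cents INTEGER)")
    db.executemany("INSERT INTO orders (customer, total_cents) VALUES (?, ?)",
                   [("alice", 1999), ("bob", 4500), ("carol", 120)])
    return db


def orders_for_customer_vulnerable(db, customer):
    # Defect: the customer name is spliced into the SQL text, so the value can change the query.
    sql = f"SELECT id, customer, total_cents FROM orders WHERE customer = '{customer}'"
    return db.execute(sql).fetchall()


def orders_for_customer_safe(db, customer):
    # Fix: parameter binding; the driver passes the value separately and it is never parsed as SQL.
    sql = "SELECT id, customer, total_cents FROM orders WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()


def render_greeting_vulnerable(name):
    # Defect: untrusted text placed into HTML as-is, so markup in the name becomes part of the page.
    return f"<p>Welcome back, {name}</p>"


def render_greeting_safe(name):
    # Fix: encode for the HTML text context before interpolation.
    return f"<p>Welcome back, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "alice' OR '1'='1"          # a value that is only a name to the safe version
    print("vulnerable:", orders_for_customer_vulnerable(db, probe))
    print("safe      :", orders_for_customer_safe(db, probe))
    print(render_greeting_vulnerable("<b>alice</b>"))
    print(render_greeting_safe("<b>alice</b>"))
```

Output encoding has to match the context (HTML text, attribute, URL, JavaScript); `html.escape` covers the text and quoted-attribute cases shown here and is not a substitute for a templating engine that escapes by default.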
Slide 13: Security Best Practices
Vulnerability Scanning
- PCI DSS Requirement 11.2 requires internal and external vulnerability scanning for the merchant's cardholder data environment, including their e-commerce websites.
- Hire a PCI Approved Scanning Vendor (ASV) for the external vulnerability scanning.
- If using a hosting provider, either:
  - Have the hosting provider undergo their own ASV scan and provide you with evidence of compliance, or
  - Have the hosting provider undergo an ASV scan as part of each merchant customer's ASV scan.
Slide 14: Security Best Practices
Penetration Testing
- If using a service provider, ensure the service provider:
  - Undergoes internal and external penetration testing in accordance with PCI DSS Requirement 11.3 at least annually.
  - Provides their merchant customers enough information on the systems that need to be tested.
  - Communicates to their merchant customers when penetration tests are conducted, to ensure minimal downtime.
  - Communicates to their merchant customers what remediation steps, if any, the merchant must take to correct negative findings.
Slide 15: Security Best Practices
- Monitor and Alert
  - Have a plan to monitor suspicious activity in your e-commerce environment
  - Alert your service provider and/or acquirer if suspicious activity is detected
- Training and Awareness
  - Provide training to your employees on data security, including response to security breaches and social engineering
  - Consider educating customers on security best practices when conducting e-commerce transactions (such as upgrading to the latest versions of web browsers)
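Slide 15's "monitor and alert" step, and slide 3's recommendation that PSPs offer tools that detect and report suspicious transactions, both come down to running a rule over authorization events. The Python example below is added here as an illustration, not code from the presentation or from JCB; the log format, the field names and the event lines are constructed (the IP addresses are from the RFC 5737 documentation ranges). It parses a small authorization log and flags any client that, within a rolling window, accumulates more declines or tries more distinct cards than a threshold allows, then produces the lines a merchant would pass to its service provider or acquirer.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log (not real data): time, client IP, last four digits of the card, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 1111 approved
2024-03-01T10:00:05Z 198.51.100.9 2222 declined
2024-03-01T10:00:09Z 198.51.100.9 3333 declined
2024-03-01T10:00:12Z 198.51.100.9 4444 declined
2024-03-01T10:00:20Z 203.0.113.7 1111 approved
2024-03-01T10:00:31Z 198.51.100.9 5555 declined
2024-03-01T10:00:44Z 198.51.100.9 6666 declined
2024-03-01T10:00:52Z 198.51.100.9 7777 declined
2024-03-01T10:09:00Z 203.0.113.8 8888 declined
"""


def parse_log(text):
    """One (timestamp, ip, last4, result) tuple per non-empty line, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, last4, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, last4, result))
    return sorted(events)


def find_suspicious(events, window=timedelta(minutes=5), max_declines=5, max_cards=5):
    """Rolling-window check per client IP. An IP is flagged when, within any `window`, it exceeds
    max_declines declines or tries more than max_cards distinct cards. Returns a dict keyed by IP
    with the counts from the first window that tripped the rule."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            declines = sum(1 for e in in_window if e[3] == "declined")
            cards = {e[2] for e in in_window}
            if declines > max_declines or len(cards) > max_cards:
                flagged[ip] = {"declines": declines, "distinct_cards": len(cards),
                               "window_start": start.isoformat()}
                break
    return flagged


def alert_text(flagged):
    """One line per flagged client, in the form a merchant would hand to its PSP or acquirer."""
    return [f"{ip}: {info['declines']} declines across {info['distinct_cards']} cards "
            f"since {info['window_start']}" for ip, info in sorted(flagged.items())]


if __name__ == "__main__":
    for line in alert_text(find_suspicious(parse_log(SAMPLE_LOG))):
        print(line)
```

Thresholds and window length are policy choices; what the example fixes is the shape of the rule (per-client, time-bounded, counting both failures and distinct instruments), which is the pattern a PSP's configurable tool exposes and a merchant's own monitoring plan should cover.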
Slide 16: Resources
Industry Resources
- Open Web Application Security Project (OWASP)
  - Individual guides include Handling E-Commerce Payments, Security of Payment Cards (Credit/Debit) in E-Commerce Applications, and Cornucopia E-Commerce Website Edition
- ISACA
  - E-Commerce Security: A Global Report
Slide 17: Resources
PCI Security Standards Council Website (pcisecuritystandards.org)
- Information Supplement: Best Practices for Securing E-Commerce
- Small Merchant Guidance
  - Contains four documents entitled Guide to Safe Payments, Common Payment Systems, Questions to Ask Your Vendors, and Glossary of Payment and Information Security Terms
- Third Party Security Assurance
- Penetration Testing Guidance
- Information Supplement: PCI SSC Migrating from SSL and Early TLS
Slide 18: Presenter's Contact Info
Lib de Veyra, VP Emerging Technologies and Security, JCB International Credit Card Co., Ltd.
Telephone:
If you have any questions about the presentation, go to our LinkedIn Group (the Payments Education Forum) and request an invitation (this is a closed group specifically for the payments industry).