Best Practices for Securing E-Commerce Special Interest Group PCI Security Standards Council

Best Practices for Securing E-Commerce Special Interest Group
PCI Security Standards Council
Standard: PCI Data Security Standard (PCI DSS)
Date: April 2017
Authors: Best Practices for Securing E-commerce Special Interest Group, PCI Security Standards Council
Information Supplement: Best Practices for Securing E-commerce

Information Supplement • Best Practices for Securing E-commerce • April 2017

Document Changes
Date | Document Version | Description | Pages
January 2013 | 1.0 | Initial release | All
January 2017 | 1.1 | Expanded and revised content based upon the Securing e-Commerce Special Interest Group | Various
April 2017 | 1.2 | Corrected entries in table, Section 2.7 typographical and grammatical errors | Various

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.

Table of Contents
Document Changes  ii
1 Introduction  5
  1.1 Background  5
  1.2 Intended Audience  7
  1.3 Terminology  7
2 Understanding E-commerce implementations  8
  2.1 Shared-Management E-commerce – URL Redirects  8
  2.2 The iFrame  10
  2.3 The Direct Post Method (DPM)  13
  2.4 JavaScript Form  15
  2.5 The Application Programming Interface (API)  17
  2.6 Wholly Outsourced E-commerce Solutions  19
  2.7 Advantages and Disadvantages of E-commerce Methods  20
  2.8 PCI DSS Validation Requirements  21
  2.9 The Intersection between E-commerce and Other Payment Channels  22
  2.10 E-commerce Scoping Considerations  23
  2.11 Additional Considerations  26
3 Public Key Certificate Selection  34
  3.1 Brief History on SSL and TLS  34
  3.2 Selecting the Certification Authority  34
  3.3 Selecting the Appropriate Type of Public Key Certificates  35
  3.4 Tools for Monitoring and Managing E-commerce Implementations  36
4 Encryption and Digital Certificates  37
  4.1 Certificate Types (DV, OV, EV) and Associated Risks  37
  4.2 TLS 1.2 Configurations  39
  4.3 Merchant Questions on Certificate Types and TLS Migration Options  40
5 Guidelines to Determine the Security of E-commerce Solutions  44
  5.1 E-commerce Solution Validation  44
  5.2 Validation Documentation  45
  5.3 PCI DSS Requirement Ownership  46
6 Case Studies for E-commerce Solutions  47
  6.1 Case Study One: Fully Outsourced Redirect  47
  6.2 Case Study Two: Fully Outsourced iFrame  49
  6.3 Case Study Three: Partially Outsourced (JavaScript-Generated Form)  51
  6.4 Case Study Four: Merchant Managed (API)  53
7 Best Practices  55
  7.1 Know the Location of all Your Cardholder Data  55
  7.2 If You Don’t Need It, Don’t Store It  55
  7.3 Evaluate Risks Associated with the Selected E-commerce Technology  55
  7.4 Service Provider Remote Access to Merchant Environment  56
  7.5 ASV Scanning of E-commerce Environments  56
  7.6 Penetration Testing of E-commerce Environments  56
  7.7 Best Practices for Securing e-Commerce  57
  7.8 Implement Security Training for all Staff  58
  7.9 Other Recommendations  58
  7.10 Best Practices for Consumer Awareness  58
  7.11 Resources  59
Acknowledgments  62
About the PCI Security Standards Council  64

1 Introduction
Electronic commerce, commonly known as e-commerce, is the use of the Internet to facilitate transactions for the sale and payment of goods and services. E-commerce is a card-not-present (CNP) payment channel and may include:
• E-commerce websites accessible from any web browser, including “mobile-device friendly” versions accessible via the browser on smart phones, tablets, and other consumer mobile devices
• “App” versions of your e-commerce website, i.e., apps downloadable to the consumer’s mobile device, or saving of the URL as an application icon on a mobile device that has online payment functionality (consumer mobile payments)
The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. This information supplement offers additional guidance to that provided in PCI DSS and is written as general best practices for securing e-commerce implementations.
All references in this document are for
Recommended publications
  • Active Server Pages (ASP)
    Active Server Pages (ASP)
    Outline: 11.1 Introduction; 11.2 How Active Server Pages Work; 11.3 Client-side Scripting versus Server-side Scripting; 11.4 Using Personal Web Server or Internet Information Server; 11.5 A Simple ASP Example; 11.6 Server-side ActiveX Components; 11.7 File System Objects; 11.8 Session Tracking and Cookies; 11.9 Accessing a Database from an Active Server Page; 11.10 Case Study: A Product Catalog
    11.1 Introduction
    • Active Server Pages (ASP): processed in response to a client request; an ASP file contains HTML and scripting code; VBScript is the de facto language for ASP scripting, though other languages (e.g. JavaScript) can be used; .asp file extension; Microsoft-developed technology
    • Sends dynamic Web content: HTML, DHTML, ActiveX controls, client-side scripts, Java applets
    11.2 How Active Server Pages Work
    • Client sends request; server receives the request and directs it to ASP; ASP processes it, then returns the result to the client
    • HTTP request types (request methods): GET gets (retrieves) information from the server, e.g. retrieves an HTML document or image; POST posts (sends) data to the server, e.g. info from an HTML form: client-entered data, info to search the Internet, a query for a database, authentication info
    11.2 How Active Server Pages Work (II)
    • Browsers often cache Web pages (cache: save on disk); they typically do not cache POST responses, since the next POST request may not return the same result
    • Client requests an ASP file: it is parsed (top to bottom) by the ActiveX component asp.dll (ActiveX component: a server-side ActiveX control that usually does not have a GUI)
  • A Theory on Information Security
    Australasian Conference on Information Systems, 2016, Wollongong, Australia. Horne et al.: A Theory on Information Security
    A Theory on Information Security
    Craig A. Horne, Department of Computing and Information Systems, The University of Melbourne, Victoria, Australia. Email: [email protected]
    Atif Ahmad, Department of Computing and Information Systems, The University of Melbourne, Victoria, Australia. Email: [email protected]
    Sean B. Maynard, Department of Computing and Information Systems, The University of Melbourne, Victoria, Australia. Email: [email protected]
    Abstract
    This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information; however, we argue that the goal is actually to simply create resources. This paper responds to calls for more theory in information systems, places the discussion in philosophical context and compares various definitions. It then identifies the key concepts of information security, describes the relationships between these concepts, as well as scope and causal explanations. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications and suggestions for future research.
    Keywords: Information security, resources, controls, threats, theory development.
    1 INTRODUCTION
    Despite the concept of information security being very well established, the reasons and motivations behind it are imperfectly understood. This paper seeks to explain how and why the phenomena that comprise the concepts of information security occur.
  • Practical Ecommerce Publisher
    NFIB Guide to eCommerce, February/March 2007 • $9.95. Supplement to MyBusiness Magazine. "How to Harness the Internet to Revolutionize Your Business" (www.NFIB.com)
    1. Getting Started: Securing a domain name; .Com, .net or other?
    2. Web Sites For Service Businesses: Why you need a Web site; Ideas to help you get started
    3. Selling Products Online: Basic steps to doing business on the Internet; Using eBay, Amazon and Overstock
    4. Online Shopping Carts: What the options are; Tips from the experts
    5. Staying Secure: Spotting fraudulent credit cards; Protection from data theft
    6. Hiring A Web Developer: Using predesigned templates; Tips on selecting a Web site developer
    7. Selecting A Web Host: Why a host is important; Differences among service options
    8. E-mail Marketing: Improve communication with customers; No special skills are required
    9. Search Engines: The importance of being found; Paid search vs. organic results
    NFIB Guide to eCommerce | February/March 2007
    Contents
    2 Our First Small Business Guide: A Letter from NFIB President Todd Stottlemyer
    3 Domain Name Basics: Establishing a name for your Web site is an easy process
    5 Web Sites For Service Businesses: An online presence can help you compete with major franchises
    7 Selling Products Online: What does a business need to launch an ecommerce business?
    10 Shopping Cart Options: 10 steps to making the right choice
    14 Credit Card Fraud Is a Manageable Risk: Two types of fraud for online merchants
    16 Is It Time To Hire A Web site Developer?
    NFIB Guide to eCommerce is published as a benefit for NFIB’s members. Todd Stottlemyer, President; Jeff Koch, Vice President of Member Benefits; Susan Ridge, Vice President of Communications; David Silverman, Vice President of Sales and Marketing; Bob Davis, Director of Marketing; Rita Tallent, Senior Marketing Editor/Writer. 800-NFIB-NOW, nfib.com
    Practical eCommerce serves small-to-midsize businesses with sensible articles and advice to help improve their online operations.
  • Data and Database Security and Controls
    Handbook of Information Security Management, Auerbach Publishers, 1993, pages 481-499.
    DATA AND DATABASE SECURITY AND CONTROLS
    Ravi S. Sandhu and Sushil Jajodia, Center for Secure Information Systems & Department of Information and Software Systems Engineering, George Mason University, Fairfax, VA 22030-4444. Telephone: 703-993-1659
    1 Introduction
    This chapter discusses the topic of data security and controls, primarily in the context of Database Management Systems (DBMSs). The emphasis is on basic principles and mechanisms, which have been successfully used by practitioners in actual products and systems. Where appropriate, the limitations of these techniques are also noted. Our discussion focuses on principles and general concepts. It is therefore independent of any particular product except for section 7, which discusses some products. In the more detailed considerations we limit ourselves specifically to relational DBMSs. The reader is assumed to be familiar with rudimentary concepts of relational databases and SQL. A brief review of essential concepts is given in the appendix. The chapter begins with a review of basic security concepts in section 2. This is followed, in section 3, by a discussion of access controls in the current generation of commercially available DBMSs. Section 4 introduces the problem of multilevel security. It is shown that the techniques of section 3 are inadequate to solve this problem. Additional techniques developed for multilevel security are reviewed. Section 5 discusses the various kinds of inference threats that arise in a database system, and discusses methods that have been developed for dealing with them.
  • In-Depth Evaluation of Redirect Tracking and Link Usage
    Proceedings on Privacy Enhancing Technologies; 2020 (4):394–413
    Martin Koop*, Erik Tews, and Stefan Katzenbeisser
    In-Depth Evaluation of Redirect Tracking and Link Usage
    Abstract: In today’s web, information gathering on users’ online behavior takes a major role. Advertisers use different tracking techniques that invade users’ privacy by collecting data on their browsing activities and interests. To prevent this threat, various privacy tools are available that try to block third-party elements. However, there exist various tracking techniques that are not covered by those tools, such as redirect link tracking. Here, tracking is hidden in ordinary website links pointing to further content. By clicking those links, or by automatic URL redirects, the user is being redirected through a chain of potential tracking servers not visible to the user. In this scenario, the tracker collects valuable data about the content, topic, or user interests of the website. Additionally, the tracker sets not only third-party but also first-party tracking cookies which are far
    1 Introduction
    It is common practice to use different tracking techniques on websites. This covers the web advertisement infrastructure like banners, so-called web beacons1 or social media buttons to gather data on the users’ online behavior as well as privacy sensible information [52, 69, 73]. Among others, those include information on the user’s real name, address, gender, shopping-behavior or location [4, 19]. Connecting this data with information gathered from search queries, mobile devices [17] or content published in online social networks [5, 79] allows revealing further privacy sensitive information [62]. This includes personal interests, problems or desires of users, political or religious views, as well as the financial status.
  • Spamming Botnets: Signatures and Characteristics
    Spamming Botnets: Signatures and Characteristics
    Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+, Ivan Osipkov+. Microsoft Research, Silicon Valley; +Microsoft Corporation. {yxie,fangyu,kachan,rina,ghulten,ivano}@microsoft.com
    ABSTRACT
    In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership. AutoRE does not require pre-classified training data or white lists. Moreover, it outputs high quality regular expression signatures that can detect botnet spam with a low false positive rate. Using a three-month sample of emails from Hotmail, AutoRE successfully identified 7,721 botnet-based spam campaigns together with 340,050 unique botnet host IP addresses. Our in-depth analysis of the identified botnets revealed several interesting findings regarding the degree of email obfuscation, properties of botnet IP addresses, sending patterns, and their correlation
    botnet infection and their associated control process [4, 17, 6], little effort has been devoted to understanding the aggregate behaviors of botnets from the perspective of large email servers that are popular targets of botnet spam attacks. An important goal of this paper is to perform a large scale analysis of spamming botnet characteristics and identify trends that can benefit future botnet detection and defense mechanisms. In our analysis, we make use of an email dataset collected from a large email service provider, namely, MSN Hotmail. Our study not only detects botnet membership across the Internet, but also tracks the sending behavior and the associated email content patterns that are directly observable from an email service provider. Information pertaining to botnet membership can be used to prevent future nefarious activities such as phishing and DDoS attacks.
  • Evolution of Touch Commerce and Its Impact on Ecommerce Industry
    Evolution of touch commerce and its impact on ecommerce industry
    Touch commerce is a technique that allows the shopper to buy from an online marketplace without using shopping cart software, or allows buying using online wallets. Touch commerce enables customers to make a secure first-time or subsequent payment on any merchant’s website or app without having to provide registration or log-in details. A one-click payment system is a convenient method of paying by cards or e-wallets, wherein the customer decides to buy a product and clicks the “Pay €XX” button, completing the transaction.
    [Figure: Touch commerce / Pay; card payments and e-wallets]
    Benefits
    Customers: More accessible for customers; Lower cart abandonment levels; Makes a more pleasant shopping experience
    Sellers: Providing an unparalleled customer experience and a near frictionless checkout; Helps a merchant to retain customers; Conveniently shop for featured products represents a value-add; Enables to display or sell products on any other website; Improving conversion rates and opening doors to future opportunities
    Key Drivers
    1. Increase usage of mobile phones for online purchases, provides mobile optimization from chat support to optimized checkout facilitating based
    2. Growth of data analytics aids in content personalization by analyzing the buying patterns of consumers
    3. Payment methods will continue to evolve, with mobile payments and cryptocurrencies leading the way in
    4. Technological advancements like Augmented Reality offers new ways of displaying products beyond the physical
  • Active Server Pages Architecture
    Active Server Pages Architecture
    Li Yi, South Bank University
    Contents
    1. Introduction  2
      1.1 Host-based databases  2
      1.2 Client/server databases  2
      1.3 Web databases  3
    2. Active Server Pages  5
      2.1 ASP Components  6
      2.2 ADO and Database  7
      2.3 The steps of executing a query  11
    3 ASP Attributes  12
    References  13
    1. Introduction
    The development of databases always comes
  • Implementing OGC Web Map Service Client Applications Using JSP, JSTL and XMLC
    Implementing OGC Web Map Service Client Applications Using JSP, JSTL and XMLC
    Hao Ding, Richard Pascoe & Neville Churcher, Department of Computer Science, University of Canterbury, Christchurch, New Zealand. Phone: +64 3 364-2362, Fax: +64 3 364-2569, Email: [email protected], {richard, neville}@cosc.canterbury.ac.nz
    Presented at SIRC 2002 – The 14th Annual Colloquium of the Spatial Information Research Centre, University of Otago, Dunedin, New Zealand, December 3-5th 2002
    ABSTRACT
    Java technologies are widely used in web application development. In this paper are described three approaches to developing Java-based web applications and our experiences with applying each to the development of clients that interact with servers implementing the OGC (Open GIS Consortium) Web Map Service (WMS) specification. Also described is the installation and configuration of open source software that implements the WMS specification. The paper is concluded with some preliminary insights into when one of the three approaches to WMS client implementation is more suited than another.
    Keywords and phrases: WMS, JSP, JSTL, XMLC, map layer, web map server
    1.0 INTRODUCTION
    Of the many technologies, such as Common Gateway Interface (CGI), Active Server Pages (ASP), JavaServer Pages (JSP), that are used to develop web applications, three are of particular interest to the research presented here. These three technologies or approaches to developing clients that utilise web services are JavaServer Pages (JSP), JSP with the use of tags from the JSP Standard Tag Library (JSTL), and the eXtensible Markup Language Compiler (XMLC). JSP is a more convenient way to write Java servlets, and allows the insertion of Java code directly into static HTML (Hypertext Markup Language) pages.
  • Electronic Commerce in the Gaming Industry. Legal Challenges And
    Pécs Journal of International and European Law - 2019/I-II.
    Electronic Commerce in the Gaming Industry. Legal Challenges and European Perspective on Contracts through Electronic Means in Video Games and Decentralized Applications
    Olena Demchenko, PhD student, University of Pécs, Faculty of Law
    The present paper explains the need in the application of electronic commerce regulations to the so-called in-game purchasing activity in video games, particularly, purchase of intangible items, where such game is commoditized, focusing on the legislation of the European Union. It examines in detail the various applications of European regulations to the issues connected to the gaming industry in the European Union - gambling regulations, geo-blocking, data protection, smart contracts validity and enforcement, virtual currencies regulation in the scope of contractual law, and shows a possible way to adapt the national legislation of the Member States and European legislation in order to secure electronic commerce in the gaming industry. The present paper analyses gaps in existing legal procedures, stresses the necessity of new legal models in order to regulate the purchase of intangible items in video games and decentralized applications and underlines the importance of amendments to current European legislation with particular focus on new developments of Create, Retrieve, Append, Burn technology and commoditized video games in order to protect consumer rights and the free movement of digital goods and to accomplish the Digital Single Market Strategy of the European Union.
    Keywords: video games, Blockchain, smart contract, electronic commerce, decentralized applications
    1. Introduction
    Since 1961, when MIT student Steven Russel created the first-ever video game “Spacewar”, which inspired the creation of such popular video games as “Asteroids” and “Pong”,1 technology went much further.
  • The Benefits of Electronic Payments in the Canadian Economy a White Paper Prepared by IHS Global Insight and Visa Canada
    The Benefits of Electronic Payments in the Canadian Economy
    A White Paper Prepared by IHS Global Insight and Visa Canada. Third Edition
    Editor’s note: The Benefits of Electronic Payments in the Canadian Economy, Third Edition is a white paper designed to explore the social and economic benefits of electronic payments to the Canadian economy. Commissioned by Visa Canada, a wholly owned subsidiary of Visa Inc., this white paper is based on research conducted by IHS Global Insight, an econometric forecasting agency. For more details on IHS Global Insight’s methodology, please refer to the Methodology Appendix. Third Edition - 2012
    Table of contents
    Executive summary  2
    Electronic Payments in Canada  4 (Benefits to Consumers and Merchants; Usage Trends in Canada)
    The Big Picture  7 (The Macroeconomic Value of Electronic Payments in Canada; Electronic Payments in a Global Context; Working with Governments to Increase Efficiency)
    Inbound Travel to Canada: The Impact of Electronic Payments on Travel and Tourism  11
    The Efficient Enterprise: The Impact of Electronic Payments on Canadian Business  14
    Everything Within Reach: The Impact of Electronic Payments on the Digital Economy  16
    Protecting the System  17 (Payment Card Industry; Chip Technology)
    Conclusion  18
    Visa: Advancing the Future of Electronic Payments  19 (Ways to Pay; The Foundation for Innovation; Visa Invests in the Security of the System)
    Visa: A Responsible Partner  23 (Ensuring Financial Literacy)
    Executive summary
    Over the last decade, Canada has benefited from strong economic foundations: our highly-skilled workforce, modern infrastructure, natural resources, disciplined financial system, and technological innovation have all
    • enhancing economic transparency and reducing the “grey economy” of underreported cash transactions.
    • Broadening participation and inclusion in financial services.
  • Redirect URL
    July 2012. Redirect URL User Guide
    Welcome to AT&T Website Solutions SM. We are focused on providing you the very best web hosting service including all the tools necessary to establish and maintain a successful website. This document contains information that will help you to redirect pages from your site to other locations. You can use it to create a new Domain Redirection as well.
    © 2012 AT&T Intellectual Property. All rights reserved. AT&T products and services are provided or offered by subsidiaries and affiliates of AT&T Inc. under the AT&T brand and not by AT&T Inc. AT&T, AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other trademarks are the property of their owners. This document is not an offer, commitment, representation or warranty by AT&T and is subject to change. Your Web Hosting service is subject to the Terms and Conditions (T&Cs), which may be found at http://webhosting.att.com/Terms-Conditions.aspx . Service terms and Fees are subject to change without notice. Please read the T&Cs for additional information.
    © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
    Table of Contents
    Introduction  3
    Create a New Redirect