Standard: PCI Data Security Standard (PCI DSS) Date: April 2017 Authors: Best Practices for Securing E-commerce Special Interest Group PCI Security Standards Council Information Supplement: Best Practices for Securing E-commerce Information Supplement • Best Practices for Securing E-commerce • April 2017 Document Changes Date Document Version Description Pages January 2013 1.0 Initial release All January 2017 1.1 Expanded and revised Various content based upon the Securing e-Commerce Special Interest Group April 2017 1.2 Corrected entries in table, Various Section 2.7 typographical and grammatical errors The intent of this document is to provide supplemental information. Information provided here does ii not replace or supersede requirements in any PCI SSC Standard. Information Supplement • Best Practices for Securing E-commerce • April 2017 Table of Contents Document Changes ................................................................................................................................................. ii 1 Introduction ........................................................................................................................................................ 5 1.1 Background ................................................................................................................................................... 5 1.2 Intended Audience ........................................................................................................................................ 7 1.3 Terminology .................................................................................................................................................. 7 2 Understanding E-commerce implementations ............................................................................................... 8 2.1 Shared-Management E-commerce – URL Redirects ................................................................................... 8 2.2 The iFrame .................................................................................................................................................. 10 2.3 The Direct Post Method (DPM) ................................................................................................................... 13 2.4 JavaScript Form .......................................................................................................................................... 15 2.5 The Application Programming Interface (API) ............................................................................................ 17 2.6 Wholly Outsourced E-commerce Solutions ................................................................................................ 19 2.7 Advantages and Disadvantages of E-commerce Methods ......................................................................... 20 2.8 PCI DSS Validation Requirements ............................................................................................................. 21 2.9 The Intersection between E-commerce and Other Payment Channels ..................................................... 22 2.10 E-commerce Scoping Considerations ......................................................................................................... 23 2.11 Additional Considerations ........................................................................................................................... 26 3 Public Key Certificate Selection ..................................................................................................................... 34 3.1 Brief History on SSL and TLS ..................................................................................................................... 34 3.2 Selecting the Certification Authority ............................................................................................................ 34 3.3 Selecting the Appropriate Type of Public Key Certificates ......................................................................... 35 3.4 Tools for Monitoring and Managing E-commerce Implementations ........................................................... 36 4 Encryption and Digital Certificates ................................................................................................................ 37 4.1 Certificate Types (DV, OV, EV) and Associated Risks ............................................................................... 37 4.2 TLS 1.2 Configurations ............................................................................................................................... 39 4.3 Merchant Questions on Certificate Types and TLS Migration Options ....................................................... 40 5 Guidelines to Determine the Security of E-commerce Solutions ............................................................... 44 5.1 E-commerce Solution Validation ................................................................................................................. 44 5.2 Validation Documentation ........................................................................................................................... 45 5.3 PCI DSS Requirement Ownership .............................................................................................................. 46 6 Case Studies for E-commerce Solutions ...................................................................................................... 47 6.1 Case Study One: Fully Outsourced Redirect .............................................................................................. 47 6.2 Case Study Two: Fully Outsourced iFrame ................................................................................................ 49 6.3 Case Study Three: Partially Outsourced (JavaScript-Generated Form) .................................................... 51 6.4 Case Study Four: Merchant Managed (API) ............................................................................................... 53 7 Best Practices .................................................................................................................................................. 55 7.1 Know the Location of all Your Cardholder Data .......................................................................................... 55 7.2 If You Don’t Need It, Don’t Store It .............................................................................................................. 55 7.3 Evaluate Risks Associated with the Selected E-commerce Technology .................................................... 55 7.4 Service Provider Remote Access to Merchant Environment ...................................................................... 56 7.5 ASV Scanning of E-commerce Environments ............................................................................................ 56 7.6 Penetration Testing of E-commerce Environments .................................................................................... 56 The intent of this document is to provide supplemental information. Information provided here does iii not replace or supersede requirements in any PCI SSC Standard. Information Supplement • Best Practices for Securing E-commerce • April 2017 7.7 Best Practices for Securing e-Commerce ................................................................................................... 57 7.8 Implement Security Training for all Staff ..................................................................................................... 58 7.9 Other Recommendations ............................................................................................................................ 58 7.10 Best Practices for Consumer Awareness ................................................................................................... 58 7.11 Resources ................................................................................................................................................... 59 Acknowledgments ................................................................................................................................................. 62 About the PCI Security Standards Council ......................................................................................................... 64 The intent of this document is to provide supplemental information. Information provided here does iv not replace or supersede requirements in any PCI SSC Standard. Information Supplement • Best Practices for Securing E-commerce • April 2017 1 Introduction Electronic commerce, commonly known as e-commerce, is the use of the Internet to facilitate transactions for the sale and payment of goods and services. E-commerce is a card-not-present (CNP) payment channel and may include: . E-commerce websites accessible from any web-browser, including “mobile-device friendly” versions accessible via the browser on smart phones, tablets, and other consumer mobile devices . “App” versions of your e-commerce website, i.e., apps downloadable to the consumer’s mobile device or saving of the URL as an application icon on a mobile device that has online payment functionality (consumer mobile payments) The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. This information supplement offers additional guidance to that provided in PCI DSS and is written as general best practices for securing e-commerce implementations. All references in this document are for
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages64 Page
-
File Size-