The PCI Security Standards Council (PCI SSC) has released new guidelines to help e-commerce merchants keep their customers' data safe.
The digital security landscape is a complicated one where the roles, risks and responsibilities of involved parties can quickly become muddled. That confusion of course, can lead to stagnation when it comes to finding (and implementing) fixes - on both an individual site and industry level.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised, said Bob Russo, general manager, PCI Security Standards Council.
Over 60 organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS
The guide, which comes at a time when ecommerce fraud is rising, includes an overview of ecommerce and PCI DSS. and outlines common vulnerabilities in ecommerce that merchants should consider when developing or choosing ecommerce software and services.
The guidelines also include best practice recommendations on securing ecommerce environments and a checklist of responsibilities that outlines, when payments are outsourced, which elements of security the merchant and the payments company are responsible for.
“This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”