Thursday, April 27, 2023

12 Best Practices for Securing E-commerce

 

In addition to meeting the PCI DSS requirements, e-commerce merchants should also adopt the security best practices that the PCI Security Standards Council (PCI SSC) recommends for e-commerce. Below is the list of best practices outlined by PCI SSC for e-commerce merchants.

1.  Know your cardholder data 

Merchants should draw a data flow diagram that maps the flow of cardholder data (CHD) across their networks and systems. This exercise identifies every system, and every connected system, that stores, processes or transmits CHD, and shows clearly how CHD moves within a network and between networks. Because the picture changes whenever an application or integration changes, merchants should also review the diagram periodically to confirm it still reflects the systems and applications actually deployed.

2. Avoid storing cardholder data if not required


If CHD is never stored, it cannot be stolen from storage, so the first question is whether the business needs to keep it at all. Where storage is genuinely required, merchants should consolidate the necessary CHD in a small number of known locations and isolate them from non-cardholder environments. This shrinks the compliance scope in terms of both the number of locations and the amount of CHD to protect, and it reduces the number of access points into the cardholder data environment (CDE) that must be secured. So, if your business has no legitimate reason to store CHD, do not store it. Merchants that do have a legitimate reason to store CHD must still never store Sensitive Authentication Data (SAD) after authorization, even in encrypted form: full track data from the magnetic stripe or chip, the card verification code printed on the card (CVC2/CVV2/CID/CAV2) or encoded in the track data (CVV1), and PINs or PIN blocks. Where the PAN has to be displayed or written to a log, truncate it to at most the first six and last four digits; a PAN truncated that way is no longer treated as cardholder data.
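
The rule above is easy to state and easy to violate in practice, because SAD and full PANs most often leak through debug logs and serialized request objects rather than through the payments database. The following is an added example, not code from the original post or from PCI SSC: a sanitizer that drops SAD fields outright and truncates any Luhn-valid PAN it finds in free text to first six/last four before a record is persisted or logged. The field names, the regular expression and the sample order are assumptions for illustration.

```python
"""
Added example, not from the original post or the PCI SSC guidance: a small
sanitizer that enforces practice 2 in code before a record or log line is
written. Sensitive Authentication Data (SAD) fields are dropped outright, and
any PAN found in free text is truncated to its first six and last four digits,
the maximum PCI DSS allows to be displayed. Field names and the sample order
below are constructed for illustration.
"""
import re
from typing import Any, Dict

# Field names this example assumes a checkout form or gateway response might
# carry SAD under. These are dropped rather than masked: PCI DSS forbids
# storing SAD after authorization, even encrypted.
SAD_FIELDS = frozenset({
    "cvv", "cvv1", "cvv2", "cvc", "cvc2", "cid", "cav2", "card_verification",
    "track1", "track2", "magstripe", "pin", "pin_block",
})

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check so that order numbers or timestamps that merely
    look like a card number are not mangled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length: %d digits" % len(digits))
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (e.g. a log line) with its
    truncated form; digit runs that fail Luhn are left untouched."""
    def _sub(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return truncate_pan(digits) if luhn_ok(digits) else raw
    return _PAN_RE.sub(_sub, text)


def sanitize_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy that is safe to persist or log: SAD keys removed, PANs
    truncated inside every string value, nested dicts handled recursively."""
    clean: Dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue                       # never store, not even masked
        if isinstance(value, dict):
            clean[key] = sanitize_record(value)
        elif isinstance(value, str):
            clean[key] = redact_text(value)
        else:
            clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed sample. 4111 1111 1111 1111 is a well-known test PAN that
    # passes Luhn; the order id is 16 digits but fails Luhn and is kept intact.
    order = {
        "order_id": "1000000000000042",
        "pan": "4111 1111 1111 1111",
        "cvv2": "123",
        "track2": ";4111111111111111=25121010000000000000?",
        "customer": {"name": "A. Buyer",
                     "note": "card 4111111111111111 declined once"},
    }
    print(sanitize_record(order))
```

Wire sanitize_record in at the point where request or response objects are serialized (logging formatter, ORM hook, queue producer), not at the point of display: the goal is that SAD never reaches disk in the first place. The Luhn check keeps false positives down, but it is not a guarantee that no PAN slips through, so pair this with the data flow diagram from practice 1 so you know which fields can carry card data at all.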

3. Evaluate technology-related risks

Merchants should evaluate the risks associated with the payment applications and technologies they plan to use for online payment. Whether the e-commerce solution is fully hosted and managed by the merchant, partially outsourced to a third party or fully outsourced to a third party results in a different level of risk for the merchant, and in each case the merchant remains responsible for the parts of the payment flow it still controls. A risk assessment ensures all applications in use are secured and well managed; in any case, PCI DSS requires merchants to perform a risk assessment at least annually and after significant changes to the environment.

4. Third-Party payment application & PA-DSS

Consider a hosted or tightly integrated payment solution that keeps card data away from the merchant's own systems, since that is the most effective way to reduce security risk for an e-commerce site. Where a third-party payment application is used, merchants should choose one that is PA-DSS validated and appears on the PCI SSC List of Validated Payment Applications. This reduces the merchant's compliance scope, but the merchant still has to confirm that the vendor is compliant and that the validation is current. Note that PCI SSC has since replaced PA-DSS with the PCI Software Security Framework (SSF); PA-DSS was retired in October 2022 and new validations are performed under SSF.

You can also view our webinar on PA-DSS and PCI SSF here: PA DSS and PCI SSF

5. Third-Party access to the merchant’s environment

E-commerce businesses that involve third-party vendors need to ensure that the access granted to them is restricted to what their work requires. Merchants should require multi-factor authentication for all remote access into the cardholder data environment. Vendor accounts should be enabled only for the period the service provider needs them, disabled when not in use and monitored while active, so that the merchant always knows when a provider is connected. This limits the risk of an attacker using a service provider's credentials to reach the CDE.

6. ASV scanning of E-commerce Environments

Whether the payment application is developed in-house or supplied by a third party, external vulnerability scanning by a PCI SSC Approved Scanning Vendor (ASV) is required. ASV scans probe the Internet-facing systems of the e-commerce environment for known vulnerabilities and produce a report of what was found. It is the merchant's responsibility to ensure the hosted environment achieves a passing scan at least every quarter and after any significant change; a scan fails if it finds any vulnerability with a CVSS base score of 4.0 or higher, so findings must be remediated and the scan re-run until it passes.

7. Penetration Testing of E-commerce Environments


Merchants are expected to conduct regular penetration tests to confirm that the cardholder data environment is well protected. PCI DSS requires internal and external penetration testing at least annually and after any significant change to the infrastructure or applications, and where network segmentation is used to reduce scope, the segmentation controls must be tested as well. Even when a third-party service is used, the merchant must ensure that the third party performs this annual test so that weaknesses are found and fixed before an attacker finds them.

8. Deployment of firewalls

Merchants should deploy a web application firewall (WAF) in front of public-facing web applications, together with intrusion-detection technology, to filter malicious traffic before it reaches the application. They should also place a firewall between each tier: the Internet-facing web server belongs in a DMZ, and additional firewalls between the web, application and database servers limit what an attacker who compromises the web server can reach. The database holding CHD must sit in an internal network zone and never be directly reachable from the Internet.

9. Deployment of anti-virus and malware software

Merchants should also ensure anti-virus/anti-malware software is deployed on all systems commonly affected by malware, kept up to date and actively running. This applies equally to systems run by the merchant and to those run by a third party on the merchant's behalf.

10. Advanced monitoring tools

Advanced monitoring tools are essential: a change-detection solution (file integrity monitoring, FIM) on critical system and application files, an intrusion-detection or intrusion-prevention system, and synchronized time from an NTP server so that events from different systems can be correlated. PCI DSS expects critical-file comparisons to run at least weekly and to alert on unauthorized modification. Merchants should confirm that their service providers have these controls in place, and should equip their own systems with tools that monitor for intrusions as well.
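
The change-detection part of this is small enough to show end to end. Below is an added example, not from the original post or any PCI SSC material: a minimal file integrity monitor that baselines a directory with SHA-256, stores the baseline as JSON and reports files added, removed or modified on the next run. The directory layout, file names and the tampering in demo() are constructed for illustration.

```python
"""
Added example, not from the original post: a minimal file-integrity monitor
(FIM) of the kind practice 10 and PCI DSS requirement 11.5 call for. It takes a
SHA-256 baseline of every file under a directory, stores it as JSON, and on a
later run reports files that were added, removed or modified. Directory names
and the sample files in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    # Keep the baseline outside the monitored tree: an attacker who can edit
    # both the files and the baseline defeats the check.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed end-to-end run in a scratch directory: baseline a fake web
    root, tamper with it the way a script injection would, and re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        webroot = os.path.join(root, "htdocs")
        os.makedirs(os.path.join(webroot, "checkout"))
        with open(os.path.join(webroot, "checkout", "pay.js"), "w") as f:
            f.write("// original checkout script\n")
        with open(os.path.join(webroot, "config.ini"), "w") as f:
            f.write("gateway=example\n")

        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(webroot), baseline_path)

        # Tamper: append to pay.js, delete config.ini, drop a new file.
        with open(os.path.join(webroot, "checkout", "pay.js"), "a") as f:
            f.write("// injected line\n")
        os.remove(os.path.join(webroot, "config.ini"))
        with open(os.path.join(webroot, "checkout", "new.php"), "w") as f:
            f.write("<?php ?>")

        return compare(load_baseline(baseline_path), build_baseline(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the comparison runs from a scheduled job at least weekly (daily is cheap), the baseline lives on a different host or on read-only storage, and it is regenerated only after a change that went through change control. Extending the baseline with ownership and permission bits from os.stat catches a second class of tampering that a content hash alone misses.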

11. Implementing security training for staff

Training staff about security threats and making them aware of the potential risks is essential. Staff should understand general issues such as the social engineering techniques attackers use to gain access to areas or systems holding cardholder data. Ensure all staff are trained to use systems securely and to follow the established procedures and guidelines, and train them in what to do in the event of a suspected breach, including whom to notify.

12. Refer to PCI SSC resources

The PCI Security Standards Council has published numerous documents with guidelines, information, FAQs and other resources relating to payment security. PCI SSC also provides training and educational programs for building security awareness within the payment card industry, including PCI Awareness, PCI Professional (PCIP) and PCI DSS training for Internal Security Assessors (ISA). Merchants and third-party service providers should refer to these documents to ensure security and compliance with the PCI DSS standard.

You can watch our webinar on how to secure an e-commerce business using PCI DSS:

https://www.youtube.com/watch?v=jZhIQ9J_Yks
