PCI Council releases guidelines to aid merchants with cloud and e-commerce choices

13 Feb 2013

New guidelines on staying secure when using e-commerce and cloud services have been published by an open forum for developing payment card security standards.

Explaining the reasons for issuing the new guides, the Payment Card Industry Security Standards Council (PCI SSC) said that while anti-fraud initiatives such as chip and PIN have worked well in thwarting criminals who want to steal credit card data in person, many e-commerce sites are less well protected.

Attackers often exploit long-known vulnerabilities, such as SQL injection, to compromise online stores, the PCI SSC said. Good coding practice can address this weakness, but securing e-commerce sites remains a challenge – especially for small merchants, said Jeremy King, European director for the PCI SSC.

The e-commerce guide includes input from more than 60 businesses and 150 individuals. It’s intended to highlight the risks, as well as provide guidance on undertaking e-commerce in a more secure way that protects cardholder data.

“This guide explains in an easy-to-understand way the different options to working with a third-party provider and the issues a merchant needs to be aware of, and what areas they are responsible for as a merchant,” King told Siliconrepublic.com.

Many merchants are working with third parties for various parts of their e-commerce services, and King said this was a welcome development for smaller firms that don’t have in-house expertise.

“You can improve your security and reduce your scope – if you don’t have cardholder data coming into your environment, then your PCI DSS [compliance] becomes so much easier,” he said.

E-commerce and cloud computing guidelines

The e-commerce document, which can be downloaded here (pdf file), is aimed at helping senior managers or business owners to ask the right questions of their e-commerce provider or software developer, to ensure their systems are not open to attack. “It ensures you can get the best level of protection without being an IT expert,” King said.

The PCI DSS Cloud Computing Guidelines (pdf file) were compiled with input from more than 100 organisations worldwide, including banks, merchants, security assessors and technology vendors.

The document aims to help companies identify and address the security challenges for different cloud architectures and models, and understand their PCI DSS responsibilities in order to secure customer payment information when adopting these technologies.

King warned that outsourcing by itself doesn’t remove responsibility from the merchant who still needs to carry out due diligence on an e-commerce or cloud service provider.

“People are going to do it. What we want to do is to give them the best help we can, so they don’t fall foul of it so their data is not all over the place.”

With the cloud guidance document, the intent is to stop business owners from assuming that compliance is simply a matter of ticking a box, and instead make them aware of where the responsibility lies for protecting cardholder data.

“Know who is responsible for what, and how does that map into PCI DSS. You don’t want to spend time and effort getting PCI compliant and then put some systems in the cloud and throw that wide open,” said King.

Gordon Smith was a contributor to Silicon Republic