Best practices for securing cardholder data in e-commerce environments.

Posted by Marco Borza on Mar 27, 2020 11:40:46 AM
Marco Borza
Find me on:

According to The Enterprise Guide to Global E-commerce by Shopify, a 246.15% increase is anticipated in worldwide e-commerce sales from 2014 to 2021. This doesn’t just mean that a vast amount of buying and selling happens online but also that it is a highly attractive and profitable field for cybercriminals to take advantage of.

It is vital for e-commerce merchants to deploy the best practices for securing cardholder data.

E-commerce solutions consist of hardware, software, processes, services, and methodologies that facilitate and implement online transactions. Merchants may consider different methods of implementing online payments to their platform such as developing their own e-commerce payment checkout or using a URL Redirect, inline frames (iFrame), Direct Post Method (DPM), JavaScript Form, Application Programming Interface (API), or wholly outsourced e-commerce solutions. Although these methods differ in technology used and implementation applied, none of them completely remove the burden of compliance from the merchant.

Here are the key points to keep in mind, regardless of how you implement online payments on your e-commerce platform:

  • No option completely removes the merchant’s responsibility to protect cardholder data (CHD). No matter to what extent the payments are outsourced, the merchant is responsible for ensuring the cardholder data is secure. Due diligence should be performed by the merchant to ensure that the service provider protects CHD in accordance with PCI DSS requirements.
  • If third-parties are engaged, the merchant should have a contract that outlines precise PCI DSS responsibilities to ensure that each party understands and implements PCI DSS best practices. You can find more information about third-party security assurance in this PCI Council Information Supplement. It is vital that your business partners carry the same security levels. We have a dedicated article to this here.
  • The merchant should monitor connections and redirects to the service provider since they can be compromised. It is the merchant’s responsibility to ensure the integrity of the e-commerce solution.

Best practices 

Ensuring PCI DSS compliance of e-commerce merchants dealing with online payment transactions is required and paramount to set an important baseline for security, protecting cardholders and merchants' reputations.

Here are 6 industry best practices that any merchant should follow:

  1. Know the location of all your cardholder data. You could create a data-flow diagram to map out the flow of CHD and the way it is transmitted across various networks and systems. To make sure it is updated and relevant, you should commit to periodically reviewing it.
  2. Don’t store information you don’t need. Merchants who do not store any CHD automatically provide stronger protection by having eliminated a key target for data thieves. So remember, if your business doesn’t have a legitimate reason to store CHD, don’t do it.
  3. Never store Sensitive Authentication Data (SAD). While businesses might have a legitimate need to store CHD, it is imperative to make sure SAD is never stored in your systems.
  4. Evaluate the risks associated with the chosen method of implementing online payments. You should assess the risks of each option before implementing it. Whether the payments are handled in-house or are partially or fully outsourced results in a different level of risks for your business.
  5. Consider using payment integration technologies that would minimise the impact of security for your e-commerce, for example by opting for payments full redirect to PCI DSS compliant third parties.
  6. Train your staff to use all systems securely and to be aware of the potential consequences of not doing so.

We offer various PCI DSS compliance services powered by our own technologies that you can learn more about here.

Topics: PCI DSS