PCI SSC Releases E-commerce Guidelines Paper

Prior to the 2011 PCI community meeting, I submitted a proposal asking the council to sponsor a SIG (Special Interest Group) to help the e-commerce ecosystem better understand e-commerce security, because I felt that there was a lack of common understanding of this topic.

I had heard e-commerce merchants state—incorrectly—that PCI DSS didn’t apply to them because they used hosted payment pages. Merchants were also confused by the different connection methods offered by their payment gateway, such as hosted payment pages or APIs, and didn’t understand the varied security implications of each connection method.

After a full year’s work, the final document is now available. You can find it here: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf

The big takeaways from the document are that none of the common e-commerce implementations eliminate PCI DSS requirements entirely, and that the roles and responsibilities of merchants and service providers do vary, depending on the integration type. For example, fully outsourced implementations such as APIs, iFrames, and hosted payment pages have more scope reduction potential than merchant on-premise implementations. It’s all about choices and tradeoffs.

So what should merchants do to minimize their responsibility and scope while maximizing checkout usability? Options that maximize scope reduction disrupt the consumer checkout process and are hard to customize. On the other hand, on-premise options that maximize usability increase scope.

Voltage SecureData Web with Page-Integrated Encryption offers the best of both worlds. Merchants only need to add a few lines of code to an existing checkout page to encrypt cardholder data at the point the consumer enters it in the browser. The cardholder data remains encrypted until it reaches a trusted host destination, such as a payment processor, for decryption. The checkout retains branding and flow while maximizing scope reduction. Find more information about Voltage SecureData Web with Page-Integrated Encryption here: http://www.voltage.com/resource/voltage-secure-data-web/

