The PCI DSS (Payment Card Industry Data Security Standard) is a technical standard for those companies who store, process and transmit cardholder data.
It is the industry security baseline for practically any company that wants to do any type of payment processing.
I have written extensively on this standard before, which you can check out below:
Getting certified with PCI DSS is seen as quite intimidating given the number of requirements that have to be complied with; however, the process itself is quite straightforward.
It goes a bit like this:
1. Formalize the scope of your environment
2. Gap-assess your environment against the standard
3. Fix the gaps
4. Undergo the final audit and get compliant
However, in an e-commerce world PCI DSS compliance can be a bit different, which is what I wanted to discuss today.
This article is part of a multi-part series covering PCI DSS compliance in e-commerce environments and the different risks that are present with each approach.
PCI DSS and E-Commerce
Most e-commerce businesses are small merchants who have neither the time nor the resources to become compliant with PCI DSS; in this case they usually prefer to outsource the entire e-commerce payment process to a third party.
Outsourcing the payments side of e-commerce makes sense, as taking on the entire burden of a PCI DSS audit can be quite a hassle, along with the associated costs, manpower, technical configuration, etc.
At the same time, outsourcing has a significant impact on how PCI DSS compliance comes into play.
The two main options when it comes to outsourcing are:
Outsource the entire e-commerce website
Outsource the payment page
1. Outsourcing the entire e-commerce website
This can be seen as the easiest way: simply outsource the entire e-commerce hassle to a third party, who then has to worry about PCI DSS compliance, security, etc.
Customers can easily search for compliant service providers on websites like the VISA approved list below:
Most service providers are happy to offer this to merchants as part of an overall product offering. The merchant gets the full e-commerce package: product search, shopping cart, checkout, etc.
The PROs of this approach are obvious: the merchant just has to make sure the service provider remains PCI DSS compliant and that a written agreement is in place stating that the provider will protect cardholder data.
The CONs are the limited customization that is possible, especially if you want to control the user experience end to end. The website is hosted and controlled entirely by the service provider, and it can be jarring for users to be redirected to another website for payments.
2. Outsourcing the payment page
Another technique is to maintain the entire e-commerce website yourself but move just the payment processing to a service provider.
In this way the merchant controls the entire experience except for the storing, processing or transmitting of cardholder data.
There are multiple ways of doing this, each with its own pros, cons and obligations.
The Redirect: In this process, the merchant requests a payment page from the service provider, on which the customer enters their card details and sends them for processing. The merchant does not store, process or transmit the cardholder data.
The iFrame: In this process, a mini-page served by the service provider is embedded within the merchant's website and is isolated from the merchant's own page (the browser's same-origin policy keeps merchant scripts from reading the frame's contents). Again the merchant does not store, process or transmit the cardholder data; HOWEVER, an attacker who gains access to the merchant's website can still attack the iFrame, so the integrity of the page that embeds it matters.
The Direct Post: In this method, the merchant has more control over the process and sends (POSTs) the card data directly to the service provider. This also means that additional PCI DSS controls come into play compared to the previous methods.
API: In this method, the merchant has FULL control, receiving the payment data itself before sending it on to the service provider. This also means that potentially the entire set of PCI DSS requirements may come into play, along with the greatest flexibility over the process.
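As an added example (not code from the original post or from any payment provider), the check below shows how a merchant using the iFrame method could verify that its checkout page still frames only the provider and that its Content-Security-Policy would not let a tampered page frame anything else. The provider origin, the CSP header values and the frame entries are constructed placeholders.

```javascript
// Added example, not code from the original post: an integrity check a merchant could run
// on its own checkout page when using the iFrame method. All values below are constructed.

// Hypothetical service-provider origin that the payment iFrame must point at.
const PROVIDER_ORIGIN = "https://pay.example-provider.test";

// Return findings for one frame description ({ src: string }); an empty list means OK.
function auditPaymentFrame(frame) {
  let url;
  try {
    url = new URL(frame.src); // relative, empty or malformed src throws
  } catch (e) {
    return ["frame src is not an absolute URL"];
  }
  const findings = [];
  // data:, javascript: and blob: URLs parse with origin "null" and are never the provider.
  if (url.protocol !== "https:") findings.push(`frame not loaded over HTTPS (${url.protocol})`);
  if (url.origin !== PROVIDER_ORIGIN) findings.push(`frame origin ${url.origin} is not the provider`);
  return findings;
}

// Parse a Content-Security-Policy header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Sources governing <iframe> loads: frame-src, falling back to child-src, then default-src.
function frameSources(policy) {
  return policy["frame-src"] || policy["child-src"] || policy["default-src"] || null;
}

// Audit the page's CSP plus every payment frame; an empty result means nothing to investigate.
function auditCheckoutPage(cspHeader, frames) {
  const findings = [];
  const sources = frameSources(parseCsp(cspHeader));
  if (!sources) {
    findings.push("CSP does not restrict where frames may be loaded from");
  } else if (sources.some((s) => s.includes("*") || /^https?:$/.test(s))) {
    findings.push("CSP frame sources allow wildcard or scheme-wide origins");
  } else if (!sources.includes(PROVIDER_ORIGIN)) {
    findings.push("CSP frame sources do not include the provider origin");
  }
  for (const frame of frames) findings.push(...auditPaymentFrame(frame));
  return findings;
}
```

Run it against the `src` attributes collected from the live checkout page and the CSP header the server actually sends; any finding is a reason to treat the page as possibly tampered with.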
This concludes the introduction to this series on PCI DSS in e-commerce. In the next part, we will go over these methods and the security aspects of each of them.
I hope you enjoyed reading this. If you are interested in learning more about PCI DSS, then do check out my recently released masterclass on Udemy.