PCI DSS in an eCommerce world - Introduction

How eCommerce changes the way PCI DSS works

Mar 02, 2023

person using laptop computer holding card — Photo by rupixen.com on Unsplash

The PCI DSS (Payment Card Industry Data Security Standard) is a technical standard for those companies who store, process and transmit cardholder data.

It is the industry security baseline for pretty much any company that wants to do any type of payment processing

I have written extensively on this standard before which you can check out below:

Cloud Security, A.I. and career advice

How to get PCI DSS experience without a job

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data The new version of the standard came out last year and companies who deal with card data have been given a grace period by which they ne…

2 years ago · 2 likes · 1 comment · Taimur Ijlal

Getting certified with PCI DSS is seen as quite intimidating given the number of requirements that have to be complied with .. however the process itself is quite straightforward

It goes a bit like this:

Formalize the scope of your environment
GAP against the standard
Fix the gaps
Undergo the final audit and get compliant

However in an E-Commerce world , PCI DSS compliance can be a bit different which is what I wanted to discuss today.

This article is part of a multi-part series covering PCI DSS compliance in e-commerce environments and the different risks that are present with each approach

PCI DSS and E-Commerce

Most e-commerce businesses are small merchants who neither have the time nor the resources to become compliant with PCI DSS .. in this case they usually prefer outsourcing the entire e-commerce payment process to a third party

Outsourcing the payments side of E-commerce makes sense as taking on the entire burden of a PCI DSS audit can be quite a hassle along with the associated costs, manpower, technical configurations etc.

At the same time, outsourcing has significant impacts on how PCI DSS compliant comes into play:

The two main options when it comes to outsourcing are :

Outsource the entire e-commerce website
Outsource the payment page

1. Outsourcing the entire e-commerce website

This can be seen as the easiest way .. simple outsource the entire e-commerce hassle onto a 3rd party who have to worry about PCI DSS compliance, security etc.

Customers can easily search for compliant service providers on websites like the VISA approved list below:

https://www.visa.com/splisting/searchGrsp.do

Most service providers are happy to offer these offerings to merchants as a part of an overall product offering. The merchant gets the full e-commerce package with product search, shopping cart, checkout etc.

PROs of this approach are obvious as the merchant just has to make sure the service provider will remain PCI Compliant and make sure a written agreement is there that they will protect cardholder data
CONs are the limited customization that are possible especially if you want to control the user experience end to end. The website is hosted and controlled entirely by the service provider and it can be jarring for users to be redirected to another website for payments.

2. Outsourcing the payment page

Another technique is to maintain the entire e-commerce website yourself but simply move the payment processing aspect to a service provider

In this way merchant can control the entire experience except when it comes to storing, processing or transmitting cardholder data.

There are multiple ways of doing this each with their own pros / cons and obligations.

The Redirect process : In this process, the merchant will request a payment page from the service provider on which the customer will enter their card details and send them for processing. Merchant does not store, process or transmit the cardholder data

The iFrame: In this process, a mini-page is embedded within the merchant’s website which is isolated from the merchant website. Again the merchant does not store, process or transmit the cardholder data, HOWEVER it is possible for attackers to attack the iFrame if they get access

The Direct Post: In this method, the merchant has more control over the process and send ( or POSTS ) the data directly to the service provider. This also means that additional PCI DSS controls come into play compared to the previous methods.

API: In this method, the merchant has FULL control over receiving the payment before sending it to the service provider. This also means that potentially the entire PCI DSS requirements may come into play along with the greatest flexibility over the process.

This conclude the introduction of this series on PCI DSS in Ecommerce. In the next part, we will go over these methods and the security aspects of each of them

I hope you enjoyed reading this. If you are interested in learning more about PCI DSS then do check out my recently released masterclass on Udemy.

☁️ The Cloud Security Guy 🤖

Discussion about this post