PCI Update "Best Practices for Securing E-Commerce"

by Viktor Ahrens and Dennis Yang.
The Information Supplement “Best Practices for Securing E-commerce” supports merchants and service providers in e-commerce in assessing the security of existing e-commerce solutions and selecting a suitable implementation.
The update of the document from 2013 had become necessary in order to keep up with developments since the initial release. The SAQ (Self-Assessment Questionnaire) A-EP, for example, which enables a simplified certification process for merchants who use Direct Post and JavaScript implementations, was introduced within this timeframe. In version 3.2, the SAQ A was furthermore extended by new requirements regarding user management and password security.
Apart from the different e-commerce solutions and examples, the Information Supplement also contains clarifications on merchants’ and service providers’ different responsibilities. Merchants and service providers who outsource their services to a third party provider entirely often erroneously assume that they are no longer responsible for the PCI DSS requirements. The information supplement provides clarifications on this issue.
The document also contains detailed explanations and diagrams on each of the individual e-commerce solutions regarding the PCI DSS scope, security risks, and costs and expenses. The document specifically addresses commonly offered solutions using URL Redirect, iFrames, Direct Post, Java Script, and APIs. Further topics surrounding e-commerce, such as “Tokenization” and “Encryption” are discussed in a concluding chapter on “Best Practices”.
The Guidance can be found on the official PCI SSC website here
If you have further questions or need assistance with your scope definition, please contact us. Our specialists are happy to help:
+49 6102 8631-190
vertrieb@usd.de
About the PCI Expert Tips:
With our PCI Expert Tips, we would like to keep you informed about changes to the PCI Security Standards and provide you with initial explanations as to what the changes entail and how they may affect you. Please always take our articles only as a general reference – they do not replace individual case-by-case evaluations.