Greg Rosenberg is a Security Engineer at Trustwave. In today’s guest column, he explains new standards for PCI DSS compliance that will impact online merchants who accept credit card payments directly through a merchant credit card account on their websites.
You may recall, many years ago, when service providers selected your ecommerce security solution to keep you out of scope for PCI DSS compliance. Many ecommerce merchants chose that route so they would not be required to install security technologies to remain in compliance with the Payment Card Industry Data Security Standard.
PCI DSS is a standard designed to protect merchants and their customers’ cardholder data no matter how they process transactions. It appears that some merchants took this as carte blanche to avoid any (or very inadequate) security controls for their web environments. Hackers took notice and have been exploiting this weakness to the industry’s detriment.
In an effort to decrease that risk, the rules for e-commerce merchants are changing. On Nov. 7, 2013, the PCI Security Standards Council is scheduled to release the newest version of PCI DSS – PCI DSS 3.0 – which will require that ecommerce merchants take many more steps to achieve compliance so they can better protect their customers’ card holder information.
To understand the changes, one must first understand the definition of scope under PCI DSS. At a high level, any system, person or process that stored, processed or transmitted cardholder data was “in scope” for PCI. This meant the merchant would need to perform security checks and install security technologies to help protect their customers’ cardholder data and become PCI compliant. In the ecommerce world, if you had a shopping cart or payment page that collected customer card data then your environment was in scope.
Many merchants found this compliance process to be too difficult, time consuming or expensive and thus looked for alternatives such as the “redirect.” Service providers proposed to merchants that when it came time to collect cardholder data, their website should redirect the customer’s cardholder information to the service providers’ PCI compliant environment. The merchant’s website would not even be transmitting cardholder data. The website would just send the data right to the service provider and therefore the onus would be on the service provider’s side to maintain most of the PCI compliance requirements.
Because of the complexity of the redirect system, many merchants were unknowingly still at risk of a destructive data breach. They were not required to perform risk assessments to help ensure they had the proper security controls, processes, monitoring and alerting in place and cyber criminals seized the opportunity. They exploited ecommerce websites that lacked adequate protection and quickly realized they could intercept customer card data.
For example, a hacker could change the code on a website using one of the redirects. Instead of the customer typing his cardholder information into the legitimate service provider’s system, he is directed to a hacker’s website that looks exactly like the real payment page. Once the bad guys capture the sensitive information, they then send it to the real gateway for authorization and settlement. This is called a “man in the middle” attack and it allows hackers to intercept data and then sell it (or use it for fraudulent purchases) at a later date. It appears that this style of attack was taking place too frequently so the PCI Security Standards Council is changing the rules.
Though the final language has yet to be released, the Council has made it clear that under PCI DSS 3.0 – scheduled to go into effect as a voluntary standard Jan. 1, 2014 and will be mandated beginning Jan. 1, 2015 – all ecommerce merchants, including those who have been redirecting the processing of payments, will have to install and maintain additional security controls.
The standard currently states that anything that impacts the security of these environments, even if they do not store, process or transmit cardholder data, will be in scope for PCI DSS 3.0. In other words, the new standard requires merchants to implement policy and procedural controls as well as security technologies that will help prevent their customers’ cardholder data from ending up in the wrong hands. These technologies may include vulnerability scanning or adding a Web Application Firewall (the exact controls have not been identified yet).
In the end, PCI DSS 3.0 will require merchants to invest more money into security and play a larger role in helping ensure credit card information is processed securely. What should merchants do now to prepare? Here are some helpful tips:
- Perform a risk assessment to understand the risk posed to your systems and data.
- Verify you have the appropriate security controls in place to help secure your systems.
- Install security controls that monitor your systems and alert you about any suspect activity.
- Train your developers in OWASP secure coding principles.
- Perform a penetration test on your website to identify vulnerabilities that may lead to a compromise.
- Work with a Qualified Security Assessor (QSA) to understand what you need to do to become PCI compliant.