By the year 2019, it is expected that more than 2 billion people worldwide will buy goods and services online. This is a huge opportunity – both for businesses and for criminals seeking sensitive cardholder data. Criminal hackers will always seek out the lowest-hanging fruit. They use computer programs that perform exhaustive searches – seeking and attacking any website that is misconfigured or has exploitable vulnerabilities. Keeping hackers at bay requires due diligence. Here are a few best practices from the PCI Security Standards Council to help you keep your e-commerce site secure.
Know the Location of Your Data
You cannot protect sensitive cardholder data if you don’t know where it is! A data flow diagram will help your organization understand the scope of the cardholder data environment by showing the actual flow of cardholder data as it is being transmitted across various networks and systems.
If You Don’t Need It, Don’t Store It
Consolidate all necessary cardholder data in known and manageable locations and isolate it from non-cardholder environments. If done correctly, this can reduce your risk and simplify compliance efforts.
Use Encryption – But Not Just Any Old Version
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption is necessary for any website that accepts credit card data: it protects credit card data by encrypting transmissions between a browser and a website. Make sure your website uses the latest version of encryption, ideally TLS 1.2 or above. According to the National Institute of Standards and Technology, there are no fixes or patches that can adequately repair SSL or early TLS. The PCI Security Standards Council requires all organizations to upgrade to TLS 1.1 or TLS 1.2 by 30 June 2018.
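As an added example (not from this post or the Council's paper), the following Python audits an nginx-style ssl_protocols directive against the guidance above and builds a server-side ssl.SSLContext that refuses to negotiate anything below TLS 1.2; the two directive strings are constructed samples, and the function names are my own.

```python
import re
import ssl

# Versions the guidance above says cannot be adequately patched (SSL, early TLS).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Versions that satisfy "TLS 1.2 or above".
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def audit_ssl_protocols(directive: str) -> dict:
    """Parse an nginx-style 'ssl_protocols ...;' line and report which
    offered versions fall below TLS 1.2. Returns the offered set, the
    deprecated subset, and a compliant flag that is True only when every
    offered version is TLS 1.2 or newer."""
    match = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", directive)
    if not match:
        raise ValueError(f"not an ssl_protocols directive: {directive!r}")
    offered = set(match.group(1).split())
    return {
        "offered": offered,
        "deprecated": offered & DEPRECATED,
        "compliant": bool(offered) and offered <= ACCEPTABLE,
    }


def server_context() -> ssl.SSLContext:
    """Server-side context that will not negotiate SSLv3, TLS 1.0 or TLS 1.1,
    regardless of what the connecting browser offers."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_minimum_version() -> str:
    """Name of the lowest protocol version server_context() will accept."""
    return server_context().minimum_version.name


# Constructed sample directives: a legacy setting and its corrected form.
WEAK_DIRECTIVE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
FIXED_DIRECTIVE = "ssl_protocols TLSv1.2 TLSv1.3;"

if __name__ == "__main__":
    for line in (WEAK_DIRECTIVE, FIXED_DIRECTIVE):
        report = audit_ssl_protocols(line)
        status = "OK" if report["compliant"] else "FAIL"
        print(f"{status}: {line} deprecated={sorted(report['deprecated'])}")
    print("server context minimum version:", context_minimum_version())
```

The audit only reads the directive; whether the running server actually honours it still has to be confirmed by observing the negotiated version on a live connection.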
Work with Your Service Provider
If you are a small merchant, it’s possible you use outside providers to help secure cardholder data. Make sure you understand what they do for you and talk to them to understand how they protect card data. The “Questions to Ask Your Vendors” resource can help.
This is in no way an exhaustive list for securing e-commerce platforms, but it is a good place to start. For more information, the Council has issued a special interest group paper entitled “Best Practices for Securing E-commerce.” The paper discusses these best practices and much more to help merchants accept payments securely through online platforms.
About the Author
As communications specialist for the PCI Security Standards Council, Lindsay Goodspeed drives awareness of PCI security standards and resources for the protection of payment card data.