Out-Law News

New payment card data security rules place new duties on online retailers


Online retailers have been urged to act now to prepare for stiffer rules on keeping payment card data secure which come into force next month.

Alexander Norell, head of governance, compliance and risk at information security company Trustwave, told Out-Law.com that businesses behind e-commerce websites will face new duties under revised payment card industry data security standards (PCI DSS) from 1 November.

Norell said that some of these businesses may only have a "small PCI footprint" at the moment, but that the changes to the PCI DSS regime will bring them further within the scope of the requirements.

PCI DSS is the main standard related to the storing and transmission of payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions. The rules affect businesses that accept online payment card transactions.

Norell said that changes to the "threat landscape" prompted the PCI DSS regime to be updated earlier this year to account for the risk posed by so-called 'man-in-the-middle' (MIM) attacks. In a MIM attack, an attacker intercepts the communications between two parties and impersonates one of them to the other, so that data intended for the genuine party is sent to the attacker instead.

Norell said that MIM attacks present a risk where e-commerce sites outsource payment processing to a payment service provider (PSP). That is because site operators generally hand the customer over to the PSP's payment page by means of a 'redirect' or an 'iframe', and it is this hand-over between the merchant's site and the PSP that an attacker can target.

The PCI Security Standards Council updated the PCI DSS framework to require additional security controls to be applied to these links between e-commerce sites and payment processing sites, Norell said.

"The minimum e-commerce sites have to do is ensure that there are no default security settings in place, such as default passwords," Norell said. "They will have to ensure that [administrator] accounts are unique to individuals and not generic or shared, that secure passwords of good length and complexity are in place and that old or inactive accounts are removed. Approximately 80% of MIM attacks [on e-commerce businesses] have happened due to these controls not being in place."
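The four account-hygiene controls Norell lists (no default credentials, administrator accounts tied to one named person rather than generic or shared, passwords of adequate length and complexity, and removal of old or inactive accounts) are the kind of thing a merchant can check itself before a self-assessment. The following is an added example written for this page, not code from the article, Trustwave or the PCI Security Standards Council; the policy thresholds, the default-credential list, the generic-name list and the sample account inventory are all constructed assumptions, and `check_password` is meant to run when a credential is set rather than against stored passwords.

```python
"""Added example: audit a back-office account inventory and candidate passwords
against the baseline administrator-account controls described in the article.
Thresholds, default-credential list and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
import string

# Assumed policy values; substitute those from your own compliance programme.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_IDLE_DAYS = 90

# Constructed list of vendor default username/password pairs to refuse outright.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Constructed list of generic (non-personal) account names that should not be
# used for individual administrators.
GENERIC_NAMES = {"admin", "administrator", "root", "support", "shop", "webmaster"}


def check_password(username: str, candidate: str) -> list[str]:
    """Return the reasons a candidate password for `username` is unacceptable.

    Intended for use at the moment a password is set; an empty list means it
    passes the length, complexity and default-credential checks."""
    reasons = []
    if (username.lower(), candidate) in DEFAULT_CREDENTIALS:
        reasons.append("default-credential")
    if len(candidate) < MIN_LENGTH:
        reasons.append("too-short")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        reasons.append("low-complexity")
    if username.lower() in candidate.lower():
        reasons.append("contains-username")
    return reasons


@dataclass(frozen=True)
class Account:
    username: str
    owners: tuple[str, ...]   # named individuals who know this credential
    last_login: date
    is_admin: bool = True


def review_accounts(accounts, today: date) -> dict[str, list[str]]:
    """Map each non-compliant account to its findings; compliant accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = []
        if acct.username.lower() in GENERIC_NAMES:
            findings.append("generic-name")
        if len(acct.owners) == 0:
            findings.append("no-named-owner")
        elif len(acct.owners) > 1:
            findings.append("shared-credential")
        if (today - acct.last_login).days > MAX_IDLE_DAYS:
            findings.append("inactive-remove")
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample inventory for a hypothetical shop back office.
SAMPLE_ACCOUNTS = [
    Account("admin", (), date(2013, 6, 1)),
    Account("shop", ("Alice", "Bob"), date(2013, 10, 20)),
    Account("alice.smith", ("Alice",), date(2013, 10, 25)),
    Account("old.contractor", ("Carol",), date(2013, 3, 1)),
]

if __name__ == "__main__":
    for user, findings in review_accounts(SAMPLE_ACCOUNTS, date(2013, 10, 30)).items():
        print(f"{user}: {', '.join(findings)}")
    print("admin/admin rejected because:", check_password("admin", "admin"))
```

Run on the sample inventory, the review flags the unowned generic `admin` account, the `shop` credential shared by two people, and a contractor login that has been idle for months, while the personal `alice.smith` account passes; the password check shows how a default pair fails every test at once. Wire `check_password` into the password-change path and run `review_accounts` over an export of the real user table on a schedule, so that findings are produced before the assessor asks rather than after.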

Norell said that businesses that manage their own e-commerce sites must implement the new technical measures themselves. Where companies outsource the e-commerce side of their business, he said, they must ensure that the supplier of those services implements the required security measures, by updating their contracts with those providers.

Many online retailers might not realise that they are subject to the new requirements until after the 1 November deadline, Norell said. This is because businesses that process fewer than one million transactions a year can self-assess and validate their own compliance with the PCI DSS framework, and may only check for updates to the PCI DSS regime at certain times of the year, he said.

Larger online retailers that process more than one million transactions a year must have their compliance with the PCI DSS framework independently audited annually by designated Qualified Security Assessors (QSAs).

Under the new PCI DSS rules, the large online retailers will need to ensure that their QSA can carry out on-site auditing at their own business or at their e-commerce vendor when they outsource that function of their business, Norell said.

Although the new security measures should be relatively inexpensive to implement, online retailers that outsource e-commerce services to other companies can expect those suppliers to demand higher fees to meet the cost of upgrading their security measures, Norell said. They can also expect the cost of arranging QSA audits to rise, he said.

"If companies are not able to show that they are compliant they will potentially run the risk of a fine as well as the additional risk of being compromised," Norell said. "If a breach occurs the cost implications could grow exponentially because not only could the businesses have to carry out a forensic investigation and potentially pay fines and perform remediation activities, they could also suffer damage to their reputation and brand."
