The PCI Security Standards Council (PCI SSC), has published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Solution providers can use this resource to educate their customers about how to best secure consumer payment data and suppport PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:
E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
Recommendations - provides merchants with best practices to secure their e-commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.
The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:
PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.
The information supplement can be downloaded from the documents library on the PCI SSC website at www.pcisecuritystandards.org/security_standards/documents.php.