How to Reduce Your Online Business’s PCI Burden

June 3, 2016 • Category: Best Practices

Prepare Your Online Business for PCI 3.2

As they continue to evolve, the PCI DSS and its corresponding Self-Assessment Questionnaires (SAQs) reflect increasing scrutiny of the way online businesses implement and manage their e-commerce functionality.

Online Retailers in Hackers’ Crosshairs

The majority of PCI scrutiny stems from concerns surrounding the following two trends:

  • Payment card fraud is moving online:
    • There was a 30% year-over-year increase in online retail fraud attempts between 2014 and 2015 (Source: ACI Worldwide)
    • By 2018, card-not-present fraud is expected to be nearly four times greater than card-present fraud (Source: Javelin Strategy & Research)
  • Hackers are infiltrating online shopping carts:
    • Nearly 75% of legitimate websites have unpatched vulnerabilities (Source: Symantec)
    • At 40%, the percentage of web application attacks is the highest it’s ever been (Source: Verizon DBIR 2016)

The fact is, there are various technologies and processes for online payment, many of which are insecure. That is exactly why many online retailers are on a path toward a data breach.

E-Commerce and the Online Business PCI Burden

The PCI Security Standards Council (SSC) has evaluated the various e-commerce implementations and categorized their level of breach risk by assigning them to three very different SAQs:

[Chart: PCI SAQ 3.x for E-Commerce (SAQ A, SAQ A-EP, SAQ D-Merchant)]

As the chart shows, the online business PCI burden is lowest with the SAQ A and highest with the SAQ D-Merchant.

Options for Reduced Burden

Of course, the easiest way to reduce your PCI burden is to entirely outsource your business's Internet presence, or at least to entirely outsource your site's payment page to a PCI-compliant service provider.
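The practical question behind that paragraph is whether your own web page ever touches cardholder data. The script below is an added example (not code from the original post or from any PCI SSC publication) that takes a static checkout page and your merchant hostname and reports where card data would flow: to your own server, from your page directly to a third party, or not through your page at all because payment sits in a third-party iframe. Those three outcomes broadly correspond to the SAQ D-Merchant, SAQ A-EP and SAQ A scenarios the post compares, but the labels, field-name hints and sample pages are this example's own constructions, and the final SAQ determination belongs with your QSA. It only sees server-rendered HTML, so payment fields injected by JavaScript, and redirects that happen before this page is served, are not detected.

```python
"""Heuristic checkout-page scope check (added example, not the post's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names that usually carry a PAN or card verification code.
# This is a constructed heuristic list, not an authoritative one.
CARD_FIELD_RE = re.compile(r"(cardnumber|ccnumber|ccnum|cvv2?|cvc|\bpan\b)")


class _CheckoutParser(HTMLParser):
    """Collects each <form> with its action and any card-data inputs, plus <iframe> sources."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "card_fields": [normalised names]}]
        self.iframes = []    # src attribute of every <iframe>
        self._form = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "card_fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            # Normalise "card-number", "card_number", "CardNumber" to "cardnumber".
            name = (a.get("name") or a.get("id") or "").lower()
            name = name.replace("-", "").replace("_", "")
            if CARD_FIELD_RE.search(name):
                self._form["card_fields"].append(name)
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def classify_checkout(html, merchant_host):
    """Return a label describing where cardholder data entered on this page would go."""
    parser = _CheckoutParser()
    parser.feed(html)
    for form in parser.forms:
        if not form["card_fields"]:
            continue
        # A relative action posts back to the merchant's own origin.
        target = urlparse(form["action"]).netloc or merchant_host
        if target == merchant_host:
            return "merchant-handles-card-data"            # merchant systems receive PAN/CVV
        return "merchant-page-delivers-payment-fields"     # direct post from merchant page to processor
    if any(urlparse(src).netloc not in ("", merchant_host) for src in parser.iframes):
        return "fully-outsourced-iframe"                   # card fields live inside a third-party frame
    return "no-card-fields-on-page"


# Constructed sample pages; hostnames are placeholders, not real sites.
MERCHANT = "shop.example"
PAGE_SELF_HOSTED = """
<form action="/checkout/pay" method="post">
  <input name="card-number"><input name="cvv"><input name="exp">
</form>"""
PAGE_DIRECT_POST = """
<form action="https://gateway.example/v1/charge" method="post">
  <input name="cc_num"><input name="cvc"><input name="merchant_id" value="123">
</form>"""
PAGE_IFRAME = """
<p>Order summary</p>
<iframe src="https://hosted.gateway.example/pay?session=abc"></iframe>"""


def audit_samples():
    """Classify the three constructed pages; returns {page label: classification}."""
    return {
        "self_hosted": classify_checkout(PAGE_SELF_HOSTED, MERCHANT),
        "direct_post": classify_checkout(PAGE_DIRECT_POST, MERCHANT),
        "iframe": classify_checkout(PAGE_IFRAME, MERCHANT),
    }


if __name__ == "__main__":
    for page, verdict in audit_samples().items():
        print(f"{page:12s} -> {verdict}")
```

Run it against a saved copy of your real checkout page with `classify_checkout(open("checkout.html").read(), "your-host")`; a result of `merchant-handles-card-data` means your servers are in scope for cardholder data regardless of which SAQ you hoped to use.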

If neither of these options is practical for your business, then you should at minimum ensure you have a strong, well-configured Web Application Firewall (WAF) in place to create an additional layer of security for your website.

A QSA-guided PCI self-assessment is another option. The A-EP and D-Merchant SAQs are highly complex, so having a PCI Qualified Security Assessor guide you through the process can save a tremendous amount of time and hassle. In this type of engagement, the QSA acts as an advisor, ensuring you have correctly defined your cardholder data environment and gathered all the proper evidence of compliance. The QSA can also quickly clarify any questions or issues that arise.

Looking for guidance? We can help.

If your business has a website that accepts payments—or the website is your business—now is the best time to evaluate your compliance responsibility. Click here to access the PCI SAQ 3.2 Debrief for E-Commerce.
