As they continue to evolve, the PCI DSS and its corresponding Self-Assessment Questionnaires (SAQs) reflect increasing scrutiny of how online businesses implement and manage their e-commerce functionality.
Online Retailers in Hackers’ Crosshairs
The majority of PCI scrutiny stems from concerns surrounding the following two trends:
- Payment card fraud is moving online:
  - There was a 30% year-over-year increase in online retail fraud attempts between 2014 and 2015 (Source: ACI Worldwide)
  - By 2018, card-not-present fraud is expected to be nearly four times greater than card-present fraud (Source: Javelin Strategy & Research)
- Hackers are infiltrating online shopping carts:
  - Nearly 75% of legitimate websites have unpatched vulnerabilities (Source: Symantec)
  - At 40%, the percentage of web application attacks is the highest it's ever been (Source: Verizon DBIR 2016)
The fact is that there are many technologies and processes for online payment, and many of them are insecure. That is exactly why many online retailers are on a path to a data breach.
The PCI Security Standards Council (SSC) has evaluated the various e-commerce implementations and categorized their level of breach risk by assigning them to three very different SAQ types (SAQ A, SAQ A-EP and SAQ D-Merchant):
As the chart shows, the online business PCI burden is lowest with the SAQ A and highest with the SAQ D-Merchant.
Of course, the easiest way to reduce your PCI burden is to entirely outsource your business's Internet presence, or at least to entirely outsource your site's payment page to a PCI-compliant service provider.
If neither of these options is practical for your business, then you should at minimum ensure you have a strong, well-configured Web Application Firewall (WAF) in place to create an additional layer of security for your website.
A QSA-guided PCI self-assessment is another option. The A-EP and D-Merchant SAQs are highly complex, so having a PCI Qualified Security Assessor (QSA) guide you through the process can save a tremendous amount of time and hassle. In this type of engagement, the QSA acts as an advisor, ensuring you've correctly defined your cardholder data environment and gathered all the proper evidence of compliance. The QSA can also quickly clarify any questions or issues that arise.
If your business has a website that accepts payments—or the website is your business—now is the best time to evaluate your compliance responsibility. See the PCI SAQ 3.2 Debrief for E-Commerce for more detail.