Data security on the Web can be a baffling aspect of operating an online business, but the Payment Card Industry Security Standards Council says it doesn't have to be complicated.
The council announced Jan. 31 its guidelines for e-commerce data safety. The information is a result of research completed by the council's e-commerce security special interest group.
"With fraud migrating to the card-not-present environment, we needed more guidance on this topic," says Bob Russo, the PCI council's general manager.
The 40-page supplement explains e-commerce infrastructure and common implementations from firewalls to shopping carts in a way that is meant to be easy to understand, Russo says.
The document also breaks down PCI compliance responsibilities so that merchants, processors and vendors understand what each is required to do under the PCI data security standard, Russo says.
"In the end, this is about card data security, so the merchants and vendors need to know what to do," Russo says. "We understand that there are some merchants who would like to outsource everything and not have to worry about this, but we're not there yet."
Even for a merchant who uses third-party services, the guidelines allow that merchant to deal with security "from an informed, rather than uninformed, position," Russo adds.
The document provides information for vendors selling fraud-prevention software as well, Russo says.
Security consultant and PCI expert Walter Conway of Milwaukee-based 403 Labs LLC worked on the special interest group that crafted the guidelines.
"There is always a risk of merchants just walking away from PCI in that there are 280 PCI elements to security and it's written in security-geek speak, so it can be daunting," Conway says.
The council has established shorter security tests and published guideline documents that are easier to comprehend, Conway says. The new e-commerce guidelines represent another step in keeping merchants from "walking away and being insecure."
Merchants and vendors can make simple changes to thwart many of the problems facing e-commerce data security, Conway says.
"It's hard to believe, but many merchants continue to use the default passwords put in the payment systems by the installers, or they will give the password out to too many people," Conway says.
A vendor can also "get lazy" and use one identical password across the systems it operates for numerous sites, rather than setting a different one for each, Conway adds. "If I am a hacker, and figure out the one password, all of a sudden I am into the company's entire business," he says.
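The two password failures Conway describes, installer defaults left in place and one password reused across many sites, are both easy to catch with a credential audit over a merchant's or vendor's system inventory. The script below is an added illustration, not code from the PCI council or from 403 Labs; the inventory rows and the list of default passwords are constructed for the example, and the `audit` function and its field names are assumptions of this illustration rather than anything the article describes. It hashes each password so the report never carries plaintext, flags any site still using a known default (or the username as the password), and groups sites that share a password so the "blast radius" of a single compromised credential is visible.

```python
import hashlib
from collections import defaultdict

# Constructed sample for this example: per-site credentials as an installer
# or vendor might have left them. Not real data from the article.
SAMPLE_INVENTORY = [
    ("store-001", "admin", "admin"),            # installer default never changed
    ("store-002", "posuser", "Summer2012!"),    # same password reused on three sites
    ("store-003", "posuser", "Summer2012!"),
    ("store-004", "posuser", "Summer2012!"),
    ("store-005", "posuser", "k9#Lm2!vQ8rT"),   # unique, strong value
]

# Constructed list of values an installer might leave behind; a real audit
# would load the defaults published for the specific payment products in use.
KNOWN_DEFAULTS = {"admin", "password", "123456", "passw0rd", "vendor", "pos", "default"}


def fingerprint(secret: str) -> str:
    """Short hash so findings can be correlated without storing plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def is_default(username: str, password: str) -> bool:
    """True if the password is a known installer default or equals the username."""
    return password.lower() in KNOWN_DEFAULTS or password.lower() == username.lower()


def audit(inventory):
    """Audit (site, username, password) rows.

    Returns a dict with:
      default      - sites still using a default credential
      shared       - password fingerprint -> list of sites sharing that password
      blast_radius - the largest number of sites one password unlocks
    """
    defaults = []
    sites_by_fp = defaultdict(list)
    for site, username, password in inventory:
        if is_default(username, password):
            defaults.append(site)
        sites_by_fp[fingerprint(password)].append(site)

    shared = {fp: sites for fp, sites in sites_by_fp.items() if len(sites) > 1}
    blast_radius = max((len(s) for s in sites_by_fp.values()), default=0)
    return {"default": defaults, "shared": shared, "blast_radius": blast_radius}


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for site in report["default"]:
        print(f"DEFAULT CREDENTIAL: {site}")
    for fp, sites in report["shared"].items():
        print(f"SHARED PASSWORD {fp}: {', '.join(sites)}")
    print(f"one compromised password reaches up to {report['blast_radius']} site(s)")
```

Running this over the constructed inventory flags store-001 for its default credential and groups stores 002 through 004 under one fingerprint, so a single leaked password would open three sites; that number is the one to drive toward 1 by giving each site its own credential.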
Improperly configured firewalls remain a significant security risk, as does a security alert log that no one in the company checks on a daily basis, Conway says.
Even though fraudsters constantly change attack methods and operate as "extremely competent criminal enterprises," the PCI e-commerce guidelines will have a long shelf life, Conway says.
More than 60 global organizations, representing banks, merchants, security assessors and technology vendors made up the special interest group that developed the guidelines.