Hosted Payment Page/iFrame Best Practices
ClearGate has taken many steps to reduce the PCI burden for both VAR’s and Merchants with our Hosted solution, however, we still recommend that network admins at all levels take steps to ensure continued data security. While the infrastructure we have in place allows for card data to make its way to our gateway securely, independent websites are still vulnerable to third party attacks that can intercept sensitive data before it makes it to us.
Below are best practices as recommended by the PCI Security Standards board in their PCI DSS E-commerce Guidelines (January 2013):
Know the Location of all Your Cardholder Data
Data-flow diagrams provide an important aid to understanding the scope of the cardholder data environment by showing the actual flow of cardholder data as it is being transmitted across various networks and systems. Periodic review will ensure accuracy as changes to the environment may occur.
A well-designed data flow diagram will:
- Identify each system involved in the storing, processing and transmission of cardholder data (CHD)
- Identify any system connected to the systems which store, process or transmit cardholder data
- Illustrate how cardholder data is processed, for example, how CHD is managed within a web application’s functionality and pages, along with how the data flows within a network or across multiple networks
- Illustrate where security controls are implemented
- Illustrate and make a clear distinction between payments processed under the merchant’s responsibility (whether developed internally or purchased from a third party and integrated with a shopping cart) vs. payments processed solely within third party environments.
If You Don't Need It, Don't Store it
Eliminating any cardholder data that is not needed per PCI DSS Requirement 3.1, consolidating necessary cardholder data in known and manageable locations, and isolating all cardholder data away from noncardholder environments may reduce the number of locations and amount of cardholder data that require protection, as well as the number of access points to the CDE that need to be secured.
Evaluate Risks Associated with the Selected E-commerce Technology
Entities should thoroughly and carefully evaluate the risks associated with each e-commerce solution prior to selecting or implementing one. Whether an e-commerce solution is fully hosted and managed by the merchant, or is partially or fully outsourced to a third-party, results in different levels of risk for the merchant.
The flow and storage of cardholder data should be accurately documented as part of this risk assessment process to ensure that all components and third parties are identified and properly secured or managed. Once implemented, e-commerce environments should be included in an organization’s annual risk-assessment process.
Address Risks Associated with Outsourcing to Third-party Service Providers
Security is a critical element for any website, shopping cart or other e-commerce service. The following best practices are offered for consideration when outsourcing any component of a merchant’s e-commerce environment to third parties.
When evaluating potential services from third parties, e-commerce merchants should consider the following:
- Request quotes from multiple service providers in order to gain familiarity with the basic elements of a service offering and to learn about the available optional features.
- Ask for a description of security services. A company capable of supporting payment services should be able to describe their security capabilities in clear, non-technical terms and offer security as a part of their basic service.
- Buy payment services from an e-commerce service provider that can provide references from financial institutions or other payment service companies. Handling payments securely requires experience.
- Research prospective providers; there are numerous resources available online that provide customer reviews, service provider ratings, and even security breach history.
When engaging with service providers, merchants should have a contract or written agreement that:
- Specifies the responsibility for compliance with PCI DSS requirements for both the merchant and the service provider (per PCI DSS Requirement 12.8).
- Indicates how they meet applicable PCI DSS requirements.
- Identifies whether the service provider will undergo its own PCI DSS compliance validation or will support the merchant’s PCI DSS assessment each year for the services provided by the service provider.
When managing third-party service providers, merchants should consider the following:
- If outsourcing web-hosting services, ask the provider for standard hardware and software configurations, a defined schedule for updating hardware and software patches and versions, a 7x24x365 active monitoring service, and support for investigations in the event of a security breach.
- If outsourcing data storage services, verify whether the service provider can independently manage encrypted backups and database administration. Clarify these features in the agreement or contract, along with appropriate PCI DSS controls as applicable.
- If a service provider’s network infrastructure and processes have not been assessed for PCI DSS compliance, the service provider may find it difficult or costly to remediate identified security issues. When outsourcing environmental or network infrastructure, agree which company will pay to remediate such security issues before signing an agreement or contract.
- Review third parties’ signed Attestations of Compliance (AOC) to confirm their compliance status is current (like merchants, service providers should validate PCI DSS compliance annually), and that the services being provided to the merchant are covered by the service provider’s PCI DSS assessment.
- Verify that the service provider’s PCI DSS assessment identifies them as a service provider (not as a merchant).
- Merchants hosted within a shared environment (i.e., more than one merchant’s website is hosted on a common server) should note that shared hosting providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, in addition to all other applicable PCI DSS requirements. Confirm that the PCI DSS assessment of a shared hosting provider includes all applicable requirements.
ASV Scanning of Web-hosted Environments
PCI DSS Requirement 11.2 for external and internal vulnerability scanning applies to e-commerce websites because they are part of the cardholder data environment. When a merchant outsources website hosting and/or management to a third-party hosting provider, the merchant may not have control over the scanning process. The following best practices apply to merchants using third-party web hosting:
- Ensure that ASV scanning is being carried out as specified by PCI DSS Requirement 11.2.
- If a merchant’s e-commerce site is hosted in a shared environment (more than one merchant’s website on the same server), there are two options available for scanning:
- The hosting provider can undergo ASV scans on their own and provide evidence of compliant scans to the merchant; or
- The hosting provider can undergo an ASV scan as part of each of their merchant’s ASV scans.
- Ultimately, it is the merchant’s responsibility to ensure their hosted environment receives a passing result on a quarterly basis from appropriately scoped ASV scans.
Best Practices for Payment Applications
- Use SSL/TLS when transmitting cardholder data internally (for example, at cardholder data ingress and egress points) within the merchant’s network.
- Due to the dynamic nature of e-commerce environments and frequent changes to websites and web applications, and as traditional firewalls may not have the capability to inspect the contents of encrypted network traffic, consider implementing a web-application firewall (WAF) or additional intrusion-detection technologies.
- Follow PA-DSS when internally developing and implementing payment applications/shopping carts to help ensure that the application will support PCI DSS compliance.
- Consider using third-party payment applications that are PA-DSS validated and noted on the list of Validated Payment Applications as “acceptable for new deployments” (see the PCI Council website for the current list of Validated Payment Applications).
- Note that some payment brands require the use of PA-DSS validated payment applications where third-party payment applications are in use. Merchants should consult with their acquirers or the payment brands to understand applicable requirements.
- The correct installation of a payment application is critical to the protection of payment card data. The payment application’s PA-DSS Implementation Guide (obtained from the payment application vendor) should be followed when installing and configuring the payment application to ensure that the product is implemented in a manner that supports PCI DSS compliance.
- Regularly review any links (such as URLs, iFrames, APIs etc.) from the merchant’s website to a payment gateway to confirm the links have not been altered to redirect to unauthorized locations.
Implement Security Training for all Staff
- Ensure all staff are trained to use systems securely and to follow defined procedures. Training should include awareness of potential security threats and the appropriate action to take in the event of a suspected breach.
- Train technical staff to properly manage security including firewalls, digital certificates, and SSL encryption.
- Train all internal staff to be aware of general security issues such as social engineering techniques used by unauthorized individuals to gain access to areas with cardholder data.
- Assign a specific team member(s) to monitor and report on any and all security alerts issued by the card brands and other security websites to stay current on emerging threats.
- Consider implementing an additional firewall between the application server and the database server to further reduce risks from the Internet-connected web server.
- Limit displays of account numbers to the minimum necessary for the consumer to complete their purchase. For example, once the account number is verified, don’t display the full number back to the consumer in the order summary or receipt.
Best Practices for Consumer Awareness
Provide awareness for consumers to protect their payment card data when making online purchases. Examples of such guidance could include:
- Don’t use public, untrusted computers for e-commerce transactions. Public computers may not be secure and could be capturing payment card data as it is being entered.
- Don’t make purchases when connected to an unsecured wireless network (for example, using your laptop computer with a public WiFi connection), unless you have a personal firewall on your computer.
- Be aware of “shoulder-surfing” if entering payment card data in a public location.
- Keep personal computers up-to-date with security patches.
- Always ensure your computer is running anti-virus software that is updated with the most recent virus signatures and definitions before connecting to the Internet.
- Always check for signs of a secure web page, for example, look for the “HTTPS” prefix in the web address or the little “padlock icon” at the top or bottom of the web browser, a green address bar, or a security seal before entering payment card data.
- Use strong passwords that cannot be easily guessed (for example, don’t use your date of birth or your name as a password).
- Keep your passwords private. For example, don’t write them on a piece of paper attached to your computer (especially if you are in a public place), and don’t save them in a file on a computer that is shared with others.