Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/31/2017
04:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

PCI SECURITY STANDARDS COUNCIL ISSUES BEST PRACTICES FOR SECURING E-COMMERCE

E-commerce Security More Important Than Ever For Merchants

WAKEFIELD, Mass., 31 January 2017 — Exponential online sales growth paired with the EMV chip migration in the US makes e-commerce payment security for merchants more important than ever before. As EMV chip technology continues to reduce face-to-face credit card fraud, the shift to e-commerce security becomes increasingly important to businesses large and small. To help merchants shore up their e-commerce platforms, today the PCI Security Standards Council released Best Practices for Securing E-commerce. The information supplement will educate merchants on accepting payments securely online and is an update to existing guidance previously published in 2013.

Securing the e-commerce environment continues to be critically important- a recent survey found that 66% of consumers claim they won’t purchase from an organization that has been breached.[1]  The Best Practices for Securing E-commerce information supplement includes practical recommendations and case studies to help merchants identify the best solution for their specific cardholder data environment. In addition to educating merchants, this latest resource from the Council also provides guidance for third party e-commerce service providers and assessors that support the ongoing security of e-commerce environments.

Following industry recommendations, in December 2015 the Council announced that all organizations that accept payment cards must use TLS 1.1 encryption or higher by June 2018. SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel. To underline the importance of using an encrypted channel, Google announced that beginning in January 2017, the Chrome browser will warn users when a website doesn’t use HTTPS. As there is still confusion in the industry regarding encryption and certificate selection, a large portion of the e-commerce supplement is dedicated to explaining SSL/TLS, with guidance on how to select a certificate authority, an outline of the different types of certificates and a list of potentials questions merchants can ask service providers regarding digital certificates and encryption.

The Best Practices for Securing E-commerce information supplement is a result of a Council-led Special Interest Group (SIG). SIGs bring together smart, experienced payment security professionals from a wide-ranging group of PCI stakeholders- including merchants, financial institutions, service providers, assessors and industry associations to address important security challenges related to PCI Security Standards.

“Our community of members boasts a wealth of payment security knowledge to protect e-commerce transactions all over the world,” said Troy Leach, Chief Technology Officer for the Council. “This information supplement is a testament to their collaboration and willingness to share their experience with others and provides easy to understand examples of e-commerce scenarios along with best practices to secure cardholder data and meet PCI DSS requirements. Their engagement on Council efforts like this paper, the Small Merchant Task Force, and other resource guides help educate merchants on how to make better business decisions to secure cardholder data. Our aim is to make cardholder data more secure in the most sensible way possible.” Additional comments from Troy on this supplement can be found in a Q&A on the PCI Perspectives blog.

Visit the Special Interest Group page to learn how your organization can provide expertise and develop practical payment security resources for the industry. Best Practices of Securing E-commerce is available on the PCI SSC website.

About the PCI Security Standards Council

The PCI Security Standards Council is a global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Connect with the PCI Council on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.

 

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...