6. Use Secure Software
Credit card data is handled most often by software, not people, so make sure you're using secure software.
A few years ago, companies that had to comply with PCI's requirement for the development and maintenance of secure applications only had to make sure their software eliminated the Open Web Application Security Project's top 10 vulnerabilities. Those requirements became more stringent last year, when PCI SSC changed the language to include other collections of vulnerabilities, such as the SANS top 25 most dangerous software errors.
No wonder companies have trouble keeping up, says Veracode's Eng. Online companies have problems securing their sites against SQL injection and cross-site scripting, the top two threats on the SANS list, never mind the other 23 issues.
7. Protect The Web Server
The critical part of an online retailer's operation is the care and maintenance of its Web server and online store. The quarterly external vulnerability scan that PCI requires e-commerce merchants to submit to can find security vulnerabilities, but only the ones present on the day of the scan. In addition, under PCI, software must be kept up to date and critical security patches installed within one month of release. That may be too long.
Merchants can use one of three strategies to protect their online stores and comply with PCI: Scan the application's source code for vulnerabilities and fix any problems as part of development; dynamically scan the running website to identify and patch vulnerabilities; or use a Web application firewall to block attacks. But just having a WAF isn't enough. It must be configured correctly, which above all means running it in a mode that actually blocks matching requests rather than only logging them. "They tend to be configured very, very lenient," Eng says. "Many companies run them in a mode that never blocks a request."
Companies also must think like attackers. A cross-site scripting attack, for instance, lets an attacker inject script or other content into pages served by a vulnerable website, so that the customer's browser treats it as coming from that site and runs it with that site's privileges. A cross-site scripting attack may not directly compromise a merchant's servers, but attackers can use the technique to redirect customers to a lookalike site from which they can collect card data.
"If I'm a hacker and I can redirect you to a website, what prevents me from redirecting you to my bad site?" says Trustwave's Rosenberg. E-commerce vendors must find these vulnerabilities during development or a security scan and fix them. Alternatively, use a WAF to block these attacks, he says.
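The redirect Rosenberg describes, as an added example that is not from the article or any vendor named in it: a reflected cross-site scripting bug in a search page, the same page with output encoding, and a check for "return to" redirect parameters. It is plain Node.js with no third-party modules; the hostnames and the payload are made up for the demonstration.

```javascript
// Added example (not from the article): a reflected cross-site scripting bug
// in a search page, its fix, and a redirect-target check. Node.js, no
// third-party modules. Hostnames and the payload below are made up.

// VULNERABLE: the query parameter is spliced straight into the page, so a
// crafted link can run attacker script with the shop's own origin.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Encode the five characters that matter in an HTML text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// FIXED: same page, untrusted data encoded for the context it lands in.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Constructed attacker payload, e.g. mailed to customers as
// https://shop.example/search?q=<script>location='https://shop-example.evil/'</script>
// On the vulnerable page the script runs and bounces the customer to a
// lookalike checkout that harvests card data.
const XSS_PAYLOAD = "<script>location='https://shop-example.evil/'</script>";

// Crude detector used to compare the two renderers: does the output
// contain a script element the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Redirect handling for "return to" parameters after login or checkout.
// Only same-origin destinations are honoured; anything else (another host,
// a protocol-relative //host path, a javascript: URL) falls back to "/".
function safeRedirectTarget(target, siteOrigin) {
  let url;
  try {
    url = new URL(target, siteOrigin); // resolves relative paths against the shop
  } catch (e) {
    return "/";
  }
  if (url.origin !== siteOrigin) return "/";
  return url.pathname + url.search;
}

// Stand-alone demonstration.
console.log("vulnerable:", renderSearchVulnerable(XSS_PAYLOAD));
console.log("fixed:     ", renderSearchSafe(XSS_PAYLOAD));
console.log("redirect:  ", safeRedirectTarget("//shop-example.evil/login", "https://shop.example"));
```

The encoder handles the HTML text context only; a value that lands inside a script block, an attribute, or a URL needs the encoding for that context, which is why a templating library that encodes by default is the better fix for a real store. The redirect check resolves the parameter against the site's own origin before comparing, so a protocol-relative `//evil.example/...` value, which a naive "starts with /" check would accept, is rejected.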
8. Authorized Users Only
Three PCI requirements deal with access control: restricting access to cardholder data to those whose job requires it, identifying and authenticating every user, and restricting physical access. Restricting physical access to cardholder data may be the easiest one to comply with. While a brick-and-mortar store has to educate and monitor cashiers who handle credit cards every day, e-commerce employees never see an actual card. Yet an online retailer may have a harder time restricting logical access to card data, because so many employees have legitimate access to the systems that handle the data.
Employees and partners may also inadvertently weaken your company's data access policies by choosing poor passwords. A whopping 80% of breaches are caused by the use of weak or default administrator credentials, Trustwave said in its 2012 Global Security Report. In many cases, a third-party provider used the same password or a simple variant across many of its clients; a breach of one business led to the breach of all.
9. Encrypt, And Don't Lose The Keys
For companies that keep cardholder data, PCI requires that stored account numbers be rendered unreadable, with strong encryption the usual choice, and that cardholder data be encrypted whenever it crosses open, public networks. It's all about turning cardholder data from gold that attackers want into worthless straw that they can't use, says Mark Bower, VP of data security firm Voltage.
Tokenization is popular with merchants: the provider encrypts the card data and stores it in its own vault, and hands the merchant back a token, a surrogate that looks like a credit card number but cannot be turned back into one without the vault. The merchant keeps only the token and uses it to refer to the card for refunds and repeat orders. Combined with end-to-end encryption of the card data from the point of capture, this cuts down the number of PCI requirements that apply to the merchant's own systems and reduces the impact of breaches, because if attackers steal nothing but tokens, they haven't obtained cardholder data and the incident doesn't constitute a breach, Bower says.
But encryption doesn't solve all of your problems. Many large breaches have happened because thieves were able to get the decryption key. That's why PCI also requires that keys be protected, kept in as few locations as possible and accessible to as few custodians as possible: an attacker who can read both the encrypted card table and the key that protects it has the card numbers.
10. Don't Become A Check Box Culture
PCI isn't the be-all and end-all of information security. It's an "absolute bare-bones requirement," Hoff says. "It's like the sign that says 'No Running' by the pool. It doesn't mean you aren't going to have an accident."
Businesses should worry about threats beyond those covered by the PCI DSS. Attackers could use HTML injection, for example, to make Google's page-ranking bots see links in a merchant's site that aren't normally there. The result: An online retailer's site could be used to raise the page rankings of malicious websites. "You need to ask in this environment: How could I be attacked?" says Trustwave's Rosenberg.
Most important, online merchants must understand that to keep their customers, they must protect their customers' data, says Heartland's South. "Their basic obligation is that they have to protect their client's transaction. And that really has nothing to do with PCI. PCI is just a tool to get there."
More help is on the way: PCI SSC has an interest group developing guidelines for e-commerce security. Its initial report, due by December, should go a long way toward assisting all retailers in securing their customers' data.