There’s a great deal of nervousness amongst eCommerce merchants concerning the perennially thorny topic of compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to Phil Brindley, CTO, The Bunker.
Phil stated: “There has always been ambiguity surrounding what falls within scope, and this was highlighted when news of the TalkTalk hack broke. As the latter pointed out, companies are not legally obliged to encrypt sensitive customer data, including bank details, unless they are actually processing payment card information.
“However, merchants and payment service providers (PSPs) have been asking more questions since PCI Version 3.1 came into effect in April 2015, which followed Version 3.0 in January 2015,” he continued.
Prior to Version 3.0, merchants handling fewer than 6 million transactions per year (i.e. Levels 2-4 under PCI DSS) could use a hosted payment page from a PCI-compliant PSP to de-scope their own web infrastructure. All they had to do was complete a self-assessment questionnaire (SAQ) and Attestation of Compliance.
Under Version 3.1, however, responsibility for compliance with all 12 key requirement areas falls on the merchant, irrespective of whether they are working with a PSP.
“Yet we’ve seen too many instances where merchants continue to assume that their infrastructure is not in scope because they outsource aspects of their payments page. This assumption is incorrect.
“The bottom line is that if merchants are being told by their PSP that they’re out of scope because they use a hosted payment page – whether via a URL redirect or inline frame (iframe) – they are being sold false information and are exposing themselves to the risk of substantial fines and reputational damage,” he continued.
“Prior to the introduction of Version 3.0, merchants processing under 6 million transactions a year and using a hosted payment page were required to complete SAQ-A, which at 14 questions and an Attestation of Compliance was relatively simple.”
“But while SAQ-A still exists for Version 3.1 and has seen only minor revisions, merchants who use hosted payment pages are now subject to the SAQ A-EP (Electronic Processing), which has 139 questions and calls for a quarterly ASV Scan and annual penetration test.”
The SAQ A-EP has been introduced because the PCI Standards Security Council (SSC) now recognises that a merchant’s web infrastructure could impact the security of payment transactions. For example, an attacker gains access to the underlying host operating system running a merchant’s website, edits the file controlling the redirect and points it to a fake payment page where an unsuspecting consumer’s card details are harvested.
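The redirect-tampering scenario above is the kind of change a merchant can detect on its own infrastructure. The following script is an added illustration, not code from The Bunker or the PCI SSC: it pulls every hand-off target (iframe source, form action, meta refresh, script redirect) out of a checkout page, flags any that is not HTTPS to an allowlisted PSP host, and compares the page's SHA-256 digest against a known-good value so that edits to the redirect file are noticed. The PSP hostname and both HTML snippets are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed allowlist: the only PSP origin this merchant hands card entry off to
# (hypothetical hostname, not a real payment provider).
ALLOWED_PSP_HOSTS = {"pay.example-psp.test"}

# Constructed "known good" checkout page: a hosted payment iframe from the PSP.
CLEAN_HTML = """<html><body>
<h1>Checkout</h1>
<iframe src="https://pay.example-psp.test/checkout" title="Payment"></iframe>
</body></html>"""

# Constructed tampered page: the iframe now points at a look-alike host and a
# plaintext HTTP form has been added.
TAMPERED_HTML = """<html><body>
<h1>Checkout</h1>
<iframe src="https://checkout-lookalike.invalid/pay" title="Payment"></iframe>
<form action="http://pay.example-psp.test/legacy" method="post"></form>
</body></html>"""


def extract_payment_targets(html):
    """Return every URL the page could send the shopper (or card data) to."""
    targets = []
    targets += re.findall(r'<iframe[^>]+src=["\']([^"\']+)["\']', html, re.I)
    targets += re.findall(r'<form[^>]+action=["\']([^"\']+)["\']', html, re.I)
    targets += re.findall(
        r'<meta[^>]+http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', html, re.I)
    targets += re.findall(
        r'location\.(?:href|replace)\s*[=(]\s*["\']([^"\']+)["\']', html, re.I)
    return targets


def check_targets(targets, allowed_hosts=ALLOWED_PSP_HOSTS):
    """Return the targets that are not HTTPS to an allowlisted PSP host."""
    findings = []
    for target in targets:
        parsed = urlparse(target)
        if parsed.scheme != "https" or parsed.hostname not in allowed_hosts:
            findings.append(target)
    return findings


def file_digest(data):
    """SHA-256 of the redirect/checkout file, as stored in a change baseline."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def config_changed(data, known_digest):
    """True when the file no longer matches the baseline digest."""
    return file_digest(data) != known_digest


def audit_page(html, known_digest):
    """Combine the two checks into a single report dict."""
    return {
        "changed": config_changed(html, known_digest),
        "bad_targets": check_targets(extract_payment_targets(html)),
    }


if __name__ == "__main__":
    baseline = file_digest(CLEAN_HTML)  # recorded when the page was last reviewed
    print("clean page:   ", audit_page(CLEAN_HTML, baseline))
    print("tampered page:", audit_page(TAMPERED_HTML, baseline))
```

Run on a schedule against the deployed page (and the file on disk), the digest check catches the edit itself while the target check explains why it matters; either result firing is a reason to take the checkout offline until the page is verified.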
Many e-commerce merchants are concerned not only about the continued ambiguity surrounding the self-assessment requirement, but also about further shifts in the relevant standards at a time of renewed effort in the fight against cybercrime.
“In 2015 the US National Institute for Standards and Technology (NIST) announced it no longer deemed Secure Socket Layer (SSL) as acceptable for protection of data due to inherent weaknesses in the protocol. Meanwhile, the SSC has published details of PCI DSS Version 3.1, which states both SSL and Transport Layer Security (TLS) 1.0 can no longer be used after 30 June 2016.
“This renewed focus and the fallout from TalkTalk and other high-profile breaches has meant eCommerce merchants are now re-evaluating their approach to cybersecurity and taking more advice. Unfortunately, we’re seeing that the advice they’re taking is incorrect. Here at The Bunker, we’ve been shocked at the number of merchants approaching us having been ill advised, mis-sold to, or simply unaware they’re actually in scope of PCI – and especially SAQ A-EP. Given that there are thousands of merchants across the UK, the level of confusion we’re seeing is indicative of a much wider problem.”
NOTES TO EDITORS
About The Bunker
The Bunker provides Ultra Secure Hosting, Cloud, Colocation and IT Services from within the UK’s most secure facilities, outside the M25 yet within easy reach of London.
At The Bunker, we put security first and keep some of the most demanding businesses Ultra Secure and available. Our data centres are former nuclear bunkers upgraded with millions of pounds of investment in networking infrastructure, fire suppression, power and cooling.