Back to all posts

Taylor Havlisch

February 13th, 2017

5min Read

E-Commerce Security Tips from the PCI SSC

Here’s a fact that’s not-so-surprising: more than half of Americans (51%) prefer to shop online rather than in stores. If we’re talking about Millennials, that number reaches 67%.

The (somewhat obvious) thing to note about e-commerce, is that the customer payments are card-not-present transactions. That means, customers aren’t swiping or dipping their cards; they’re inputing sensitive information like their card number, billing address, etc. If more than half of shoppers are spending their time purchasing products and services from their phones, tablets and computers, they need to have a certain level of trust in the businesses they’re buying from that the sensitive information they're providing is going to be kept safe.

Just this week, the PCI Security Standards Council released their Best Practices for Securing E-Commerce, an informational supplement to earlier guidelines published in 2013 "meant to educate merchants on accepting payments securely online."

It’s a long document (64 pages to be exact), so we’ve reviewed it and taken a few easy-to-digest highlights. First, they’ve laid out the types of e-commerce solutions to consider:


URL Redirects (Shared-Management E-Commerce)

This is when a customer is redirected from a merchant’s website to a third-party page.


This is a method of embedding a web page within another web page, while isolating the embedded frame from the parent web page so information cannot be manipulated.

Direct Post Method (DPM)

This is typically used by larger merchants that would like more control over the look and feel of their platform. The DPM uses the merchant’s website to create a shopping cart and payment page. When a customer enters their information in the payment form, it’s sent directly to the payment processor rather than the merchant’s system.

JavaScript Form

Also used by larger businesses, this too originates from the merchant’s website where the customer’s browser requests JavaScript code from the payment processor to create the payment form.

Application Programming Interface (API)

This is a method of system-to-system data transmission where the merchant is in complete control, by creating a payment page and hosting the payment information before transmitting the data to the payment processor. This type of e-commerce solutions is generally used by larger organizations with specific processing needs.

Wholly Outsource Solutions

These solutions include those those that are hosted entirely on a service provider’s technological infrastructure, like a hosted shopping cart. This type of solution can reduce the number of responsibilities associated with managing PCI compliance.

Now that you’ve seen the options, the PCI Council laid them out in the chart below to demonstrate the risks and benefits of each:

When selecting the best e-commerce solution for you, the PCI Council has provided a few elements of security to consider:

Encryption + Temporary Storage

PCI Council standards require that cardholder data must be encrypted across open, public networks, both in transit and in storage. Make sure the solution you choose protects your customers’ information at the very instant it’s shared.

Anti-Fraud Measures

In addition to requesting the security code on the back of a credit card (or front of an American Express), you can use other verification methods like 3D Secure, which uses a customer pre-defined password to verify payments.

Suspicious Activity Protection

The use of fraud-detection tools such as transaction monitoring and alerting services like Kount, can help track any attempts at fraudulent charges.

Data Caching Avoidance Mechanisms

It is recommended that web forms disable autocomplete particularly for the fields that request payment information, so that copies of sensitive information are not stored within browsers.

Third-Party Content in Payment Forms

If third-party content like images are included on a payment form, that’s a vulnerability for the merchant and opportunity for a potential hacker to steal sensitive information.


Tokenization is the process of replacing card data with tokens, so that in the event of a data breach, hackers would have no use with the accessed tokens.

Here are a few other tips we pulled that will be useful when determining and managing your best e-commerce solution:

  • You should consult your acquirer or payment brand directly to determine your PCI validation requirements.
  • Know the location of you cardholder data and even consider implementing data-discovery software that can help you find any unencrypted card numbers. More importantly, if you don’t need the information, then don’t store it.
  • Train your staff to properly manage security including firewalls and digital certificates.
  • Confirm the provider you use is conducting the annual penetration tests required by the PCI Council.
  • Understand how and when a service provider may be accessing your systems for maintenance.
  • When using a third-party payment application, consider using a name that’s included on the PCI Council’s list of “Validated Payment Applications.”

While it may seem daunting, securing e-commerce transactions shouldn’t be difficult if you’re using the right technologies. If you’d like more details on anything mentioned here, let us know in the comments section below.

Connect with us

blog comments powered by Disqus