Owning a business which sells online (ecommerce) can be a big win and also a big risk, and that risk is what PCI compliance aims to address. Once your site is able to capture customer details and take payments, the exposure to malicious damage is far higher than for a static website. The flow of payments between banks, credit/debit cards and payment platforms like PayPal, Apple Pay, Google Pay and others is monitored by those platforms to look for patterns of fraud. Hacking an e-commerce site has a high potential reward if the attacker can grab card details and use them to buy a pile of merchandise before the card owner realises they’ve been compromised.
The PCI DSS Standards
This is where the PCI DSS standard comes in: it is used to measure the safety and security of e-commerce websites. Achieving PCI compliance is far more complicated than installing a plugin, as it concerns the end-to-end flow of customer data from the point of capture on a web form through to your company’s internal network, staff and security policies.
PCI requires you to review and harden every aspect of your technology:
- The physical environment of servers
- The maintenance of server hardware and operating system
- The maintenance and security of your e-commerce platform (such as WooCommerce, Magento and others)
- The setup, access and administration of the entire tech stack
- The network configuration and security of any systems involved or near to your e-commerce platform
- The policies and procedures surrounding the staff who come into contact with your e-commerce platform and customer data
- The defensive technology layers put in place to prevent unwanted access to your site and servers
Firms can take at least two approaches to PCI compliance:
- Self-assessment and goodwill
- External review and examination by an approved security vendor
An example of site risk
Using the Foregenix site scanner (linked here) you can discover the relative level of risk for your website and some of the issues on it. Here’s an example of a site which has remained below the global and baseline site risk levels over a long period and is in acceptable health.
Here’s an example of a site which urgently needs repair work to lower the level of risk:
If your site looks like the second one – get in touch with us as we can help with a short term and long term plan.
Self Assessment for PCI Compliance
The self-assessment route is supported by the different versions of the PCI Self-Assessment Questionnaire (PCI SAQ), which provide a very detailed approach to examining your situation. The SAQs don’t tell you what to do to achieve compliance, but the wording of the questions makes it pretty clear when you need to apply technology fixes or have policies and procedures in place. What the self-assessment route doesn’t do is give you any objective confidence that you really have met the standard – or that your technology really is up to scratch.
Externally Assessed PCI Compliance
A formal route to compliance using an external third party also uses the questionnaire approach, but this time someone with experience will guide you on which path is appropriate and will actually require evidence of compliance. One service you must acquire is that of an Approved Scanning Vendor (ASV). An ASV is a technology service which you use to scan your website for vulnerabilities and produce a report which your external assessor will want to see. An example of an ASV is HackerGuardian; it runs in the background periodically and gives you concrete evidence of where your site and server stand. Once you have a site scan and a PDF report, a human at the ASV carries out a formal review and grants (or withholds) a status of Pass or Fail.
Your external assessor will review your ASV scan report along with your evidence to address the questionnaires to produce a final Attestation of Compliance (AOC) which is the evidence of PCI Compliance. This AOC is the vital report which a payment processor would want to see should there ever be any fraudulent activity in or related to your website.
Defending Your Site
One layer of defence which is vital for an ecommerce site is that provided by platforms like Sucuri and Cloudflare. Both these services insert themselves into your DNS chain and become the guardian and access route to any online sites or assets you own. The clever thing these platforms do is take ownership of the DNS for your site, so every request to visit it passes through them, where it can be examined and if necessary stopped before it ever reaches your website. Not only can they look at the source of requests and their location, but they can also examine the incoming URL for legitimacy. For instance, one approach to hacking a site is to send sneaky URL requests to files or scripts on your site which may not be visible but could be open to compromise. Sucuri or Cloudflare can not only stop these requests but already have a built-in library of malicious traffic patterns which they block.
The same layer also handles the unwanted ‘denial of service’ (DoS) attack – you want your site crawled by legitimate search engine bots but not bombarded by hackers scraping your site looking for ways in. Both Sucuri and Cloudflare provide the means to block unwanted bots and to react to a DoS attack, right at the source. In our opinion services like this are essential for e-commerce sites.
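To make the two checks described above concrete (examining incoming URLs for requests to files a shopper never legitimately asks for, and throttling a single source that floods the site), here is a small added example of an edge request filter written for this article. It is not Sucuri’s or Cloudflare’s code and does not reproduce either vendor’s rule library; the path patterns, the rate-limit figures, the blocklisted address and the sample traffic are all constructed for illustration, with addresses taken from the reserved documentation ranges.

```python
"""Minimal edge request filter, illustrating the kind of checks a DNS-fronting
service such as Sucuri or Cloudflare applies before traffic reaches the origin.
Constructed example; the rules and sample traffic are illustrative only."""
from collections import deque
from dataclasses import dataclass, field
import re
from typing import Deque, Dict, List, Set, Tuple

# Paths a shop's visitors never legitimately request: backup copies of config
# files, version-control metadata, environment files. Illustrative list only.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"/\.env$"),
    re.compile(r"/\.git(/|$)"),
    re.compile(r"\.(bak|old|orig|swp)$"),
    re.compile(r"/wp-config\.php"),
]

# Rate limit (assumed figures): more than MAX_REQUESTS from one address inside
# WINDOW_SECONDS is treated as scraping or flooding rather than browsing.
MAX_REQUESTS = 5
WINDOW_SECONDS = 10.0


@dataclass
class EdgeFilter:
    """Decides allow/block per request from source, path and arrival time."""
    blocked_sources: Set[str] = field(default_factory=set)
    _history: Dict[str, Deque[float]] = field(default_factory=dict)

    def decide(self, src_ip: str, path: str, ts: float) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for a single request."""
        # 1. Source-based check: addresses already known to be hostile.
        if src_ip in self.blocked_sources:
            return "block", "source on blocklist"
        # 2. URL legitimacy check: probes for hidden or sensitive files.
        for pat in SENSITIVE_PATH_PATTERNS:
            if pat.search(path):
                return "block", f"path matches {pat.pattern}"
        # 3. Sliding-window rate limit per source address.
        hist = self._history.setdefault(src_ip, deque())
        while hist and ts - hist[0] > WINDOW_SECONDS:
            hist.popleft()
        hist.append(ts)
        if len(hist) > MAX_REQUESTS:
            return "block", "rate limit exceeded"
        return "allow", "ok"


# Constructed sample traffic: "<timestamp> <source ip> <path>" per line.
# 203.0.113.10 browses normally, 198.51.100.7 probes for config files,
# 192.0.2.50 hammers product pages, 198.51.100.99 is pre-blocklisted.
SAMPLE_TRAFFIC = """\
1000.0 203.0.113.10 /product/blue-widget
1000.5 203.0.113.10 /cart
1001.0 198.51.100.7 /.env
1001.2 198.51.100.7 /wp-config.php.bak
1002.0 192.0.2.50 /sitemap.xml
1002.1 192.0.2.50 /product/1
1002.2 192.0.2.50 /product/2
1002.3 192.0.2.50 /product/3
1002.4 192.0.2.50 /product/4
1002.5 192.0.2.50 /product/5
1002.6 192.0.2.50 /product/6
1003.0 198.51.100.99 /
"""


def run_sample(log: str = SAMPLE_TRAFFIC) -> List[Tuple[str, str, str]]:
    """Run the filter over the sample log; returns (ip, action, reason) rows."""
    edge = EdgeFilter(blocked_sources={"198.51.100.99"})  # constructed blocklist
    rows = []
    for line in log.splitlines():
        ts, ip, path = line.split()
        action, reason = edge.decide(ip, path, float(ts))
        rows.append((ip, action, reason))
    return rows


if __name__ == "__main__":
    for ip, action, reason in run_sample():
        print(f"{ip:15} {action:5} {reason}")
```

In this sample the two config-file probes and the blocklisted address are dropped outright, and the sixth and seventh requests from the scraping address inside the ten-second window are refused. A real edge service layers far more on top of this (geolocation, a maintained library of attack signatures, and verification of search-engine crawlers by reverse DNS rather than by the easily spoofed User-Agent header), but the shape of the decision is the same: inspect source and URL, count, and stop the request before the origin server ever sees it.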
What should you be doing?
- If you have no idea about the safety of your website, use this scanner which shows the level of risk for your site: https://www.foregenix.com/solutions/technology/webscan
- Find a suitable website security scanner service which provides a detailed report on your site security issues
- Decide who in your firm is accountable for website safety and security, and talk to us about site security
- Ask your payment provider if they have detected any fraudulent transactions related to your site
Don’t wait for that call from the payment processor telling you your site has caused fraud – be proactive and begin using the tools above to find out where you stand. Call Brandex for a free assessment of your current site risk and recommendations on how to move forward.