Making Your E-Commerce Site Secure

PCI DSS grew out of the Cardholder Information Security Program (CISP) that Visa created in 1999 in response to the rise in online credit card fraud; the card brands consolidated their separate programs into PCI DSS 1.0 in 2004. At the time of writing, businesses validate their e-commerce sites against PCI DSS 3.2.1, and PCI DSS 4.0 is about to be released (it was published in March 2022, and 3.2.1 was retired on 31 March 2024).

In the meantime, companies rely on version 3.2.1 to secure their credit and debit card transactions. PCI DSS 4.0 keeps the same twelve requirements but is intended to add flexibility in how they are met, including a customized approach that lets an organization satisfy a requirement's objective with controls of its own design. Whichever version applies, payment orchestration remains a practical strategy for keeping cardholder data off the merchant's own systems, which is what minimizes scope and reduces ongoing maintenance cost.

Why Do People Confuse PCI SAQ A & A-EP?

Many online merchants prefer to validate with SAQ A because it is the shortest questionnaire and the least time-consuming to complete. Before PCI DSS 3.0, merchants integrating through a Direct Post, a URL Redirect to a hosted payment page, or a payment provider's JavaScript library all commonly validated with SAQ A.

Nowadays, most payment gateways and merchants use a Direct Post or JavaScript integration rather than a URL Redirect, because their customers want control over the look and flow of the payment page. PCI DSS 3.0, and the SAQ A-EP introduced alongside it, put the merchant's own systems in scope whenever the merchant's web page delivers the payment form, which is the case for Direct Post; such merchants must complete the considerably longer SAQ A-EP. That shift is the likely source of the confusion.

The iFrame Middle Ground

The second significant impact of PCI DSS 3.0 was the indication that the iFrame approach lets a merchant qualify for SAQ A. Because the payment form inside the frame is served from the payment provider's origin, the browser's same-origin policy keeps scripts on the merchant's page from reading the card fields, so the merchant's systems never handle cardholder data. The iFrame became the middle ground between the URL Redirect and Direct Post approaches.

During this time, Spreedly responded quickly by building an iFrame integration. The goal was to give clients the same design freedom they had with Direct Post while keeping the integration eligible for SAQ A. Many of Spreedly's current customers chose it for that iFrame integration.

Providing PCI Compliance Clarification

To validate PCI compliance, larger entities (Level 1 merchants) must have an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC) if the assessment passes. Mid-size and smaller merchants can avoid the on-site assessment: they complete the Self-Assessment Questionnaire (SAQ) that matches their integration and file an Attestation of Compliance (AOC). Compliance is continuous rather than a yearly event: as the site, the integration or the standard changes, the organization must review and adjust its security controls so that it still meets the SAQ it claims.

The PCI SSC guidance shows the council's thinking about the approaches online merchants use to integrate payment pages: an inline iFrame, a URL Redirect to a third-party hosted payment page, and content embedded in the merchant's own page such as JavaScript-built forms or Direct Post.

PCI SSC guidance, summarized for clients and other merchants:

  • A merchant whose e-commerce site uses iFrames to load all payment content from a PCI DSS compliant service provider may be eligible to assess its compliance against SAQ A, the smallest subset of PCI DSS requirements, because most of the requirements are handled by the Payment Service Provider (PSP).
  • A JavaScript or Direct Post integration makes the merchant eligible only for the more demanding SAQ A-EP. With these approaches the payment form sends cardholder data from the customer's browser directly to the PSP, so the merchant does not store, process or transmit cardholder data through its own servers. But because the merchant's page delivers the form, the merchant's web server and site are in scope for additional PCI DSS controls that protect the page against attackers who could alter the form or inject script to capture cardholder data.
  • Merchants using Direct Post therefore qualify for SAQ A-EP and must meet all of that SAQ's requirements. Merchants should consult their acquiring bank or the payment brands to confirm whether they must validate compliance and which reporting method to use.
  • For JavaScript the analysis is the same as for Direct Post: because the merchant controls how cardholder data is collected and transmitted to the PSP, the PCI DSS controls that apply to Direct Post also apply to the JavaScript method.
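The iFrame approach described under The iFrame Middle Ground and in the first bullet above only keeps the merchant's page out of the cardholder data flow if that page treats the frame as an untrusted cross-origin window. The following is an added example, not Spreedly's or the PCI SSC's code: merchant-page JavaScript that pins the provider's origin when building the frame URL, validates any postMessage result by exact origin and by source window, posts to the frame with an explicit target origin, and refuses anything that looks like a card number handed over in place of a token. The PSP origin checkout.psp.example, the path /v1/payment-form and the {type, token} message shape are assumptions for illustration; the code is framework-free and runs under Node as well as in a browser.

```javascript
// Added example (not Spreedly's own code): merchant-page handling of a
// PSP-hosted payment iFrame. The PSP origin, path and message shape below
// are assumptions for illustration.

const PSP_ORIGIN = "https://checkout.psp.example"; // hypothetical PSP origin

// Luhn check, used only to recognise a raw PAN that should never reach us.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the string contains a 13-19 digit run that passes Luhn: a strong
// sign that cardholder data, not an opaque token, is being posted to the page.
function looksLikePan(s) {
  const runs = s.match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Build the frame src with the PSP origin pinned in code, never taken from a
// query string or other attacker-influenced input.
function paymentFrameSrc(merchantKey, pspOrigin = PSP_ORIGIN) {
  const u = new URL("/v1/payment-form", pspOrigin);
  u.searchParams.set("key", merchantKey);
  return u.toString();
}

// Validate a "message" event from the payment frame and return the token, or
// null if anything is off. In a browser pass iframe.contentWindow as
// expectedSource so a message from any other window on the PSP origin
// (a second tab, a popup) is rejected as well.
function acceptPaymentMessage(event, expectedOrigin = PSP_ORIGIN, expectedSource = null) {
  // 1. Exact origin match: no "*", no endsWith(), no regex on hostnames.
  if (event.origin !== expectedOrigin) return null;
  // 2. Only the frame we created may report a result.
  if (expectedSource !== null && event.source !== expectedSource) return null;
  // 3. Shape check on the payload; postMessage data is untrusted input.
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (data.type !== "payment_token" || typeof data.token !== "string") return null;
  // 4. A token is short and opaque; refuse a PAN passed off as a token, since
  //    accepting it would put this page back in scope for cardholder data.
  if (!/^[A-Za-z0-9_-]{8,128}$/.test(data.token) || looksLikePan(data.token)) return null;
  return data.token;
}

// Send to the frame with an explicit targetOrigin so the browser drops the
// message if the frame has been navigated away from the PSP origin.
function postToPaymentFrame(frameWindow, message, targetOrigin = PSP_ORIGIN) {
  if (targetOrigin === "*") throw new Error("refusing to post to any origin");
  frameWindow.postMessage(message, targetOrigin);
}

// Self-check with constructed events when run outside a browser.
if (typeof window === "undefined") {
  const good = { origin: PSP_ORIGIN, data: { type: "payment_token", token: "tok_9f8e7d6c5b4a" } };
  const spoof = { origin: "https://checkout.psp.example.attacker.test", data: good.data };
  console.log(acceptPaymentMessage(good));   // tok_9f8e7d6c5b4a
  console.log(acceptPaymentMessage(spoof));  // null
}
```

In a browser, create the frame with src set from paymentFrameSrc, register window.addEventListener("message", e => { const token = acceptPaymentMessage(e, PSP_ORIGIN, frame.contentWindow); ... }), and send only the returned token to the merchant server. The merchant's page can still be attacked (a skimmer injected into it could overlay its own card form), which is why even SAQ A retains requirements on the page itself; the checks above keep the merchant from weakening the iFrame isolation through its own integration code.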

In Conclusion

PCI DSS 3.0 caused confusion about the best ways to build a secure e-commerce payment environment and about the compliance impact of each choice. The PCI SSC guidance gives clear descriptions of the different ways to build a secure payment integration. The work required for SAQ A and SAQ A-EP differs substantially, so a merchant who wants to avoid the SAQ A-EP requirements has a clear advantage in using an iFrame over the JavaScript or Direct Post methods.

Spreedly customers have also provided feedback about the ease and flexibility of using iFrame to customize their payment page over methods such as JavaScript or Direct Post.

© 2012-2024