evolve but they do so often at a more languid pace than does the technology
itself. Toss in economic considerations and you've got a real Ecommerce conundrum...
Recent literature published in the PCI Knowledge-base examines security and
compliance migrations, cost reductions, and virtualization in recessionary
times. Ecommerce solution provider ShopVisible offers up
insights into its own PCI assessment process while trying to stay on top of
recent Ecommerce security news in order to provide its clients and readers a
glimpse into the rapidly blossoming arena of Ecommerce payment protection.
For many online merchants, or at least those wrestling with PCI and security
measures to protect the CDE or cardholder data environment, the strident 12
requirements of PCI coupled with serious security budgets and IT infrastructure
has created headaches and handicapped wallets...especially now. For many, as
evidenced in the PCI Knowledge-base's expert’s blog, the arduous compliance
process has become tarnished by a "checklist mentality and ineffective
implementation and enforcement." It can be argued as a best practice in
Ecommerce, or at least in an effort to pass compliance levels, that reducing
risk and documenting to assessors that effective controls are in place exudes
risk management policy, and thereby can help cut costs during the
PCI security experts have been discussing sophisticated elements
of online commerce and their relation to development of both policy and technology.
For instance, with regards to network segmentation and scope, the PCI
Knowledge-base notes that “network segmentation is still not a requirement, for
some reason, but it’s the single action that will save you the most money in
the assessment.” In the PCI 1.2 version, segmentation is discussed and noted as
being adequate along with the appropriate network diagrams if in place. One solution
available to many merchants with the right budget is a variation of a network
monitoring tool. These can “tell you, continuously, of attempts to access specific
network resources.” They can in doing so show the assessor the positive impact
of your network segmentation policy and thereby quantify risk and help cut back
on PCI compliance costs.
Store sampling is another facet of the compliance process
and in PCI 1.2, “the goal of the sampling process is to understand the risks
posed by stores, since many security breaches originate there…” one here must
show the assessor that store policy is commensurate with Ecommerce provider
policy and high levels of consistency are maintained constantly again helping to
reduce risk and cut costs. Again, automated tools can benefit providers here in
an attempt to cut time and costs resources associated with manual configuration
management. The PCI Knowledge-base notes that “the ability to place server configuration
under change control is valuable for both PCI requirement 2, as well as requirement
10.” Automated tools will often justify a smaller sample size thus again reducing
The latest post from the PCI Knowledge-base also delves into
discussion of compensating controls in the Ecommerce eco-system and states that
“while compensating controls are too often used as a PCI cost cutting technique
by merchants, they are really the heart and soul of risk management relative to
PCI…a weak process for documenting and quantifying risk usually shows up in poorly
defined compensating controls, which can cause compliance failure and additional
assessment and technology costs.”
Basically, PCI compliance is an arduous process for any
company regardless of organizational complexity, IT infrastructure and budget
size. Above are just a few methods to try and cut back costs. When selecting an
Ecommerce provider, it helps to do your due diligence and “in PCI 1.2, there is
specific mention of the need to prove due diligence as to risk ‘prior to
engaging’ service provider, and need to prove ongoing ‘monitoring’ of compliance
status.” Keep monitoring policies up to date and maintain a vigilant stance
with regards to data centers. Just because you’re PCI compliant does not mean
that a hardened data center will mandate policy to keep you compliant. Prove to
your data center, your assessor and to your clients that you care about risk. Show
them PCI is an ongoing process and one dedicated to secure online transactions.
The more safely your merchants sell, the more they will appreciate all your
ShopVisible is an Ecommerce solution provider intent on security, integration and SEO.
Ecommerce merchants processing orders and maintaining a website is an immense time-consuming step to growing a business. Grappling with PCI compliance and delving deeper into its origins, existence and proliferation are another daunting task to say the least. Recently the NRF or National Retail Federation issued a merchant survey investigating PCI compliance and small online retailers. Out the polled group, 19% of non-compliant merchants said they had little to no understanding of this payment security process that is becoming increasingly imperative today in Ecommerce. Another 26% stated they lacked “the financial or technical resources to meet the standard, which covers a dozen broad areas from physical and network security to protecting” the CDE or cardholder data environment and maintaining commensurately structured security policies. Interestingly however, 86% of those polled claimed to feel somewhat familiar with PCI and its Ecommerce requirements. A burgeoning problem for many merchants is that PCI standards evolve as do online threats and the emergence of security standards for making online transactions. New requirements are forced upon retailers in an effort to better protect cardholder spending money online. Analogously, PCI is implementing regulatory changes that will also affect payment processors and software providers. In summer 2010, new changes will occur that will dramatically affect both small online merchants and enterprise-size larger retailers alike. -Pending PCI reqs.: any payment software handling cardholder data must comply with the PCI subset, Payment Application Data Security Standard… -Pending PCI reqs.2: imposed by MasterCard, all merchants accepting credit cards online and in particular, those larger companies (level II merchants) must use 3rd party auditors to assess their PCI compliance What does this mean? For starters, smaller merchants will be taking on increased spending in order to remain compliant. Further, larger merchants will have to be assessed by outside parties and done so in a more stringent manner than previous iterations of PCI compliance mandated. So how can merchants, small or large, reduce the heightened cost of Ecommerce and PCI compliance? Internet Retailer and PCI KnowledgeBase advise not to store cardholder information if at all possible. Currently, under the PCI mandates, only “retailer systems, networks, servers, databases and software-that hold cardholder data fall under PCI.” Maintaining a strict and structured distance from the CDE will encourage PCI audit exclusion for Ecommerce merchants, small or large.
***Chart created from
Internet Retailer, “Don’t Look Now.” Don
Davis, Sept. 2009, p. 21***
Annual Transaction Volume
IR's no. of Merchants
6 million cc
1-6 million cc
20,000-1 million cc/Ecommerce payment
under 20,000 Ecommerce; under 1 million total
Rates of Compliance: 1-93% 2-88% 3-57% 4-NA ShopVisible is an Ecommerce solution based in Atlanta, GA.
Securing Ecommerce database information is crucial for service providers and storefront hosts in an effort at preventing hacking and ensuring transparent data transfer. For Ecommerce provider ShopVisible, it is both optimal and advantageous to utilize TDE or Transparent Data Encryption. While processes such as these are blossoming continuously, it seems noteworthy to briefly hit upon past versions of the SQL server as well to better illustrate how Ecommerce protection functions have emerged and where the gaps still exist for things like PCI compliance. SQL 2000: This version carries with it little to no encryption capability; code developers must create unique code for client applications to ensure data encryption. SQL 2005: Here Microsoft procured a new encryption feature at the column level (or cell level) for sensitive data. In this case development applications encrypt the data at the database level, however, some degree of architectural tweaking is still needed internally to modify the process and to work with the 2005 version. SQL 2008: This is where TDE comes into play and for companies like ShopVisible, if client database files were to become corrupted or stolen, Microsoft now has implemented new heightened levels of encryption protection in the Enterprise edition. While the protective features of Transparent Data Encryption can become quite granular, there are several main features to highlight with regards to the ShopVisible Ecommerce platform. -merchant files and related data stored in the database are encrypted with real time IO encryption tools thereby ensuring that in order to restore the database, the user must possess the original encryption certificate and the master key -database level encryption occurs so the users utilize minimal resources for data retention and protection whereas in the past this was an arduously layered process -when working with the SQL 2008 version, there is no need for recoding or reconfiguring encryption applications -ease of implementation… -if in your Ecommerce ecosystem, processes such as database mirroring or log shipping occur naturally, the mutual correspondence between the two databases will be encrypted each and every time log transactions are sent Upon the enabling (or disabling) of TDE, databases are marked as being encrypted and the server will commence a background thread often deemed an “encryption scan” which will then scan and encrypt all database files. Upon completion, all database files on disk become encrypted as will log files written to disk. At the page level database encryption of files is performed then encrypting the pages before they are ever written to disk and decrypted for memory storage. Utilizing TDE will not increase the database encryption size however. Microsoft openly states that when enabling TDE, it is imperative for the user to back up both the certificate and private key related to it. If either of these are lost and not backed up in an appropriate manner database entry will not be possible. Even in the case that TDE is no longer being used in the Ecommerce data transfer process, the encrypting certificate should be held by the developer or technical lead so that other related process can be turned on and off…
ShopVisible is an Atlanta, GA based Ecommerce solution provider intent on security, scalability and reliability.