Many brick-and-mortar merchants maintain some type of e-commerce environment. For those of you experienced in management of PCI, this has obvious implications: assessment of infrastructure, firewalls, web servers, server administration, access controls, cardholder data encryption, storage, retention and transmission, database administration and management procedures, web application development processes, logging/auditing, file integrity monitoring, and physical security of the hosted environment – and that’s just what applies directly to the e-commerce environment. A full PCI assessment of the organization would include significantly more, and would be subject to the architecture and the specific nature of that organization’s business models. Basically, that’s a mouthful for saying that e-commerce would require a lot of work during a PCI assessment.
Some organizations that operate an e-commerce environment might find that it is a significant chunk of their business compared with their retail operations. Others find that it’s a very small part. A brick-and-mortar retailer that sells gift cards on the web is an e-commerce retailer, even if this amounts to less than 1% of their revenue. In my travels, I’ve run across this model of e-commerce operations quite often. In other experiences, I’ve seen the opposite extreme – a mixed retailer that derives a significant portion of their revenue from e-commerce operations such as direct fulfillment, store pickup and personal shopper services. In all cases, the responsibility for protecting cardholder data in the e-commerce environment is the same – and frequently utilizes the same or similar technologies, regardless of scale.
Given the amount of attention that e-commerce operations draw during a PCI assessment (which is not in any way meant to detract from the amount of attention drawn to retail POS systems, back office operations and ancillary systems), it is no wonder that there is lots of conversation around the outsourcing of the e-commerce environment. Like anything else treated by PCI DSS – the workload is dramatically reduced through the reduction in scope. Take e-commerce out of scope, and the organization’s PCI DSS program is free to focus on other areas of compliance.
But what parts of an e-commerce environment may be taken out of scope? And is it possible to take the entire e-commerce environment out of scope? The answer is both: “It depends” and “It varies” just as surely as e-commerce environments themselves both depend and vary according to their architecture. But before we can tackle this, let’s be sure that we understand what an e-commerce environment actually is.
We are all familiar with the large e-tailer environment – the ones with the popular web pages that have categories upon categories of items for sales, shopping carts and secure transaction pages for placing orders. We also touched on the retail sites that allow you to purchase gift cards, or to order merchandise or to pre-order items for in-store fulfillment. Clearly, these are also e-commerce operations. In all of these cases, a website at some point completes a purchase by collecting cardholder data from a buyer and then enters order information into some type of an order fulfillment or an order management system. This much is clear. What is also clear is what most often is NOT an e-commerce site: Any site that does not prompt for payment, and doesn’t allow you to purchase anything. There may be catalog items, and pricing information, even product availability information that lets you look up store stock in real-time – but the site never handles any cardholder data. Lots of content and pretty pictures, perhaps flashy videos, but no cardholder data. No, not within scope of PCI. But what about the web site that has a combination of both? It has all of the flash, the ads, the interactive product guides and also allows for you to purchase items – right from your browser. Definitely an e-commerce site and definitely in scope for PCI? Right? Once again, the answer is “It depends” and “It varies.”
In the next blog post, we will examine the implications of distributing these systems across multiple architectures, and the impact that outsourcing some or all of this will have on the PCI scope.
See you then!
Permalink | Email the Author |
Subscribe to PCI/PA-DSS Compliance Blog |
You can trackback from your own site.