NetSPI Information Security Consulting
NetSPI Blog

Posts Tagged ‘pci security’

What Happens When a Merchant Outsources Their e-Commerce Environment? Part I

Monday, April 5th, 2010

Many brick-and-mortar merchants maintain some type of e-commerce environment. For those of you experienced in management of PCI, this has obvious implications: assessment of infrastructure, firewalls, web servers, server administration, access controls, cardholder data encryption, storage, retention and transmission, database administration and management procedures, web application development processes, logging/auditing, file integrity monitoring, and physical security of the hosted environment – and that’s just what applies directly to the e-commerce environment. A full PCI assessment of the organization would include significantly more, and would be subject to the architecture and the specific nature of that organization’s business models. Basically, that’s a mouthful for saying that e-commerce would require a lot of work during a PCI assessment.

Some organizations that operate an e-commerce environment might find that it is a significant chunk of their business compared with their retail operations. Others find that it’s a very small part. A brick-and-mortar retailer that sells gift cards on the web is an e-commerce retailer, even if this amounts to less than 1% of their revenue. In my travels, I’ve run across this model of e-commerce operations quite often. In other experiences, I’ve seen the opposite extreme – a mixed retailer that derives a significant portion of their revenue from e-commerce operations such as direct fulfillment, store pickup and personal shopper services. In all cases, the responsibility for protecting cardholder data in the e-commerce environment is the same – and frequently utilizes the same or similar technologies, regardless of scale.

Given the amount of attention that e-commerce operations draw during a PCI assessment (which is not in any way meant to detract from the amount of attention drawn to retail POS systems, back office operations and ancillary systems), it is no wonder that there is lots of conversation around the outsourcing of the e-commerce environment. Like anything else treated by PCI DSS – the workload is dramatically reduced through the reduction in scope. Take e-commerce out of scope, and the organization’s PCI DSS program is free to focus on other areas of compliance.

But what parts of an e-commerce environment may be taken out of scope? And is it possible to take the entire e-commerce environment out of scope? The answer is both: “It depends” and “It varies” just as surely as e-commerce environments themselves both depend and vary according to their architecture. But before we can tackle this, let’s be sure that we understand what an e-commerce environment actually is.

We are all familiar with the large e-tailer environment – the ones with the popular web pages that have categories upon categories of items for sales, shopping carts and secure transaction pages for placing orders. We also touched on the retail sites that allow you to purchase gift cards, or to order merchandise or to pre-order items for in-store fulfillment. Clearly, these are also e-commerce operations. In all of these cases, a website at some point completes a purchase by collecting cardholder data from a buyer and then enters order information into some type of an order fulfillment or an order management system. This much is clear. What is also clear is what most often is NOT an e-commerce site: Any site that does not prompt for payment, and doesn’t allow you to purchase anything. There may be catalog items, and pricing information, even product availability information that lets you look up store stock in real-time – but the site never handles any cardholder data. Lots of content and pretty pictures, perhaps flashy videos, but no cardholder data. No, not within scope of PCI. But what about the web site that has a combination of both? It has all of the flash, the ads, the interactive product guides and also allows for you to purchase items – right from your browser. Definitely an e-commerce site and definitely in scope for PCI? Right? Once again, the answer is “It depends” and “It varies.”

In the next blog post, we will examine the implications of distributing these systems across multiple architectures, and the impact that outsourcing some or all of this will have on the PCI scope.

See you then!


The Far-Reaching Impact of the PCI DSS

Thursday, August 6th, 2009

The last few years have seen a great deal of discussion, arguing, hand-wringing, and posturing within the retail / hospitality community regarding the PCI DSS. It has also driven a lot of investment in technology–and a lot of investment by technology companies.

Then PA-DSS came along. The PCI Council took a voluntary program (PABP) and turned it into a robust, mandatory security standard, the impact of which is still being absorbed by software vendors that provide solutions to retail and hospitality merchants. Again, there was much hand-wringing, posturing, and general frustration (this time from the vendors).

The remarkable thing to me is the degree to which, until very recently, this consternation over PCI and its applicability and requirements has largely been isolated to the retail / hospitality community. Slowly, the rest of the business world is waking up to the fact that PCI reaches far beyond retail. Electronic currency (i.e., debit and credit) is not a payment mechanism isolated to any one vertical; instead, it’s increasingly used by consumers in all aspects of their spending.

This realization 'process' looks an awful lot like the classic grieving process–denial, anger, bargaining, depression, and finally, acceptance–and is the same process that the retail community has gone through for the last five years (for L1 & L2 merchants I think we’ve pretty much gotten to the acceptance stage). A lot of hospitals, higher education organizations, healthcare technology firms, and the like are really just beginning this process – denial is still a big part of the conversations that we have with these organizations.

Now, this is certainly not a universal situation. NetSPI is working with some very forward-thinking, security-focused organizations on PCI and related security initiatives, but it’s common enough to note and it’s where we spend a lot of time working to educate the broader community. Luckily, we have a lot of experience with these other industries and can help our clients work through this process with more than just a retail/hospitality perspective.

The fact that other standards are also applicable in some instances may be causing some of the difficulty in accepting the fact that PCI is important and applies. HIPAA, for example, has security requirements to protect personal health information. I have had numerous conversations about PCI with companies in healthcare that have sounded something like “I have to adhere to the HIPAA security standards, so I’m covered.” Actually, if you take credit card payments, and you are just worrying about HIPAA’s security requirements, you have a serious problem.

Anyone that takes or manages electronic payments–healthcare providers, lawn care companies, hospitals, insurance companies, doctor’s offices, accounting firms, tax preparation services, plumbers, event scheduling services, etc, etc, etc, etc.–is subject to PCI’s requirements. The software vendors that service and support all of these industries and handle PCI-relevant information within their solution are also subject to PCI’s requirements (via PA-DSS).

So my advice – learn to accept PCI and take the steps today that will help make compliance more efficient and improve overall security. Find a partner that is focused on PCI guidance, not just auditing. Make sure that they understand your industry, ask good questions that go beyond the scope of compliance, and give you honest feedback.

If you accept electronic payments, PCI applies to you. If you are in denial, you need to move through your grieving process quickly so that you can make critical decisions and take the actions required to protect your organization and minimize risk.
