E-commerce companies are increasingly relying upon third-party service providers to assist with processing credit card transactions. Outsourcing this activity can help ease the burdens of processing and securing transactions, as well as implementing many PCI DSS compliance requirements.
The merchant always bears final responsibility for compliance.
In response to this trend, the Payment Card Industry Security Standards Council recently released the PCI DSS E-commerce Guidelines that provide merchants with a clear path to PCI DSS compliance.
The primary focus of these guidelines is ensuring that merchants understand the risks associated with outsourcing. Outsourced payment-processing environments are vulnerable to all of the same Web security risks facing in-house implementations, including SQL injection, cross-site scripting, cross-site request forgery and security misconfigurations. The guidelines ensure that merchants select compliant service provider partners and clearly delineate the responsibilities for PCI DSS compliance that rest with the merchant and those that rest with the service provider.
Selecting a service provider
PCI-compliant e-commerce merchants may use a variety of service providers in their cardholder data processing environment. In many cases, the merchant elects to use an e-commerce payment gateway service, such as PayPal or Authorize.Net, to facilitate payment card transactions. This may involve interfacing directly with the merchant's shopping cart software. Merchants may also contract with Web hosting providers, such as FireHost or Terremark, to host software developed or purchased by the merchant. Finally, the merchant may use Infrastructure-as-a-Service providers such as Amazon Web Services or Rackspace to provide access to scalable computing resources.
In any of these scenarios, the e-commerce merchant is responsible for ensuring that it uses a PCI-DSS-compliant service provider and that the provider is contractually bound to maintain compliance. There are two options to fulfill this requirement: the easy way and the hard way.
In the easy approach, the merchant simply verifies that the service offering is listed on the Visa Global Registry of Service Providers. These providers have already had a Qualified Security Assessor validate their PCI DSS compliance and submitted the resulting documentation to Visa for review. Not surprisingly, merchants often choose this option. In the hard case, the merchant can take responsibility for performing the verification itself, either by inspecting PCI DSS compliance reports provided by the service provider, or including the provider's infrastructure as part of the scope of the merchant's own PCI DSS compliance verification. Large organizations with more specific or complex payment-processing needs may have to go this route.
Understanding PCI e-commerce responsibilities
The division of responsibilities for the implementation of PCI DSS controls varies depending upon the nature of the service provided. However, it is important to remember that the merchant always bears final responsibility for compliance. In other words, "The buck stops here." In the words of the guidance document, "the merchant is ultimately responsible for ensuring that each service provider protects the integrity and confidentiality of the payment card data that is being stored, processed, or transmitted on the merchant's behalf."
In the simplest scenario, the e-commerce merchant outsources all card-processing activities to a service provider. This might take the form of the merchant using HTML iFrames to pull the payment processing pages into its website from the service provider's Web server. In this scenario, the merchant never interacts with credit card information and the bulk of the PCI DSS compliance responsibility rests with the service provider. If the merchant selects a validated service provider and implements the payment process in accordance with the merchant's instructions, the majority of security controls must be implemented by the service provider. Many merchants in this category are eligible to use the fastest path to compliance validation: Self-Assessment Questionnaire A (SAQ A).
In situations where the merchant manages the e-commerce transaction processing, such as through custom-developed payment applications or a self-hosted commercial payment application, the merchant bears full responsibility for complying with PCI DSS. There is no service provider in the mix, and the full burden of PCI DSS compliance rests on the shoulders of the merchant.
Many merchants don't use a scenario that fits into one of these black-and-white categories and choose a hybrid approach to e-commerce that involves some management by the merchant along with the involvement of a service provider. For example, a merchant might purchase Web hosting from a service provider and use that hosting service to implement a custom shopping cart application. In this scenario, the merchant and service provider share responsibility for PCI DSS compliance. The service provider must operate a network, data center and Web-hosting platform that comply with PCI DSS, while the merchant must build and operate a PCI-DSS-compliant shopping cart application on top of the compliant infrastructure offered by the service provider.
PCI DSS compliance for wholly outsourced environments
It's important to remember that a PCI e-commerce merchant never escapes responsibility for PCI DSS compliance and must take some actions, even in wholly outsourced environments. For example, the merchant is always responsible for ensuring that it uses only PCI-DSS-compliant service providers. That not only means choosing a compliant vendor from Visa's above-mentioned list, but also verifying that any chosen providers remain on the list. All merchants must also implement policies and procedures for managing those service provider relationships. If the merchant does come in direct contact with cardholder information, it must ensure that the scope of those activities is complaint with PCI DSS. Finally, the merchant must submit compliance verification materials (normally in the form of SAQ D) to its merchant bank on an annual basis.
Cloud service providers offer tremendous potential to simplify the cardholder data environments of many e-commerce merchants. Merchants that carefully select PCI-DSS-compliant providers may realize significant savings in both direct costs and the time spent on security and compliance activities. Merchants must, however, ensure that they verify and monitor the service provider's compliance status.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in June 2013