While online retail isn’t a new phenomenon, many retailers are still behind when it comes to proper security measures for this form of business. With fraud claims and chargebacks rising sharply in 2021 due to quarantine and the surge in online customers, the PCI DSS eCommerce security measures discussed here are only becoming more necessary, not less. The landscape for retail cybersecurity is changing, and technology and business operations must continually change with it.
Here, we’ll discuss some of the attack surfaces that retailers face, and why compliance with frameworks like PCI DSS is so important.
PCI DSS eCommerce Security for Point-of-Sale Systems
Traditionally, Point of Sale (POS) systems are meant simply to process payments and help employees take orders or purchases from customers. With cloud platforms for retailers and streamlined connections between POS systems, online catalogs and storefronts, and off-site databases, however, attackers increasingly target POS systems directly, either compromising them or tricking them into accepting fraudulent transactions.
While POS devices are typically used during purchases where the consumer is present at the point of sale, malware and other malicious software can compromise devices that read, process, store or transmit protected card data. This is particularly the case if the POS system runs a common operating system without proper security measures or patches installed.
For example, the MalumPOS malware, discovered in 2015, infiltrates POS systems built on Oracle MICROS and scans for connected payment processing devices in order to steal credit and debit card data. It scrapes card data from the memory of the infected system and transmits it to the attacker, who can then use that cardholder’s information to attempt to steal funds from the card.
While in-person transactions might seem safe, they aren’t foolproof. Merchants without the proper security measures in place could be putting consumer information at risk.
Online Cybersecurity for Card Not Present (CNP) Transactions
While there are some threats to in-person POS terminals, the large majority of credit card theft and fraud occurs through CNP transactions at online terminals. There are a few reasons for this:
- The card isn’t present. This goes without saying, perhaps, but it’s important to note that a completely different set of concerns applies to CNP transactions. For example, anyone with a card number (usually a stolen one) can enter it in an online shopping portal without holding the physical card. Likewise, it’s harder for merchants to dispute these transactions when fraud or chargebacks occur because there is no physical verification of the card.
- There is no additional security from a chip reader. Many POS terminals and card readers use EMV chip readers that provide additional protection against fraud. Some technologies approximate this for online purchases, but it isn’t the same.
- Data lost or stolen in transit. While it isn’t the most common threat, it is still possible for attackers to intercept and steal information sent during a transaction if that information isn’t encrypted properly. This risk is greater when transaction traffic moves between a website and a server or an additional cloud service.
With that in mind, PCI DSS requires specific controls and safeguards in place for CNP transactions:
- Use HTTPS and other secure methods for data transmission. When handling the transmission of private credit or banking data from a customer, ensure that any time that data moves, it is encrypted. If you are accepting payments via the web, use SSL certificates and HTTPS. If you are handling credit information in the background, then using some form of SSL, SFTP, or TLS (at the newest version your systems support) will help you protect data and stay compliant.
- Use strong encryption for stored card data. If you save customer payment data for repeat purchases or recurring billing, encrypt it with at least AES-256.
- Don’t store card data if possible. If you don’t have to store credit card data, then don’t. This isn’t an option for most online merchants, but if it is, take advantage of it.
- Secure any back-end CMS software you use. Many CMS services run in the cloud and handle private customer data, which means they need compliant encryption in place to protect that data. Furthermore, your employees need training to handle this data, and your Identity and Access Management (IAM) software needs clearly defined user permissions in place.
Many of these items also carry over to in-person commerce, but they are especially important for online transactions.
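As an added example of the two storage controls above (encrypt stored card data with at least AES-256, and keep as little of it as possible), the following Go code is not from this post or from Continuum GRC: it persists only the last four digits in the clear and seals the full PAN with AES-256-GCM. The 32-byte key is assumed to come from a KMS or HSM, and the 13 to 19 digit PAN length range is an assumption made in the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredCard: only the last four digits in the clear, the full PAN as AES-256-GCM ciphertext.
type StoredCard struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte
}
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // a 32-byte key selects AES-256; shorter keys would silently downgrade
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key size validated above
	return cipher.NewGCM(block)
}
// EncryptPAN seals the PAN under a fresh random nonce. Last4 is bound as
// associated data, so a ciphertext cannot be swapped onto another record.
func EncryptPAN(key []byte, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 { // assumed PAN length range
		return StoredCard{}, errors.New("PAN length out of range")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	last4 := pan[len(pan)-4:]
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(last4))
	return StoredCard{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}
// DecryptPAN recovers the PAN; any change to nonce, ciphertext or Last4 fails
// GCM authentication and returns an error rather than garbage.
func DecryptPAN(key []byte, rec StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Last4))
	return string(pt), err
}
```

Only the key holder can recover the PAN, so a copied database row exposes nothing beyond the last four digits.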
Physical and Administrative Security Controls in PCI DSS eCommerce
Even with eCommerce, cardholder data has to travel through and reside in physical locations. Under PCI DSS eCommerce requirements, merchants still have to provide the necessary physical controls and administrative security measures for their technology to prevent unauthorized access:
- Restrict physical access to servers and workstations: Any location containing private cardholder data should have clear protections against unauthorized access, including locks or entry keypads on server rooms, identification badges, video cameras, and so on. No employee should have unrestricted access to private card data, and there should be no gap in surveillance for anyone working physically with machines storing that data.
- Have procedures and technologies to authorize visitors: Any personnel visiting a data center should be logged and observed and have restricted access to server rooms or workstations where credit card data is stored.
- Inventory all media: This includes cataloging and controlling access to hard drives, disks, or CD-based media. It also includes having procedures in place to destroy such media effectively after it is retired from use; this applies equally to hard disks and even to handwritten notes on a sticky note. It also means ensuring all records from online and offline sales are secured. Finally, control any media distribution within your organization and with any partners or vendors.
- Provide clear documentation of administrative protocols for the storage, destruction, and handling of data: Your procedures for managing credit data should be clear, written down, and kept current.
These requirements apply to both physical transactions and CNP online transactions. However, it can be easy to forget that even an online CNP transaction generates records, data, and a paper trail of private information. As such, merchants meeting PCI DSS compliance standards must use proper security to process and store customer credit card information from the point of sale onward.
PCI DSS might not be required by law, but if you’re processing credit cards with any major card network, you’re running up against PCI DSS. This is just as true for online merchants as physical brick-and-mortar retailers… and, in reality, we can admit that in 2021, any retailer is probably an online merchant.
If you want to learn more about meeting PCI DSS eCommerce standards for your online or physical store, or preparing for the upcoming PCI DSS 4.0 update planned for 2021, call Continuum GRC at 1-888-896-6207 or contact us with the form below.