thePCI Portal

Category: ecommerce

Cloudy Breach

The Register has a story about a breach at cloudy service supplier Aptos. Aptos has several cloud services. POS in the cloud. Ecommerce in the cloud (didn’t see that one coming!). etc. The timeline of what happened is: Feb 2016 – There was a breach and malware installed in the cloud. Nov 2016 – Aptos…

Best Practices for Securing eCommerce Information Supplement

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. It’s a comprehensive 64-page document. Useful info for anyone who does or is considering e-commerce. A couple of the tidbits…

Redirect, but don’t forget

Thanks to the PCI Guru for bringing this story to my attention with this post. In the continued vein of “Don’t descope your redirecting ecommerce web server!”, the Foregenix Digital Forensics and Incident Response Team talks about some of the risks that remain in your ecommerce payment channel, even if you are redirecting, using…

TLS, SSL and PCI – The links

I got tired of hunting these down regularly. Here are the official TLS and SSL reference links in one spot: SSL/Early TLS: Working with an ASV on Failed Scans http://blog.pcisecuritystandards.org/working-with-an-asv-on-failed-scans INFORMATION SUPPLEMENT Migrating from SSL and Early TLS Version 1.0 Date: April 2015 Author: PCI Security Standards Council – Includes: Preparing a Risk Mitigation and…

Don’t descope your redirecting ecommerce web server!

Another fresh article regarding the risks to consider when implementing a fully redirected e-commerce solution. Benj Hosack writes about something the forensics team at Foregenix have seen. While it discusses a few variants that are not specifically of the SAQ A variety, it has a few relevant examples of risks. And don’t forget about the old paypaul.ca…

Who is a service provider for a SAQ A ecommerce only Merchant?

The Scenario: Low volume ecommerce only merchant. Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced. The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to a PCI DSS validated third-party service provider (the acquirer!). Merchant does…