thePCI Portal

Best Practices for Securing eCommerce Information Supplement

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013.

Its a comprehensive 64 page document.  Useful info for anyone who does or is considering e-commerce. 

A couple of the tidbits that I was glad to be reminded about:

  • Remember your MSSPs!

“The service provider or the services may be considered in scope for a merchant’s PCI DSS compliance if the security of the solution is impacted by this service and the service provider has not performed its own assessment.

Examples of common e-commerce support services that may impact cardholder data security include:  Managed services, including WAF or log-management services”

  • They include flow diagrams, impacts and recommendations for every common (and some uncommon) method of doing ecommerce. I have drawn those flow diagrams very often in meetings and the depiction of the connections that occur directly between the customer browser and the payment service provider (PSP) are always the aha moment for someone.

Section 2.2.3 reminds us why everybody wants to use IFrames: 

At present, a merchant implementing an e-commerce solution that uses IFrames to load all payment content from a PCI DSS compliant service provider may be eligible to assess its compliance using a reduced list of controls identified in SAQ A, the smallest possible subset of PCI DSS requirements, because most of the PCI DSS requirements are outsourced to the PSP.

Ever notice that saying the phrase “smallest possible subset of PCI DSS requirements” is like singing the sweetest song?  

I think a couple coloring errors crept into the final PDF though.  (Coloring was my best subject in kindergarten!  OK, I lie, I was never a good colorer.).


I think the red and green are mixed up above. 


Iframe and URL Redirect are green?  Not even yellow for Iframe?

I think other information in this document makes the case that IFrame should be yellow in this table:

·        “SAQ A for PCI DSS version 3.2 includes additional PCI DSS requirements to address ongoing threats to merchant web servers that redirect customers to third parties for payment processing.”

·        “The IFrame e-commerce method is usually easier for merchants to secure, and results in fewer applicable PCI DSS requirements and lower risk of merchant systems being compromised (although not as low as the redirect method).”

But this is a minor quibble. Great thanks to the members of the SIG group who put this information together (especially the volunteers!)!  It is detailed, accurate, technology current and well presented.

Ad below this line:


Leave a Reply