Rachana Desai is Fabric’s vice president of engineering and was previously the director of engineering at Twilio. Before this, she was a senior IT manager at Cisco where she managed a team of 25 people to roll out PCI standards across the organization. She also built online tools that supported digital transactions and payments while maintaining PCI compliance.
We’re grateful that Rachana is part of our team at Fabric and, as creators of e-commerce software, we wanted to pick her brain on how e-commerce businesses can achieve PCI compliance. After all, if you’re a fast-growing e-commerce business and new to PCI compliance, the PCI Security Standards Council website can be overwhelming.
To get a crash course on e-commerce PCI compliance and broader security best practices for e-commerce businesses, you can listen to the Coffee + Commerce episode featuring Rachana and get key takeaways from the episode below.
How do you start to secure e-commerce?
Start with the OWASP Top 10 list to secure your frontend storefront. Then ask the third parties that run your checkout and payment systems whether they are PCI compliant.
PCI compliance is just one aspect of securing e-commerce. There are other areas you need to look at, including injection flaws, broken authentication, and sensitive data exposure. These are covered by the OWASP Top 10, which lists the most common web application security risks and how to minimize them. If you are just starting to think about how to secure e-commerce, start with this list. It is especially helpful for the frontend storefront layer and the APIs that sit behind it.
PCI compliance comes into play when you are securing checkout and payments. Since most of this functionality is handled by third-party providers, verify with them that they are PCI compliant, or at least taking the steps necessary to become compliant. On the other hand, if cardholder data is stored, processed, or transmitted on your own systems, those systems are in PCI DSS scope and you will need to pursue compliance yourself.
Are third party payment gateways PCI compliant by default?
Not necessarily. Ask them for their PCI compliance and security documents. Also check their public API docs to confirm that card data is encrypted in transit and tokenized before it ever reaches your own servers.
Using payment gateways like Stripe is popular because you can push most of the PCI compliance burden onto the provider: with a hosted payment page or the provider's own form fields, the customer's card number goes straight from the browser to the gateway and your servers only ever see a token. Most providers publish an Attestation of Compliance (AOC) on their website that validates their PCI DSS assessment, along with steps for securely integrating your digital storefront with their systems. That said, do not assume that a payment gateway or any other third party is PCI compliant. In addition to checking their public documentation, ask the provider for their internal security and PCI compliance documentation. Any third party handling sensitive information like credit card details and customer data should at least have this.
How should you start rolling out PCI compliant practices?
Start with data validation and ingestion on the frontend, since that is the most exposed surface area.
Make sure personally identifiable information (PII) such as a customer's address is only accepted over an encrypted channel (TLS) and, if it is stored, is encrypted with strong cryptography. PCI DSS formally scopes cardholder data, but applying the same controls to other PII is the safest default. In addition, make PCI compliant practices part of your software development life cycle (SDLC). Many e-commerce businesses think about security only after rolling out new features or feature enhancements, but it should be an initial step in the SDLC, especially for businesses using microservices and custom applications.
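One concrete check that ties the two points above together (tokenization "in play" with your gateway, and validating what the frontend sends to you): a guard on your own checkout endpoint that refuses any request body carrying a raw card number. If the gateway integration is working as intended, the only payment value your server should ever receive is the gateway's token. This is an added example, not code from the article or from any gateway; the request shapes, field names and the `tok_` token format are assumptions for illustration.

```javascript
// Added example (not from the original article): a guard that makes sure raw card
// numbers (PANs) never reach your own servers when a tokenizing payment gateway is in
// use. Field names and the sample payloads below are constructed for illustration.

// Luhn check: every real PAN passes it, so it filters out order IDs, phone numbers
// and other long digit strings that merely look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
// A PAN embedded inside a longer run of digits is deliberately not matched.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the Luhn-valid card numbers found in a string, digits only.
function findPans(text) {
  const hits = [];
  for (const m of text.match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Truncate for logging the way PCI DSS permits on display: first six, last four.
function mask(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Walk a parsed JSON body and report every field that looks like it carries a PAN.
function scanBody(body, path = '') {
  const findings = [];
  if (typeof body === 'string' || typeof body === 'number') {
    for (const pan of findPans(String(body))) findings.push({ path, pan: mask(pan) });
  } else if (body && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      findings.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  }
  return findings;
}

// The checkout endpoint should only ever see the gateway's token, never the PAN.
// Returns { ok: true } or { ok: false, findings } so the caller can reject the
// request with a generic error and raise an alert: a hit here means the frontend
// integration is sending card data to the wrong place and your PCI scope just grew.
function checkCheckoutPayload(body) {
  const findings = scanBody(body);
  return { ok: findings.length === 0, findings };
}

// Constructed sample requests: a correct tokenized checkout and a broken one.
const tokenizedCheckout = {
  token: 'tok_abc123',
  amount: 4999,
  orderId: '1234567890123456',               // 16 digits but fails Luhn: not a PAN
  shipping: { zip: '98101', phone: '206-555-0100' },
};
const leakingCheckout = {
  card: { number: '4111 1111 1111 1111', exp: '12/29' },  // test PAN, passes Luhn
  amount: 4999,
};

console.log(checkCheckoutPayload(tokenizedCheckout));
console.log(checkCheckoutPayload(leakingCheckout));
```

Run this as a middleware in front of every route that is not supposed to handle card data, and point the same scanner at your application logs: a PAN showing up in a log line is one of the most common ways an otherwise tokenized integration falls back into full PCI DSS scope.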
What are PCI security considerations for headless commerce?
Headless commerce is the practice of separating the frontend storefront from the backend commerce services and APIs. To complement the PCI compliant services on the backend, you must also ensure security on the frontend.
When developing a digital storefront, you need to take security measures into account that will help you reach PCI compliance. For example, when a customer enters their credit card information and the transaction fails because the ZIP code does not match the billing address, the backend API will reject the transaction. But to prevent card fraud on the frontend, do not show a specific message saying the ZIP code is wrong. A message like that tells someone holding a stolen card number that the number, expiry, and security code were accepted and only the billing address still needs guessing, which is exactly what card-testing scripts look for. Instead, return one generic message saying that some of the payment details are invalid, and keep the detailed decline reason in your server-side logs.
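The ZIP code example above, as an added example that is not part of the original article: a small handler that takes the gateway's detailed decline result, logs it in full on the server, and returns one identical message to the browser for every kind of decline. It also counts failed attempts per checkout session and cuts the session off after a few, since repeated declines with varying details are the signature of card testing. The gateway result shape (`approved`, `code`, `avsResult`, `cvcResult`, `ref`) and the attempt limit are assumptions.

```javascript
// Added example (not from the original article): collapse a payment gateway's
// detailed decline reason into one generic customer-facing message and keep the
// detail in the server-side log. The gateway result shape, the reason codes and
// the attempt limit are assumptions for illustration.

const GENERIC_DECLINE =
  'Some of the payment details you entered could not be verified. Please check them and try again.';
const BLOCKED_MESSAGE = 'We could not complete this order. Please contact customer support.';
const MAX_FAILED_ATTEMPTS = 3; // assumed limit before the checkout session is cut off

// Failed attempts per checkout session. An in-memory map is fine for one process;
// a real deployment would use a shared store (keyed by session, IP and card
// fingerprint) so the limit holds across instances.
const failedAttempts = new Map();

function handlePaymentResult(sessionId, gatewayResult) {
  // Everything the gateway told us goes to the log, never to the browser.
  const logEntry = {
    sessionId,
    gatewayRef: gatewayResult.ref,
    code: gatewayResult.code,          // e.g. 'avs_zip_mismatch', 'cvc_mismatch'
    avsResult: gatewayResult.avsResult,
    cvcResult: gatewayResult.cvcResult,
  };

  if (gatewayResult.approved) {
    failedAttempts.delete(sessionId);
    return {
      status: 'approved',
      customerMessage: 'Thank you, your payment was approved.',
      logEntry: { ...logEntry, outcome: 'approved' },
    };
  }

  const attempts = (failedAttempts.get(sessionId) || 0) + 1;
  failedAttempts.set(sessionId, attempts);
  logEntry.attempts = attempts;

  if (attempts >= MAX_FAILED_ATTEMPTS) {
    // Repeated declines in one session look like card testing: stop serving the
    // form rather than letting the caller keep refining the billing address.
    return { status: 'blocked', customerMessage: BLOCKED_MESSAGE, logEntry: { ...logEntry, outcome: 'blocked' } };
  }

  // One message for every decline. "Your ZIP code is wrong" would confirm that the
  // card number, expiry and CVC were accepted and only the address is still off.
  return { status: 'declined', customerMessage: GENERIC_DECLINE, logEntry: { ...logEntry, outcome: 'declined' } };
}

// Review-time guard: a customer-facing message must not name a verification
// field or echo a gateway reason code.
function leaksDeclineDetail(message) {
  return /zip|postal|avs|cvc|cvv|expir|card number|_/i.test(message);
}

// Constructed sample: a card tester working through the billing address.
const session = 'sess-demo';
console.log(handlePaymentResult(session, { approved: false, code: 'avs_zip_mismatch', avsResult: 'N', cvcResult: 'M', ref: 'ch_1' }));
console.log(handlePaymentResult(session, { approved: false, code: 'avs_street_mismatch', avsResult: 'N', cvcResult: 'M', ref: 'ch_2' }));
console.log(handlePaymentResult(session, { approved: false, code: 'avs_zip_mismatch', avsResult: 'N', cvcResult: 'M', ref: 'ch_3' }));
```

The important property is that the two declined responses are byte-for-byte identical from the browser's point of view, while the log entries differ; a regression test that compares `customerMessage` across every reason code, and one that runs `leaksDeclineDetail` over every string the checkout can return, keeps a later "helpful" error message from reintroducing the leak.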
Which component of PCI should e-commerce businesses focus on?
There are many acronyms and standards on the PCI Security Standards Council site. Do not get overwhelmed. Focus your attention on PCI DSS.
Start with the PCI Data Security Standard (DSS): Requirements and Security Assessment Procedures. This is the core standard that everything else hangs off. Its twelve requirements cover network security, protecting stored cardholder data, encrypting cardholder data in transit, secure development, access control, logging and monitoring, and regular testing. How much of it you have to demonstrate depends on how card data flows through your business: a merchant that fully outsources card handling to a compliant provider validates with a much shorter Self-Assessment Questionnaire than one whose own systems touch card numbers. Beyond this extensive document, also check out the Getting Started with PCI page for merchants. It walks you through everything you need to do at a high level and links out to more detailed resources.
When should e-commerce businesses start thinking about PCI compliance?
Incorporate PCI compliant security measures into your SDLC as soon as possible. But if you have already rolled out your e-commerce channels, look at how much fraud-related activity is costing you.
What else should e-commerce businesses know about PCI compliance?
Don’t forget about account identity, and ask nascent providers for their certifications.
Make account identity features part of your review against PCI standards: strong authentication, sound session management, and protection of stored credentials, so that an attacker cannot take over a customer's account and use a saved payment method or harvest their data. Also, if you are working with nascent e-commerce platforms or e-commerce SaaS, ask for their PCI compliance certifications and their SOC 2 reports. This is important since these third parties are holding your customers’ data in their environments. Again, if they do not have these certifications, they should at least be working toward getting them.