Skip to McMaster Navigation Skip to Site Navigation Skip to main content
McMaster logo

Office of the AVP & CTO


PCI Auditing

Information Box Group

PCI Ecommerce Security

An e-commerce solution comprises the software, hardware, processes, services, and methodology that enable and support online credit card transactions. Merchants choosing to sell their goods and services online might choose various methods to achieve their own e-commerce payment such as either using their own e-commerce payment software, use a third-party developed solution, or use a combination of both.
Whatever the solution, this most likely include a variety of technologies to implement e-commerce functionality, including payment processing applications, application-programming interfaces (APIs), inline frames (iFrames), or payment pages hosted by a third party. In order to ensure PCI compliance, there are several key considerations to keep in mind regarding the security of cardholder data. Overall, the responsibility of maintaining compliance remains with the merchant in ensuring that payment card data remains protected. A merchant is also responsible for performing due diligence to ensure that the CHD is protected in accordance with PCI DSS.

E-commerce Transactions

E-commerce is the use of the Internet to facilitate online transactions for the sale and payment of goods and services. E-commerce falls under the “card-not-present” (CNP) type of payment method and includes:

  1. E-commerce websites accessible from any web browser, including “mobile-device friendly” versions accessible via the browser on smart phones, tablets, and other consumer mobile devices.
  2. “Mobile App” versions of the merchant’s e-commerce website, i.e., apps downloadable to the consumer’s mobile device that have online payment functionality (consumer mobile payments).

Although the merchant may be involved in initiating or triggering the transaction, it is always the cardholder the one who enters the payment information (i.e., cardholder data) on a website provided by the merchant. Alternatively, the merchant may trigger the sales process by sending the cardholder an e-mail message (i.e., invoicing) with a unique payment URL for them to complete the credit card transaction via the Internet.

Types of E-commerce implementations

There are at least 3 types of e-commerce implementations :

  1. Merchant-managed e-commerce implementations that include proprietary or custom-developed shopping cart/payment application or an application implementation fully managed by the merchant.
  2. Shared-management e-commerce implementations. These include implementations that make use of a URL redirection to a third-party hosted payment page, an inline Frame (or “iFrame”) that allows a payment form hosted by a third party to be embedded within the merchant’s web page(s), embedded content within the merchant’s page(s) using non-iFrame tags, direct post method, javaScript forms or a merchant gateway with a third-party embedded application programming interface (API).
  3. Wholly outsourced e-commerce implementations. These tend to be the most common type of implementations where an external party in contract with the merchant conducts the entire process of ecommerce payment and bears the PCI risk and the need for compliance.

PCI DSS Compliance Validation Requirements

At McMaster University merchants must pass a PCI DSS compliance evaluation in order to become operational. The evaluation consists of various assessments to ensure that appropriate PCI compliance practices are followed. A Report of Compliance will be issued by the evaluator and this will be used by Finance to approve the go-live.

Anti-Fraud Considerations

Whenever possible, ecommerce merchants and/or payment service providers should make use of security measures to prevent fraudulent activity and valuable cardholder data and sensitive authentication data from being stolen. These measures can be:

  • Transaction volume limits
  • Brute force detection
  • Email verification
  • Geo verification
  • IP blacklisting/whitelisting
  • HTTP header verification
  • Identity verification
  • Form input validation

Further to the above, encryption of all traffic that travels over public networks must be enforced as well as data that temporarily resides on locations such as cache memory or similar.
Web forms should disable autocomplete for fields accepting payment details, as this may cause the web browser to store a copy of those details after submission.
Form submission should use “POST” methods rather than “GET” methods, as described in the HTTP specification to prevent proxies and web servers to cache or log the contents of GET variables or query strings.
Payment forms being developed must avoid the inclusion of any third-party content such as analytics or content optimization components and/or restrict any third-party content to only that which has been thoroughly vetted and is trusted.

Best Practices

  1. Know the location of the cardholder data at all points and times by identifying all the systems involved in the transaction, transmission and storing of CHD.
  2. Avoid storing any data that is not needed.
  3. Be familiar with all the risks associated with the specific technology being used.
  4. Perform periodic security scans of the e-commerce environment.
  5. Perform a pentest of the e-commerce environment at least once a year.
  6. Use firewall rules to restrict access to the network environment where the e-commerce application is being hosted.
  7. Ensure that an anti-virus, anti-malware or XDR solution is present on the in the environment where the e-commerce application is being hosted.
  8. Ensure that all staff is trained to use the system securely and monitor, log and report on any alerts related to the e-commerce application.

PCI Incident Reporting

Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard defined by the Payment Card Industry which outlines security requirements for organizations that handle payment card data. Payment cards include credit cards, debit cards and pre-paid cards; payment card data includes:

credit cardholder name, account number and expiry date
credit card verification or CVV code
credit, debit or pre-paid card Personal Identification Number (PIN)
information that is stored on the magnetic stripe
the card itself
The purpose of the PCI-DSS Standard is to protect individual card holders from identity theft.
For more information about PCI at McMaster University, please visit the Financial Affairs department web site.

Identifying PCI Incidents

Debit and credit card fraud is the most common type of incident and is essentially any attempt to obtain cardholder information with the intent of using that information to complete unauthorized transactions.

Skimming is the term used to describe the theft of credit card information described above. This can be done manually by copying or stealing receipts, or automatically by modifying a point of sale (POS) device. Merchants are advised to always attend closely to their POS devices, and to examine them for modifications daily.

Inappropriate or unauthorized access to PCI virtual terminals (C-VT), hosted pay page (HPP), or to systems hosting payment card data (D) may put cardholder data at risk. IT Security has published guidelines to safeguard the configuration of C-VT, POS or HPP based systems (eCommerce). System administrators are advised to monitor these systems closely for signs of unauthorized access.

Finally, card not present (CNP) is also a high risk scenario in which a merchant must trust that the transaction is authorized by the card holder without the card being present(i.e. via phone call). Merchants are advised to be cautious and vigilant about verifying the authenticity and authority of the purchaser to use the information they provide when performing CNP transactions.

Reporting A PCI Incident

Upon detection of a PCI related information security incident, merchants and/or staff are instructed to:
NOT logoff or power off the affected system!
DO take note of pertinent information, including:

the time that the suspected incident occurred
the condition of the affected system
your merchant number
If the incident involves an active physical threat, including theft or tampering with a POS device, report this immediately to:

McMaster Security Services
905-525-9140 ext 24281, or 905-522-4135
Dial “88″ from any University phone

Report the incident, including the information detailed above, directly to Moneris: 1(866) 319-7450 only after the physical threat has been contained.
Report the incident, including the information above, directly to the IT Security team: OR (905) 525-9140 x28299 only after it has been reported to Moneris.
If the incident involves a known act of fraud, or tampering with a POS device, C-VT virtual terminal or Hosted Pay Page server:

Report the incident, including the information detailed above, directly to Moneris: 1(866) 319-7450.
Report the incident, including the information above, directly to the IT Security team: OR (905) 525-9140 x28299 only after it has been reported to Moneris.
If the incident involves a suspected act of fraud, or tampering with a POS device, C-VT virtual terminal or Hosted Pay Page server, take the following action:

Report the incident, including the information above, directly to the IT Security team: OR (905) 525-9140 x28299