Office of the AVP & CTO

INFORMATION TECHNOLOGY SECURITY

PCI Auditing

PCI Ecommerce Security

An e-commerce solution comprises the software, hardware, processes, services, and methodology that enable and support online credit card transactions. Merchants choosing to sell their goods and services online can achieve e-commerce payment in various ways: by using their own e-commerce payment software, by using a solution developed by a third party, or by using a combination of both.
Whatever the solution, it will most likely include a variety of technologies to implement e-commerce functionality, including payment processing applications, application programming interfaces (APIs), inline frames (iFrames), or payment pages hosted by a third party. In order to ensure PCI compliance, there are several key considerations to keep in mind regarding the security of cardholder data. Overall, the responsibility for maintaining compliance remains with the merchant, who must ensure that payment card data remains protected. A merchant is also responsible for performing due diligence to ensure that the cardholder data (CHD) is protected in accordance with PCI DSS.

E-commerce Transactions

E-commerce is the use of the Internet to facilitate online transactions for the sale and payment of goods and services. E-commerce falls under the “card-not-present” (CNP) type of payment method and includes:

  1. E-commerce websites accessible from any web browser, including “mobile-device friendly” versions accessible via the browser on smart phones, tablets, and other consumer mobile devices.
  2. “Mobile App” versions of the merchant’s e-commerce website, i.e., apps downloadable to the consumer’s mobile device that have online payment functionality (consumer mobile payments).

Although the merchant may be involved in initiating or triggering the transaction, it is always the cardholder who enters the payment information (i.e., cardholder data) on a website provided by the merchant. Alternatively, the merchant may trigger the sales process by sending the cardholder an e-mail message (i.e., invoicing) with a unique payment URL for them to complete the credit card transaction via the Internet.

Types of E-commerce implementations

There are at least three types of e-commerce implementations:

  1. Merchant-managed e-commerce implementations, which include a proprietary or custom-developed shopping cart/payment application, or an application implementation fully managed by the merchant.
  2. Shared-management e-commerce implementations. These include implementations that make use of a URL redirection to a third-party hosted payment page, an inline frame (or “iFrame”) that allows a payment form hosted by a third party to be embedded within the merchant’s web page(s), embedded content within the merchant’s page(s) using non-iFrame tags, the direct post method, JavaScript forms, or a merchant gateway with a third-party embedded application programming interface (API).
  3. Wholly outsourced e-commerce implementations. These tend to be the most common type of implementation: an external party under contract with the merchant conducts the entire e-commerce payment process and bears the PCI risk and the need for compliance.

PCI DSS Compliance Validation Requirements

At McMaster University, merchants must pass a PCI DSS compliance evaluation in order to become operational. The evaluation consists of various assessments to ensure that appropriate PCI compliance practices are followed. A Report of Compliance will be issued by the evaluator, and Finance will use this report to approve the go-live.

Anti-Fraud Considerations

Whenever possible, e-commerce merchants and/or payment service providers should make use of security measures to prevent fraudulent activity and the theft of valuable cardholder data and sensitive authentication data. These measures can include:

  • Transaction volume limits
  • Brute force detection
  • Email verification
  • Geo verification
  • IP blacklisting/whitelisting
  • HTTP header verification
  • Identity verification
  • Form input validation

Further to the above, encryption must be enforced for all traffic that travels over public networks, as well as for data that temporarily resides in locations such as cache memory or similar.
Web forms should disable autocomplete for fields accepting payment details, as autocomplete may cause the web browser to store a copy of those details after submission.
Form submission should use the “POST” method rather than the “GET” method, as described in the HTTP specification, to prevent proxies and web servers from caching or logging the contents of GET variables or query strings.
Payment forms being developed must avoid the inclusion of any third-party content such as analytics or content optimization components, and/or restrict any third-party content to only that which has been thoroughly vetted and is trusted.
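As an added example (not from this McMaster page), the following JavaScript checker applies the three form-level points above to a page's HTML: the form must submit with POST over HTTPS, card fields must have autocomplete disabled, and any script or iFrame loaded from another origin must come from a vetted host. The sample HTML snippets and the allow-listed gateway host are constructed for illustration.

```javascript
// Static audit of a payment page's markup for the weaknesses listed above.
// Regex-based on purpose: it is a review aid, not an HTML parser.

// Assumed allow-list of vetted third-party origins (constructed value).
const TRUSTED_ORIGINS = ["https://pay.example-gateway.test"];
// Field names that carry cardholder data (assumed naming convention).
const CARD_FIELDS = /\bname=["']?(card_?(number|name|cvv|cvc|exp\w*)|pan|cvv2?)["'\s>]/i;

// Return the value of attribute `name` in a single tag, or null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]*)`, "i"));
  return m ? m[1] : null;
}

// Return a list of human-readable findings; an empty list means no issue found.
function auditPaymentForm(html) {
  const findings = [];
  const tags = html.match(/<(form|input|script|iframe)\b[^>]*>/gi) || [];
  for (const tag of tags) {
    const kind = tag.slice(1).split(/[\s>]/)[0].toLowerCase();
    if (kind === "form") {
      const method = (attr(tag, "method") || "get").toLowerCase(); // HTML default is GET
      if (method !== "post") findings.push(`form submits with ${method.toUpperCase()}, use POST`);
      if ((attr(tag, "action") || "").toLowerCase().startsWith("http://"))
        findings.push("form action is not HTTPS");
    } else if (kind === "input" && CARD_FIELDS.test(tag)) {
      if ((attr(tag, "autocomplete") || "on").toLowerCase() !== "off")
        findings.push(`card field ${attr(tag, "name")} allows autocomplete`);
    } else if (kind === "script" || kind === "iframe") {
      const src = attr(tag, "src");
      if (src && /^https?:\/\//i.test(src)) {
        const origin = new URL(src).origin;
        if (!TRUSTED_ORIGINS.includes(origin))
          findings.push(`third-party ${kind} from unvetted origin ${origin}`);
      }
    }
  }
  return findings;
}

// Constructed samples: a weak form and its hardened counterpart.
const WEAK_FORM = '<form action="https://shop.test/pay" method="get">' +
  '<input type="text" name="cardnumber">' +
  '<script src="https://analytics.example/a.js"></script></form>';
const HARDENED_FORM = '<form action="https://shop.test/pay" method="post">' +
  '<input type="text" name="cardnumber" autocomplete="off">' +
  '<script src="https://pay.example-gateway.test/sdk.js"></script></form>';
```

Running `auditPaymentForm(WEAK_FORM)` reports the GET submission, the autocomplete-enabled card field and the unvetted analytics script, while the hardened form yields no findings.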

Best Practices

  1. Know the location of the cardholder data at all points and times by identifying all the systems involved in the transaction, transmission and storing of CHD.
  2. Avoid storing any data that is not needed.
  3. Be familiar with all the risks associated with the specific technology being used.
  4. Perform periodic security scans of the e-commerce environment.
  5. Perform a pentest of the e-commerce environment at least once a year.
  6. Use firewall rules to restrict access to the network environment where the e-commerce application is being hosted.
  7. Ensure that an anti-virus, anti-malware or XDR solution is present in the environment where the e-commerce application is being hosted.
  8. Ensure that all staff are trained to use the system securely and to monitor, log and report on any alerts related to the e-commerce application.

PCI Incident Reporting

The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard defined by the Payment Card Industry which outlines security requirements for organizations that handle payment card data. Payment cards include credit cards, debit cards and pre-paid cards; payment card data includes:

  • credit cardholder name, account number and expiry date
  • credit card verification or CVV code
  • credit, debit or pre-paid card Personal Identification Number (PIN)
  • information that is stored on the magnetic stripe
  • the card itself

The purpose of the PCI-DSS Standard is to protect individual card holders from identity theft.
For more information about PCI at McMaster University, please visit the Financial Affairs department web site.

Identifying PCI Incidents

Debit and credit card fraud is the most common type of incident and is essentially any attempt to obtain cardholder information with the intent of using that information to complete unauthorized transactions.

Skimming is the term used to describe the theft of credit card information described above. This can be done manually by copying or stealing receipts, or automatically by modifying a point of sale (POS) device. Merchants are advised to always attend closely to their POS devices, and to examine them for modifications daily.

Inappropriate or unauthorized access to PCI virtual terminals (C-VT), hosted pay page (HPP), or to systems hosting payment card data (D) may put cardholder data at risk. IT Security has published guidelines to safeguard the configuration of C-VT, POS or HPP based systems (eCommerce). System administrators are advised to monitor these systems closely for signs of unauthorized access.

Finally, card not present (CNP) is also a high-risk scenario in which a merchant must trust that the transaction is authorized by the card holder without the card being present (i.e., via phone call). Merchants are advised to be cautious and vigilant about verifying the authenticity of the purchaser and their authority to use the information they provide when performing CNP transactions.

Reporting A PCI Incident

Upon detection of a PCI related information security incident, merchants and/or staff are instructed to:

  • NOT log off or power off the affected system!
  • DO take note of pertinent information, including:
      • the time that the suspected incident occurred
      • the condition of the affected system
      • your merchant number

If the incident involves an active physical threat, including theft or tampering with a POS device, report this immediately to:

  McMaster Security Services
  905-525-9140 ext. 24281, or 905-522-4135
  Dial “88” from any University phone

  1. Report the incident, including the information detailed above, directly to Moneris: 1(866) 319-7450 only after the physical threat has been contained.
  2. Report the incident, including the information above, directly to the IT Security team: c-it-security@mcmaster.ca OR (905) 525-9140 x28299 only after it has been reported to Moneris.

If the incident involves a known act of fraud, or tampering with a POS device, C-VT virtual terminal or Hosted Pay Page server:

  1. Report the incident, including the information detailed above, directly to Moneris: 1(866) 319-7450.
  2. Report the incident, including the information above, directly to the IT Security team: c-it-security@mcmaster.ca OR (905) 525-9140 x28299 only after it has been reported to Moneris.

If the incident involves a suspected act of fraud, or tampering with a POS device, C-VT virtual terminal or Hosted Pay Page server, take the following action:

  1. Report the incident, including the information above, directly to the IT Security team: c-it-security@mcmaster.ca OR (905) 525-9140 x28299