The objective of PCI is to decrease the probability of an attacker stealing credit card data from an e-commerce transaction.

Banks make it convenient for us to pay cashlessly by credit card because it is an incredibly profitable business for them, especially since the burden of protecting sensitive cardholder data has been shifted to the merchants.

With PCI, the responsibility of protecting a customer’s valuable information is now firmly placed on the shoulders of the merchants.

In recent years, two types of attacks against merchants which do not directly process cardholder data have been reported. I believe these attacks were “man-in-the-middle” (MITM) based, even though these merchants had completed SAQ A because their payment processing was outsourced.

To be eligible for SAQ A and avoid the fines, your entire e-commerce payment page (the HTML form used to collect cardholder data) must be fully outsourced.

No provider will exempt you from PCI compliance; however, using one does decrease your PCI scope.

Using Stripe Checkout (SAQ A) or Stripe.js (tokenizing the raw card data in the browser, SAQ A-EP) reduces your exposure. Stripe creates and styles the credit card form for you; all the merchant does is drop in a JavaScript snippet. The JavaScript is used to encrypt the credit card data, which is sent over SSL/TLS to be processed by the Stripe API. As a merchant, you must ensure your SSL/TLS is configured for strong encryption with a sufficient key length.

Stripe’s JavaScript library will prevent a retailer from processing raw credit card data, thus reducing the merchant’s PCI scope.

SAQ A is extremely challenging to achieve, even if you are using an iframe from a third party (such as Stripe or Braintree) or a redirect-based checkout (such as PayPal). An MITM attack is a possibility because the consumer may be redirected to the criminal’s payment page, though this can be detected.

SAQ A applies only if the totality of all payment pages presented to the consumer’s browser originates directly from a third-party PCI DSS approved service provider. If any part of a payment page arises from the merchant’s website or a non-compliant service provider, the implementation is not acceptable for SAQ A.
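As an added example (not code from the original post or from Stripe), the condition above can be checked statically: every script, iframe and form action on the checkout page is attributed to the merchant, an approved provider, or an unknown origin, and inputs that would collect card data on the merchant’s own page are counted. The merchant origin, provider origin and sample HTML are constructed placeholders.

```javascript
// Added example, not code from the original post or from Stripe: a static audit that records
// where each payment-related element of a checkout page is served from. Origins are placeholders.

const TAG_SOURCES = {
  script: /<script\b[^>]*\bsrc=["']([^"']+)["']/gi,
  iframe: /<iframe\b[^>]*\bsrc=["']([^"']+)["']/gi,
  form: /<form\b[^>]*\baction=["']([^"']+)["']/gi,
};
// Inputs that would mean the merchant's own page collects cardholder data.
const CARD_INPUT = /<input\b[^>]*\b(?:autocomplete=["']cc-[^"']+["']|name=["'](?:card_?number|cvc|cvv)["'])/gi;

// Resolve a (possibly relative) URL against the page and say who serves it.
function classifyOrigin(url, pageOrigin, providerOrigins) {
  let origin;
  try { origin = new URL(url, pageOrigin).origin; } catch { return { origin: null, source: 'invalid' }; }
  if (providerOrigins.includes(origin)) return { origin, source: 'provider' };
  if (origin === pageOrigin) return { origin, source: 'merchant' };
  return { origin, source: 'unknown' };
}

function auditPaymentPage(html, pageOrigin, providerOrigins) {
  const findings = [];
  for (const [kind, re] of Object.entries(TAG_SOURCES)) {
    for (const m of html.matchAll(re)) {
      findings.push({ kind, url: m[1], ...classifyOrigin(m[1], pageOrigin, providerOrigins) });
    }
  }
  const cardFields = (html.match(CARD_INPUT) || []).length;
  let verdict;
  if (findings.some((f) => f.source === 'unknown' || f.source === 'invalid')) {
    verdict = 'investigate'; // something is served by neither the merchant nor an approved provider
  } else if (cardFields > 0) {
    verdict = 'merchant page collects card data'; // tokenising-script pattern, SAQ A-EP at best
  } else {
    verdict = 'payment elements provider-hosted';
  }
  return { verdict, cardFields, findings };
}

// Constructed sample: provider-hosted card iframe plus a script from an unrelated host.
const SAMPLE_HTML = `
<form action="/order/confirm">
  <input name="email" autocomplete="email">
  <iframe src="https://pay.example-psp.test/card-frame"></iframe>
  <script src="https://pay.example-psp.test/v1/psp.js"></script>
  <script src="https://static.unrelated-cdn.test/loader.js"></script>
</form>`;

const SAMPLE_REPORT = auditPaymentPage(SAMPLE_HTML, 'https://shop.example', ['https://pay.example-psp.test']); // verdict: "investigate"
```

Run the same audit over the page as actually delivered to a browser (after redirects) to catch the MITM case, where the differences show up as an unexpected origin.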