
Hosted Payment Pages, the Payment Services Directive and PCI DSS Validation & Reporting

2015-07-07 17:20

Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel.

From the ECB's 'Guidelines on Internet Payments Security' on strong customer authentication in clause 7.5: 'PSPs offering acquiring services should require their e-merchant to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. based on a transaction risk analysis, or involving low-value payments, as referred to in the PSD.'

The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (HPP) would currently be acceptable for validation and reporting to SAQ A (or using those parts in a full report on compliance, depending upon transaction volumes or as required by a card scheme or acquirer).

But move on a year. The payment service provider (PSP) sector is coming under increasing regulation. PSPs are subject to the Payment Services Directive (PSD) which was implemented in the UK through the Payment Services Regulations 2009 (PSRs), which came into effect on 1st November 2009.

The PSRs affect firms providing payment services and their customers, including banks, building societies, e-money issuers, money remitters, non-bank credit card issuers and non-bank merchant acquirers. Thus, whilst they are not directly applicable to e-commerce merchants (or e-merchants, as the PSD refers to them), the PSPs that provide e-commerce merchants with payment systems are affected.

Following an extensive consultation process, and a draft published in October last year, the European Banking Authority (EBA) published its final guidance in December 2014. This guidance is known as the Final Guidelines on the Security of Internet Payments and comes into effect next month on 1st August 2015.

This places obligations on PSPs to impose certain security requirements on e-commerce merchants. For example, PSPs must require their e-commerce merchants to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet.

Furthermore, the guidance requires PSPs to encourage merchants never to store "sensitive payment data", and places an obligation on PSPs to include requirements in their contracts and to carry out "regular checks" of their e-commerce merchants:

From the ECB's 'Guidelines on Internet Payments Security' on protection of sensitive payment data in clauses 11.2 and 11.3: 'PSPs should ensure that when exchanging sensitive payment data via the internet, secure end-to-end encryption is applied between the communicating parties throughout the respective communication session, in order to safeguard the confidentiality and integrity of the data, using strong and widely recognised encryption techniques.' and 'PSPs offering acquiring services should encourage their e-merchants not to store any sensitive payment data. In the event e-merchants handle, i.e. store, process or transmit sensitive payment data, such PSPs should contractually require the e-merchants to have the necessary measures in place to protect these data. PSPs should carry out regular checks and if a PSP becomes aware that an e-merchant handling sensitive payment data does not have the required security measures in place, it should take steps to enforce this contractual obligation, or terminate the contract.'

Perhaps of most note is the guidance that states that PSPs should require e-commerce merchants to use a full redirect rather than any other type of architecture, and that this excludes any framed hosted payment page:

From the ECB's 'Guidelines on Internet Payments Security' on customer education and communication in clause 12.5: 'Acquiring PSPs should require e-merchants to clearly separate payment-related processes from the online shop in order to make it easier for customers to identify when they are communicating with the PSP and not the payee (e.g. by re-directing the customer and opening a separate window so that the payment process is not shown within a frame of the e-merchant).'
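The clause 12.5 point above, that a PSP's hosted payment page should be reached only by full redirect and never displayed inside a merchant's frame, is something the PSP can enforce in the HPP's own response headers and a merchant or assessor can check for. The Python below is an added example, not code from the original article or from any PSP; the header sets it inspects are constructed samples and the `shop.example` origin is a placeholder.

```python
# Added example (not from the original article): decide whether a hosted
# payment page (HPP) response refuses to be framed, i.e. whether it can only
# be reached by a full redirect as clause 12.5 asks. Header sets are constructed.

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header value
    (lower-cased), or None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def refuses_framing(headers: dict) -> bool:
    """True when the response cannot be shown inside a merchant's frame.
    Header names match case-insensitively. A CSP frame-ancestors directive,
    when present, decides the outcome and X-Frame-Options is ignored, which
    is how browsers resolve the two (CSP Level 2)."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # 'none' forbids all framing; 'self' permits only the PSP's own origin.
        # A merchant iframe is impossible in both cases.
        return ancestors in (["'none'"], ["'self'"])
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")

def hpp_response_headers() -> dict:
    """Anti-framing headers a PSP would set on its HPP so that only a full
    redirect can reach it (a constructed recommendation, not any PSP's config)."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",  # fallback for browsers without CSP Level 2
    }

# Constructed sample responses, not captured from any real PSP.
FRAMEABLE_HPP = {  # explicitly lets the shop's origin iframe the HPP
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors https://shop.example",
}
LEGACY_HPP = {"Content-Type": "text/html"}  # no anti-framing header at all

def classify(headers: dict) -> str:
    """Label a header set the way an assessor would record it."""
    return "redirect-only" if refuses_framing(headers) else "frameable"

if __name__ == "__main__":
    for name, hdrs in (("hardened", hpp_response_headers()),
                       ("frameable", FRAMEABLE_HPP), ("legacy", LEGACY_HPP)):
        print(f"{name}: {classify(hdrs)}")
```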

Whether this will actually filter through from PSPs to their e-commerce customers, or from the acquiring banks to their merchants, remains to be seen. The UK's Financial Conduct Authority (FCA) has stated it will not be able to comply with the guidance. Regardless of this, leading merchants that do not already use a full redirect are investigating what changes might be necessary to achieve this and the level of user experience possible. The reasons to move to a full redirect are to reduce the risk to cardholder data, to lower the risk of a cardholder data incident, and to change at a time of their choosing before it is imposed through a contractual obligation.

For some merchants this may entail moving to a different PSP that is able to offer suitable PSP-hosted templates and configuration to provide a suitable user interface (UI) for web desktop and mobile users that supports all the options the merchant requires, such as internationalisation.

Some nations, PSPs and acquiring banks may also be waiting for the implementation of the Payment Services Directive 2 (PSD2), possibly in 2017. The intention of PSD2 is to harmonise the approaches across member nation states, and also to reduce the inappropriate use of exemptions.

Source: www.clerkendweller.uk/2015/7/7/Hosted-Payment-Pages-the-Payment-Services-Directive-and-PCI-D
