MAGENTO VULNERABILITIES IMPACT PCI COMPLIANCE

Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical- and high-severity vulnerabilities that could expose credit card data. Merchants that haven’t deployed security patches, as PCI standards require, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.
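The defensive counterpart to the flaw described above, as an added example that is not Magento’s code or the original post’s: an admin view that escapes a stored order comment before rendering it, plus a triage check a merchant can run over existing comments after patching. The function names and the sample order are assumptions constructed for the example.

```php
<?php
// Added example (not Magento code). Renders a stored order comment inside an
// admin order-detail page so that it is displayed as text, not interpreted as
// markup or script. The function name is an assumption for this example.
function renderOrderComment(string $comment): string
{
    // ENT_QUOTES | ENT_SUBSTITUTE with UTF-8 neutralises < > & " ' and replaces
    // invalid byte sequences instead of returning an empty string.
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="order-comment">' . $safe . '</td>';
}

// Triage helper (assumed name): flags stored comments that contain markup an
// order note never legitimately needs, so a reviewer can inspect those orders.
// This is a review aid with possible false positives, not a security control;
// output escaping above is the actual mitigation.
function looksLikeMarkupInjection(string $comment): bool
{
    $pattern = '/<\s*\/?\s*[a-z]'      // opening or closing tag
             . '|\bon[a-z]+\s*='       // inline event handler attribute
             . '|javascript\s*:/i';    // javascript: URL scheme
    return preg_match($pattern, $comment) === 1;
}

// Constructed sample order; not real data.
$order = [
    'id'      => 'ORDER-EXAMPLE-1',
    'comment' => '<script>alert(1)</script> please ship fast',
];

echo renderOrderComment($order['comment']), PHP_EOL;

if (looksLikeMarkupInjection($order['comment'])) {
    echo 'Review order ', $order['id'], ': comment contains markup', PHP_EOL;
}
```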

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014. (Verizon 2015 PCI Compliance Report)

Payment gateway implementation requirements have changed over time in response to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, in order to meet current PCI Compliance standards. Merchants should verify that all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.

RESOURCES

  • Magento Security Center
  • VISA MAGENTO SECURITY ALERT, July 2016
  • Christine Speedy, 3D Merchant Services, offers a Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate risk. B2B customer benefits include frictionless payments across all sales channels; text and email Express Checkout; a customer invoice portal for 24/7 ACH, credit card, wire and more payment types; and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.


Volusion for B2B? No way!

Volusion for B2B ecommerce shopping cart is unacceptable. B2B companies are going omnichannel, yet Volusion lacks critical tools distribution companies need to maximize profits, security, and efficiency.

  1. Payment gateways and level III data – Wholesalers pay an average 30% premium in merchant fees because NO Volusion payment gateways help businesses properly qualify for level 3 interchange rates across ALL sales channels, from ecommerce to retail. They have continually ignored requests to support it, instead adding dozens and dozens of ‘me too’ gateways that are pretty much all alike.
  2. Retail – B2B retailers need US EMV options that support their needs, whether it’s signature capture terminals like the Verifone MX915 or mobile terminals. None of their gateways has ever supported level 3 processing for retail, and is there even a US EMV terminal with P2P encryption certified for any processor today that works with Volusion?
  3. Omnichannel flexibility and PCI Compliance – How many business to business companies have a sales force taking phone orders? What is Volusion doing to help secure that transaction and help prevent fraud? Not nearly enough.

Over the decade that I owned a Volusion B2B ecommerce store, I recommended them over and over again. So much so that their product development team reached out to me to ask if there was anything I needed. It’s been seven years, and the one thing I wanted, a modern payment gateway that meets business to business needs, they still haven’t done, even though the work is minimal. Why not? Well, I’m tired of waiting, and if someone finds my positive reviews online, I want everyone to know there are many compelling reasons why I do not recommend Volusion for B2B ecommerce.

Magento B2B Payment Gateway Developer Selection – CenPOS vs Authorize.net vs

Which is the best payment gateway for Magento developers B2B clients?

The answer lies in Magento top user concerns, which are security & PCI Compliance, cost, customer experience and flexibility with other systems including ERP and accounting.

Security and PCI Compliance: PCI should be a non-issue as any payment gateway being suggested for a B2B company should be level 1 PCI Compliant. However, developers can help merchants reduce PCI Compliance burden by partnering with a B2B payment gateway specialist who can recommend payment gateway solutions compatible with all business needs, not just Magento. For example, does the business also send invoices from an ERP? Do salesmen or credit managers get credit card numbers via fax or phone? Magento developers are not experts in payments and cannot be expected to ask the right questions to help solve unrelated compliance problems.

Internal and external fraud protection are critical. At a minimum, the payment gateway must support 3-D Secure, including Verified by Visa and MasterCard SecureCode to shift liability for certain types of fraud from merchant to card issuer.

Payment Gateway Cost: The worst mistake is recommending or selecting a payment gateway based on per-transaction cost. The payment gateway plays a critical role in interchange rate qualification, which comprises over 95% of merchant fees. Gateway capabilities, and the lack thereof, can literally double the cost of credit card acceptance for B2B. The most important base criterion is that it must support Level 3 processing. There are many nuances to qualifying transactions correctly that most credit card processor salesmen don’t understand, so there’s little expectation that a developer would have the global financial expertise to recommend the best choice.

Treasury Management: Where are your customers? Where are your offices? What currency do you want to collect and bill in? Authorize.net has virtually nothing to help manage cross-border sales. CenPOS has a multitude of treasury solutions that can be customized.

For example, a company bills everything from the US, but also has operations in Canada and the European Union. Authorize.net will process every transaction in USD. The company pays cross-border fees on foreign issued cards, which now exceed 1% in some cases, and then pays again to repatriate revenue back to the EU or Canadian operations. CenPOS automatically identifies and processes the transaction in the local issuer currency, avoiding costly cross-border fees and more expensive US interchange rates, and deposits in the regional account. It does this seamlessly with no special developer programming.

Customer Experience: Will the gateway enhance or detract? In most cases, there’s very little difference in the checkout experience, but for B2B, there’s a bigger picture. What if the customer buys via multiple channels? Sharing tokens across multiple channels, including for emailed invoices, may be important. A holistic look at all sales channels and payment methods is essential, but it’s not a good use of a developer’s time, so deferring to a payment expert will yield a better ROI for the developer and a better result for the business.

Flexibility: Payment acceptance types, global availability, omnichannel integrations, flexibility and scalability are all factors in choosing not only the best B2B payment gateway for Magento, but also for the entire organization. For example, if there’s also a retail component, US businesses also need an EMV solution that supports level 3 processing for retail. If the distributor is global, how many countries is the gateway available in?

Back Office Efficiency: If you’ve ever done research in Authorize.net reports, and then in CenPOS, you’ll appreciate the massive difference between download and search vs dynamic drill down within CenPOS online reports. CenPOS reports were designed with input from today’s businesses, not those of over a decade ago. Too many differences to mention here.

There’s a plethora of misinformation across multiple industries, ranging from consultants to developers. Defaulting to Authorize.net or Payflow Pro because they’re two of the oldest payment gateways is an injustice to the end user. Payment gateway selection plays a crucial role in business profits, security and efficiency. By partnering with a payments expert, clients are provided the best solution, and Magento developers can grow revenues with specialty implementation and add-on services the expert recommends.

“I have some knowledge of Magento, including as a developer in its early years, but I’m not a Magento expert,” says Christine Speedy, owner of 3D Merchant Services and B2B payment gateway expert. “Likewise, there are great B2B Magento developers that are not payment gateway experts. By partnering, we can offer businesses more appropriate solutions to maximize profits and security, while also mutually benefiting.”

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:

  • E-commerce Overview – provides merchants and third parties with an explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as a list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes a chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes a sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC