Friday, April 6, 2012

MasterCard Guidance on Hosted Payment Pages

One of the best and most common ways to reduce your PCI scope for ecommerce transactions is to use a hosted payment page from a PCI-compliant service provider. But a hosted payment page (sometimes called a hosted order page) is not a silver bullet. It does not make PCI go away, but it can reduce the scope and cost of your PCI compliance.

MasterCard recently published a PCI white paper, Hosted Payment Pages, that describes how these hosted payment pages work. Just as importantly, the white paper describes the risks merchants still face even after outsourcing. Two of these are man-in-the-middle (MITM) attacks (where the bad guys come between your site and your hosting provider) and phishing attacks aimed at the cardholder's computer.

MasterCard recommends remediation actions (especially for MITM attacks) including regular external vulnerability scans of your server, keeping current with security patches, and developing your code securely. As a QSA, I find it disappointing that the PCI Council's SAQ A does not require any of these actions. Please don't let that fact keep you from securing your ecommerce sites. The SAQs are a guide. You still need to be secure.

I recommend you download MasterCard's paper. It reinforces the earlier bulletin from Visa Europe that I mentioned previously.

1 comment:

  1. This is a good paper, and has been published by MasterCard previously. The only difference is that this version adds links to MasterCard's other online security resources.