What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory security standards for any organization that accepts, processes, stores, or transmits credit card information. It was created by the major payment card brands (Visa, MasterCard, American Express, etc.) to reduce credit card fraud and protect cardholder data.

If your e-commerce business accepts credit card payments, you are required to be PCI DSS compliant. Failure to comply can result in steep fines, loss of the ability to accept credit card payments, and liability in the event of a data breach.

The 12 Core Requirements of PCI DSS

The PCI DSS is built around 12 high-level requirements, which are organized into six goals:

Goal 1: Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal 2: Protect Cardholder Data

  3. Protect stored cardholder data (encryption is key).
  4. Encrypt transmission of cardholder data across open, public networks.

Goal 3: Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.

Goal 4: Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need-to-know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.

Goal 5: Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Goal 6: Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel.

Understanding PCI Compliance Levels and Validation

The specific requirements for validating your compliance depend on your transaction volume and how you handle cardholder data. Merchants are typically categorized into one of four levels (Level 1 being the highest volume, Level 4 being the lowest).

Validation is typically done by completing a Self-Assessment Questionnaire (SAQ). The SAQ is a document that helps you self-evaluate your compliance with the PCI DSS. The specific SAQ you need to fill out depends entirely on how you integrate with your payment processor.

The Easiest Path to Compliance: Reducing Your Scope

For most e-commerce businesses, the key to achieving PCI compliance is to reduce your scope. This means minimizing your interaction with sensitive cardholder data as much as possible. If you never touch the data, your compliance burden is dramatically lower.

How to Reduce Your PCI Scope:

The best way to do this is by using a payment solution that handles the sensitive data for you.

  • Hosted Payment Pages: The customer is redirected from your site to a secure page hosted by your payment gateway (e.g., PayPal Standard) to enter their payment details. The data never touches your servers. This typically allows you to use the simplest form, SAQ A.

  • iFrame or JavaScript-Based Integrations: This is the most common method for modern e-commerce sites. Your payment form appears to be on your website, but the sensitive fields (credit card number, CVV) are actually hosted within an iFrame or use a JavaScript library provided by your payment gateway (e.g., Stripe Elements, Braintree Drop-in UI).

    • How it works: The customer's browser sends the cardholder data directly from their browser to the payment gateway's secure servers. Your server never sees or stores the raw credit card number. The gateway then gives you a secure, single-use "token" that you can use to process the payment.
    • Compliance Benefit: This method typically allows you to qualify for SAQ A-EP, which is more involved than SAQ A but still far less complex than the requirements for handling data directly.

What NOT to do: Do not build a checkout form that collects credit card data and sends it to your own server, even if you only hold it in memory for a moment before passing it to a payment gateway. This brings your entire server infrastructure into PCI scope and requires you to meet much more stringent and costly compliance requirements (SAQ D).
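The server side of the iFrame/JavaScript integration described above, together with a guard for the "what NOT to do" case, as an added example that is not from the original article or from any payment gateway's own SDK: a Node.js checkout handler that accepts only a gateway-issued token and refuses any request carrying a Luhn-valid card number, so raw cardholder data is detected and rejected instead of silently entering your server's scope. The `paymentToken` field name, the `tok_` prefix, and the sample requests are assumptions constructed for this demo; a real integration uses whatever token format your gateway documents.

```javascript
// Added example, not from the original article. Token-only checkout handler
// for a merchant server behind an iFrame/JavaScript gateway integration.
// Assumptions: the client posts {paymentToken, amountCents, orderId};
// tokens look like "tok_..." (placeholder format chosen for the demo).

// Luhn check: every genuine PAN passes it. Used here only to DETECT card
// numbers that should never have reached this server, never to process them.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Find candidate PANs (13-19 digits, optionally separated by spaces or dashes)
// in a string and keep only those that pass Luhn. Returns the bare digit strings.
function findPans(text) {
  const found = [];
  const re = /\d(?:[ -]?\d){12,18}/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Walk a parsed JSON body (objects, arrays, strings) and collect every PAN
// found in any string value, whatever the field is called.
function scanBody(value, acc = []) {
  if (typeof value === 'string') {
    acc.push(...findPans(value));
  } else if (Array.isArray(value)) {
    value.forEach((v) => scanBody(v, acc));
  } else if (value && typeof value === 'object') {
    Object.values(value).forEach((v) => scanBody(v, acc));
  }
  return acc;
}

// Mask a PAN for logs and alerts: at most the first six and last four digits,
// which is the most PCI DSS permits to be displayed.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// The checkout endpoint logic. Only a token and order data are accepted;
// anything resembling a card number is rejected before any other processing.
function handleCheckout(body) {
  const pans = scanBody(body);
  if (pans.length > 0) {
    // A client is posting raw card data to us: refuse it and surface a masked
    // value so the alert can be investigated without logging the full PAN.
    return { status: 400, error: 'raw card data rejected', masked: pans.map(maskPan) };
  }
  if (typeof body.paymentToken !== 'string' || !/^tok_[A-Za-z0-9]+$/.test(body.paymentToken)) {
    return { status: 400, error: 'missing or malformed payment token' };
  }
  if (!Number.isInteger(body.amountCents) || body.amountCents <= 0) {
    return { status: 400, error: 'invalid amount' };
  }
  // Forward only the token and order data to the gateway (the actual API call
  // belongs to your gateway's SDK and is omitted here).
  return { status: 200, chargeWith: body.paymentToken, amountCents: body.amountCents };
}

// Constructed sample requests: a correct token-based checkout, and a client
// that (wrongly) posts the card number itself. 4111 1111 1111 1111 is the
// well-known Luhn-valid test number, not a real account.
const goodRequest = { orderId: 'A100', amountCents: 4999, paymentToken: 'tok_demo123' };
const badRequest = {
  orderId: 'A101',
  amountCents: 4999,
  card: { number: '4111 1111 1111 1111', expiry: '12/29', cvv: '123' },
};

console.log(JSON.stringify(handleCheckout(goodRequest)));
console.log(JSON.stringify(handleCheckout(badRequest)));
```

Any Luhn-valid run of 13 to 19 digits will trigger the guard, so some order or tracking numbers will be false positives; treat a hit as an alert to investigate rather than an automatic incident. Running the same `scanBody` check over your application logs and error reports is a cheap way to confirm that a "tokenized" integration really is keeping card numbers off your systems.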

Key Takeaways for E-commerce Merchants

  1. You MUST be PCI Compliant: It's not optional.
  2. NEVER Store Credit Card Data: Do not store credit card numbers, expiration dates, or CVV codes on your systems. There is no good reason to do this in modern e-commerce.
  3. Use a Compliant Payment Gateway: Partner with a reputable payment processor that provides a tokenization-based solution (like Stripe, Braintree, Adyen, or PayPal).
  4. Choose the Right Integration: Use an iFrame or JavaScript-based integration to keep sensitive cardholder data off your servers. This is the single most important decision you can make to simplify your PCI compliance.
  5. Keep Your Platform Secure: Even with a reduced scope, you are still responsible for securing your website. Keep your e-commerce platform (e.g., Magento, WooCommerce) and all plugins patched and up to date to prevent breaches.

© PEAKHOUR.IO PTY LTD 2025   ABN 76 619 930 826    All rights reserved.