Article

New PCI DSS Ecommerce Guidelines Stress TLS 1.1 Migration

Topic: Business NetworkingBy Michael PetersPublished Recently added
No ratings yet1,072 viewsSign in to rate
New PCI DSS Ecommerce Best Practices Replace Previous Guidelines Issued in 2013 Consumers love shopping online and are abandoning malls for mobile shopping apps in droves. However, online shopping environments offer multiple opportunities for hackers to steal payment card data. Even worse, as more brick-and-mortar stores implement card chip technology to defeat skimmers and other forms of POS system fraud, thieves are gravitating toward card-not-present (CNP) ecommerce environments, where the pickings are easier. In an effort to address the growing threat of ecommerce fraud and clear up confusion among merchants regarding encryption and digital certificates, the PCI Security Standards Council has just released a PCI DSS ecommerce information supplement with updated best practices for ecommerce cyber security, which replaces the previous PCI DSS ecommerce guidelines issued in 2013. Previously, the PCI Council had mandated that all online merchants implement TLS 1.1 encryption or higher by the end of June 2016, then later extended the deadline to June 2018. However, the PCI Council recognized that many merchants did not fully understand their responsibilities and options regarding encryption and digital certificates. The new PCI DSS ecommerce guidelines include a primer on SSL and TLS that explains the difference betwee SSL and TLS and how to select a Certification Authority (CA) and a public key certificate. There is also a list of questions merchants commonly have about certificate types and TLS migration options; four case studies outlining ecommerce security solutions in different data environments; and a section devoted to best practices for securing ecommerce sites. Understanding and Complying With the New PCI DSS Ecommerce Guidelines As the PCI Council itself points out, the new guidelines “[do] not replace or supersede requirements in any PCI SSC Standard.” They “[contain] revised content to address changes in risk and supporting technologies” and are meant to help merchants protect themselves against emerging threats and prepare for migration to TLS 1.1+ encryption. Although the TLS migration deadline is still over a year away, the PCI Council does not recommend waiting. There are numerous security vulnerabilities in SSL and early (pre-1.1) versions of TLS that are incapable of being fixed or patched. Any ecommerce site running SSL or early TLS is at serious reach of being breached and should upgrade as soon as possible. This is critical even for small ecommerce businesses. Hackers do not discriminate between sole proprietorships and multinational corporations, and a tiny startup may be less able to absorb the financial hit of a breach than a multinational. In addition to extensive information on TLS 1.1+ migration, the guidelines contain a list of best practices for securing ecommerce stores, including: • Know the location of all your cardholder data; use data flow diagrams to identify your systems, processes, and security controls. • If you don’t need it, don’t store it; PCI DSS 3.1 requires that merchants store cardholder data for only as long as they need to, and not store sensitive authentication data at all after authorization. • Evaluate the risks of your associated e-commerce technology; PCI DSS Requirement 12.2 mandates that organizations include their ecommerce environments in their annual risk-assessment process. • Conduct ASV scanning and penetration testing of ecommerce environments; even if you are outsourcing your web hosting and management, it is still your responsibility under PCI DSS to ensure that your vendor is conducting these important tests. The PCI Council also mandates comprehensive cyber security training for staff and recommends that merchants promote cyber security awareness among their customers. Although the latter is not a requirement for PCI DSS compliance, it is still an excellent idea. Security-aware customers are less likely to fall victim to credit card fraud, which benefits merchants by reducing fraud-related losses. Additionally, in our connected world, hacks no longer happen in a vacuum; cyber security is everyone’s responsibility.

Article author

About the Author

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions. He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.

Further reading

Further Reading

4 total

Article

Introduction There was a time when the call center was seen as a place where phones rang endlessly and agents simply answered questions. That picture has changed dramatically. Today the modern call center sits at the center of customer experience, quietly coordinating returns, managing fulfillment concerns, and shaping how customers feel about every interaction with a brand. Instead of reacting to problems, teams now guide customers through complex journeys. Their role has gr

February 6, 2026

Article

In today’s financial landscape, credit scores play a major role in determining access to loans, housing, and even employment opportunities. For individuals facing late payments, collections, or inaccurate credit reports, rebuilding credit can feel overwhelming. This is why many people turn to professional services for guidance. Among the growing number of Credit Repair Companies in Houston and providers offering Credit Repair San Antonio solutions, White Jacobs continues to

February 6, 2026

Article

Choosing the right POS terminal is more important now than ever. With customer expectations rising and payment methods changing quickly, businesses need a device that works fast, stays secure, and handles different payment types. The PAX A30 is a popular Android POS terminal that has gained attention for its modern design and strong features. In this review, we look at how well it performs in real life, what makes it stand out, and whether it can truly be called the best Andr

January 17, 2026

Article

Installing a rack mount server cabinet is an important task for anyone setting up a server room or a data center. These cabinets are designed to hold servers, networking devices, and other hardware safely and in an organized way. A well-planned installation helps improve airflow, manage cables neatly, and secure equipment, which makes the server room safer and more efficient. Whether you’re setting up a small office server or a larger business data center, knowing how to in

January 16, 2026