Electronic commerce, commonly known as e-commerce, is the use of the Internet to facilitate transactions for the sale and payment of goods and services. E-commerce is a card-not-present (CNP) payment channel and may include:
- E-commerce websites accessible from any web browser, including “mobile-device friendly” versions accessible via the browser on smart phones, tablets, and other consumer mobile devices.
- “App” versions of your e-commerce website, i.e., apps downloaded to the consumer’s mobile device, or the website’s URL saved as an application icon on a mobile device, where the app or icon provides online payment functionality (consumer mobile payments).
The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. This information supplement offers additional guidance to that provided in PCI DSS and is written as general best practices for securing e-commerce implementations. All references in this document are for PCI DSS Version 3.2.
The guidance focuses on the following:
- Different e-commerce methods, including the risks and benefits associated with each implementation as well as the merchant’s responsibilities.
- The selection of public key certificates and certificate authorities appropriate for a merchant’s environment.
- Questions a merchant should ask its service providers (certificate authorities, e-commerce solution providers, etc.).
- General recommendations for merchants.