Browsers may be a weak point in PCI DSS guidelines

If an eCommerce website uses a web browser to process credit and debit card orders, there may be risks involved, said Laurie Coffin, vice president of marketing at Quarri Technologies, on ChannelWeb. Websites that rely on browsers should have security measures in place, such as Symantec SSL certificates, so that people buying and browsing are protected.

Coffin said using browsers could be especially deadly for PCI compliance, as browsers could put holes in a business' security and risk data loss, theft, malware and other so-called "man-in-the-middle" attacks.

"PCI Requirement 3 mandates organizations must protect stored cardholder data, and this is generally done via encryption," Coffin said. "However, the encrypted data is unencrypted when rendered in the browser on the endpoint and in use. Data can remain in the web browser cache in clear text format, where it can be extracted by malware or end users. Even simple everyday tasks, such as cut, copy, paste and screen capture, put sensitive data in the system-wide clipboard, also rendered in clear text format and still accessible after the web session has ended."
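The browser-cache exposure Coffin describes has a server-side control: the page that renders cardholder data must be sent with headers that forbid caching. The following is an added example (not code from the article, Quarri or Symantec) that audits a constructed set of response headers for cache directives that would let a cleartext copy persist, and shows the hardened header set beside the weak one.

```python
"""Audit HTTP response headers for a page that renders cardholder data.

Constructed example: the weak and hardened header sets below are made up
for illustration, not taken from any real merchant site.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument}.
    Directive names are case-insensitive, so they are lower-cased here."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the problems that would allow a browser or intermediary cache
    to keep a copy of the rendered page. An empty list means acceptable."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "public" in cc:
        findings.append("Cache-Control marks the response public")
    for directive in ("max-age", "s-maxage"):
        lifetime = cc.get(directive)
        if lifetime is not None and lifetime != "0":
            findings.append(f"Cache-Control allows reuse via {directive}={lifetime}")
    return findings


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with caching forbidden for this response.
    Pragma and Expires cover older HTTP/1.0 caches that ignore Cache-Control."""
    hardened = {k: v for k, v in headers.items()
                if k.lower() not in ("cache-control", "pragma", "expires")}
    hardened["Cache-Control"] = "no-store, no-cache, must-revalidate, private"
    hardened["Pragma"] = "no-cache"
    hardened["Expires"] = "0"
    return hardened


# Constructed weak header set, as a merchant page might ship it by default.
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "public, max-age=3600"}

if __name__ == "__main__":
    print("weak:", cache_findings(WEAK_HEADERS))        # three findings
    print("hardened:", cache_findings(harden(WEAK_HEADERS)))  # []
```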

One browser is trying to take steps to improve things, at the very least. Google said it has released an update for its Chrome browser that fixes a problem with SSL certificates when users try to connect to a website through HTTPS. Even with this fix, the website said the problem may be reintroduced, but Karen Grunberg of Google Chrome said on the company's blog that they are "actively working on a fix for it."

Companies that are looking to deal with any kind of payment transaction online should look to follow PCI DSS guidelines as closely as possible. Companies should also work with those that specialize in encrypted keys, such as Symantec or Thawte, to bring in SSL certificates to make sure transactions are encrypted.