At its core, the idea is to have e-commerce websites use a
certificate authority that is tied to the PCI Industry, and for
the browser to somehow indicate this (e.g., with a ($)
icon, similar to the lock icon).
Existing approaches:
--DV Certificate: Validates your domain. Provides protection
against man-in-the-middle attacks, but does nothing to
protect against malicious endpoints.
--OV Certificate: A big fat lie. Same as DV.
--EV Certificate: DV and validates the company name of the
endpoint.
--PCI Banner: PCI Assessors often offer "Credit Card Safe"
badges. However, scammers can trivially fake such badges.
Browser indicators in the address bar are harder to fake
(though not quite impossible).
Proposed Approach: PCI/DV or PCI/EV Certificate: Validates that you are PCI
compliant.
Pre-emptive rebuttals:
--1. Won't this increase the barrier to entry?
Mom and Pop shops have 3 choices:
A) Don't bother. Maybe the lock icon will be enough.
B) Use an interstitial payment gateway.
C) Their payment processor can validate their site for
e-commerce.
--2. Won't it be a huge mess to force companies to comply
with requirements from both PCI-DSS and the CA/Browser
forum?
Yes. This can be simplified by having PCI validated
processors countersign the certificate, possibly as an extra
property attached to standard certificates. This signing
hash could be provided to standard authorities, who would
bolt it onto certificates that they generated.
--3. Why should sites be forced to use PCI-DSS signing?
PCI-DSS is already enforced by contract with credit card
processors. The only extra work this adds is that
processors will need to validate payment sites (or those
sites can be seen, deservedly, as being less trustworthy).
--4. This proposal is very US-centric.
True.