How nCrypt delivered quarterly PCI ASV scanning, a focused web and API pentest and a fraud-aware application review that drove a measurable drop in chargeback losses for a regional fashion retail platform. Client identifying details have been anonymised under the engagement non-disclosure agreement.
The client is a fashion-focused e-commerce platform headquartered in Malaysia and operating consumer storefronts in five ASEAN markets, with daily order volume in the high five figures and a monthly active customer base in the low millions. The business model depends on a mix of own-label inventory and a marketplace of third-party sellers, each with a separate payout flow.
Engineering runs as a single platform team in Kuala Lumpur with regional growth and fraud teams embedded in each market. The technology estate is built on a Node.js monolith fronted by a global CDN, with a small set of Go microservices handling payments, fraud scoring and seller payouts. Card data is tokenised by a third-party gateway, but the platform retains substantial PCI scope through its checkout-page hosting model.
The engagement was triggered by two converging pressures. PCI ASV scanning had been failing for two consecutive quarters, putting the merchant agreement with the acquiring bank at risk. At the same time, the fraud team was reporting a steady month-on-month rise in chargeback losses concentrated on coupon abuse and account-takeover scenarios.
The repeated PCI ASV scan failures had escalated into a written notice from the acquiring bank, with a clear timeline before merchant-account restrictions would begin to bite. Each failed scan was rooted in a CDN-edge misconfiguration that the platform team understood in principle but had not been able to remediate cleanly without risking customer-facing performance.
The fraud loss line was the second pressure. A growing share of chargebacks had been traced to coupon-engine abuse — fraud actors purchasing high-value items at near-zero prices through automated combinations of stacked promotions — and to a parallel rise in account-takeover fraud driven by credential-stuffing pressure from regional botnets. The fraud team had implemented behavioural scoring but was hitting diminishing returns without underlying application-logic fixes.
The marketplace dimension added complexity. Third-party sellers operated their own promotional campaigns, exposing the central coupon engine to logic that had not been designed for arbitrary external configuration. Seller-side fraud and buyer-side fraud shared a single technical attack surface that no previous assessment had treated as one engagement.
Finally, the platform had a non-negotiable release cadence around regional sale events including 11.11, 12.12 and the Hari Raya campaigns. Any engagement had to fit cleanly around peak-traffic windows and produce remediation guidance that the platform team could land between sale events without freezing the product roadmap.
nCrypt structured the engagement as a continuous programme with three workstreams. The PCI ASV workstream took on the quarterly scanning obligation directly, including the configuration work required to bring the CDN edge into line with PCI DSS v4.0 ciphers, headers and TLS settings. The first attestation pass landed inside eight weeks of engagement start.
The application workstream delivered a focused web and API pentest mapped to OWASP ASVS Level 2, with an explicit fraud-aware overlay developed jointly with the client's fraud team. Every flow that had appeared on a chargeback report was walked through with the engineers who owned it, and the resulting test cases ran against both the storefront and the seller-side coupon configuration surface.
The continuous-assurance workstream took over after the initial deep assessment. External attack-surface monitoring runs continuously against all five market domains, the PCI ASV cadence is anchored to the quarterly cycle, and a deeper application retest is scheduled twice a year to track residual risk on new feature launches.
Joint working sessions with the fraud team made the difference on the fraud-loss outcome. Rather than handing over a report, nCrypt's consultants paired with fraud analysts during the assessment, so that the technical findings landed in the backlog with chargeback-data context already attached. This compressed the time from finding to fix and gave the fraud team confidence to retire compensating rules that were no longer needed.
The promotion engine accepted client-supplied price deltas without revalidating against the canonical catalogue. Combined with weak rate limiting on checkout, this allowed bulk-fraud actors to purchase high-value items at near-zero prices through automated tooling.
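The finding above is a pattern rather than one line of code. As an added illustration (not the client's code or nCrypt's deliverable), the following Node.js snippet contrasts a checkout that trusts a client-supplied price delta with one that recomputes the total from a canonical catalogue and applies stacking and floor rules server-side; the catalogue, promotion table and limits are constructed for the example.

```javascript
// Constructed stand-ins for the platform's catalogue and promotion table.
const CATALOGUE = { "SKU-JACKET": 32000, "SKU-TEE": 4500 }; // prices in cents
const PROMOTIONS = {
  WELCOME10: { percentOff: 10, stackable: false },
  FLASH20: { percentOff: 20, stackable: true },
  SELLER5: { percentOff: 5, stackable: true },
};
const MAX_STACK = 2;   // assumed policy: at most two stackable codes per order
const FLOOR_PCT = 40;  // assumed policy: never discount below 60% of list price

// Vulnerable pattern: the client's priceDelta is added straight to the list price,
// so an automated client can drive the total to near zero.
function vulnerableTotal(order) {
  let total = 0;
  for (const line of order.lines) {
    total += (CATALOGUE[line.sku] + line.priceDelta) * line.qty;
  }
  return Math.max(total, 0);
}

// Hardened pattern: client price fields are ignored, codes are validated against
// the promotion table, duplicates dropped, stacking capped and a floor enforced.
function hardenedTotal(order) {
  const seen = new Set();
  const promos = [];
  for (const code of order.codes || []) {
    const promo = PROMOTIONS[code];
    if (!promo || seen.has(code)) continue; // unknown or repeated code is ignored
    seen.add(code);
    promos.push(promo);
  }
  const nonStack = promos.filter((p) => !p.stackable);
  const stack = promos.filter((p) => p.stackable).slice(0, MAX_STACK);
  const applied = nonStack.length ? [nonStack[0]] : stack; // non-stackable wins alone
  const pct = Math.min(applied.reduce((s, p) => s + p.percentOff, 0), FLOOR_PCT);
  let total = 0;
  for (const line of order.lines) {
    const unit = CATALOGUE[line.sku];
    if (unit === undefined || !Number.isInteger(line.qty) || line.qty <= 0) {
      throw new Error(`rejected line: ${line.sku}`); // never price an unknown SKU
    }
    total += unit * line.qty;
  }
  return Math.round((total * (100 - pct)) / 100);
}
```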
The password-reset flow generated tokens with insufficient entropy and a long validity window. Combined with credential-stuffing pressure from regional botnets, this produced a measurable account-takeover loss line on the monthly fraud report.
The edge CDN was misconfigured to advertise legacy TLS ciphers and an out-of-policy HTTP header set, producing repeated PCI ASV scan failures that had been blocking quarterly attestation for two consecutive cycles.
Stored card-on-file tokens could be re-used from a freshly authenticated session on a new device with no additional challenge, allowing a determined attacker who had completed account takeover to immediately monetise stored payment methods.
An internal microservice intended for warehouse use had been exposed externally through an over-permissive API gateway rule, leaking real-time stock-level data that competitors had begun scraping at scale.
The first PCI ASV attestation passed inside eight weeks of engagement start, restoring the merchant agreement with the acquiring bank and removing the immediate revenue risk. The CDN configuration that had blocked two consecutive quarters was rebuilt against an explicit PCI-aligned baseline, with automated drift detection added to the release pipeline so that the same regression would not recur.
On the fraud line, chargeback losses fell by roughly three quarters within the first three months following remediation of the coupon-engine and account-takeover findings. The account-takeover share of total chargeback volume in particular was effectively eliminated once per-device binding was applied to stored payment methods and the password-reset token entropy was raised.
Twelve months on, the platform has retained nCrypt for a continuous-assurance retainer covering quarterly PCI ASV scanning, biannual application pentests and continuous external attack-surface monitoring across all five market domains. The fraud team reports that the working partnership between application security and fraud has become the model for how new product surfaces are launched.
Share your scope. We'll respond within 24 hours.
Get a continuous PCI ASV programme combined with a fraud-aware application pentest, scoped to the markets you operate in.