It's no secret that identity theft and customer information security has become a huge concern for anyone doing business on the web. Unfortunately there are far too many careless online merchants who improperly handle sensitive consumer data and countless unscrupulous individuals eager to take advantage of the situation. The industry is trying to do something about it, but it's extremely difficult when you are dealing with a rapidly moving target like the internet. One of the efforts to increase the security of online commerce is the movement toward PCI Data Security Standards. Will this be the solution? The magic bullet to kill identity theft and bring security to the web... Who knows, time will tell. But any effort to increase the security of online commerce is a worthwhile endeavor, so what can you do to see about being PCI compliant and make yours a safer site to do business with.
First of all, go to http://www.pcicomplianceguide .org/ and become more familiar with what PCI is and what you can do to better secure your online business. Next, if you have a Cartweaver site or any shopping cart site for that matter, what should you do? Let's take a look at what is required to have a "PCI secure site" and briefly discuss what can be done to see if your site measures up.
The following requirements are taken directly from http://www.pcicomplianceguide.org/pci-basics.html -- let's look at these one at a time and see how Cartweaver addresses the issues it can, and what steps you need should take to better secure your online store.
..................................
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- This is in your court as a developer. If using an Access database, make sure that it is stored in a safe non-brows-able folder, if you are using a SQL Server or MySQL database; be sure your host has it properly secured.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Yes! By all means change all default usernames and passwords and be sure you use something that is sufficient to ward off hack attempts. A good mix of numeric and alphanumeric characters and at least 8 to ten characters in length will be good and change them occasionally to be sure they don't get compromised.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
- Cartweaver NEVER stores this data -- it is handed off to the payment gateway and then promptly "forgotten". No matter what your client may say, never be persuaded to alter your site to store the credit card type, number, expiration date, or security code... Ever! Just don't go there. Truthfully, in a shared host environment there is no way to store this data securely. Treat it like the hot potato it is and hand it off as quickly as possible and be free of it.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Yes -- by all means get an SSL Certificate and have it properly installed in the root directory of your site. Resist the temptation to use the host's shared SSL if they offer one, get your own 124 bit encryption certificate and have it installed before your first transaction.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
- This would be the responsibility of your host. Have in-depth, frank discussions with your host to 1. Know what steps they take in this regard and 2. Make sure they continually monitor and maintain security. If they don't provide clear and detailed information about this issue, or get annoyed with your insistence of getting this information... change hosts!
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
- Again, Cartweaver does not store this data.
Requirement 8: Assign a unique ID to each person with computer access
- Cartweaver does this by allowing you to create individual admin accounts. Be sure your host does the same. Again risk is greatly minimized by the fact that credit card data is not stored. The with the exception of the email address, the data in your Cartweaver customer database is no more than what is freely accessible in the local telephone directory.
Requirement 9: Restrict physical access to cardholder data
- Once again -- this is not stored. If you choose a reputable payment gateway this data is secure. Neither you the developer, your employees, the merchant, nor their employees have any access to this data. You can't steal or tamper with something you don't have.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
- The credit card data is not stored in any way shape pr form, and with the SSL encryption it is securely transferred to your payment gateway -- that takes care of it from the application and your standpoint... Just be sure to use a qualified, reputable payment gateway and host.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
- Be proactive! Your application (Cartweaver) is secure provided your database is adequately secured and you have SSL in place and your usernames and passwords properly set. Beyond that, talk frankly with your host and payment gateway provider to be sure their end is taken care of.
Being able to do business on line safely and securely is the right of every person that chooses to spend their hard earned money online. Internet shoppers are showing a lot a trust when they make a purchase online. It is the responsibility of every online merchant, web application developer, web site developer and designer to do all they can to fulfill that trust by providing a safe, secure "place" to do business. I encourage you to take the time out from your day to day activities and focus on making sure your site meets the PCI standards. You and your customers will be glad you did.
Loading User Profile...
Login with Facebook