It's no secret that e-commerce allows businesses both small and large to open their doors to a wider audience of customers - making shopping more convenient while lowering overhead. But along with a wealth of opportunities come new risks that - if unmanaged - can cause irreparable damage to a business' finances and reputation.
Failing to take the necessary steps to secure your e-commerce website can lead to financial loss, fines, fees, higher transaction costs, and perhaps hardest of all to recover from: loss in customer trust.
So, how do you make e-commerce safe for your business and your customers? Luckily, the card brands have come together to define twelve common-sense requirements for a proactive e-commerce security plan. These twelve requirements are the backbone of the Payment Card Industry Data Security Standard (PCI DSS), which applies to every company that stores, processes, or transmits cardholder data and is designed to ensure that each of them maintains a secure environment.
NOTE: While this article focuses on e-commerce transactions, PCI DSS compliance is required for ALL companies that transmit, process, or store credit card information.
PCI DSS requirements
Build and maintain a secure network
1) Install and maintain a firewall configuration to protect cardholder data.
2) Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3) Protect stored cardholder data.
4) Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
5) Use and regularly update anti-virus software or programs.
6) Develop and maintain secure systems and applications.
Implement strong access control measures
7) Restrict access to cardholder data by business need-to-know.
8) Assign a unique ID to each person with computer access.
9) Restrict physical access to cardholder data.
Regularly monitor and test networks
10) Regularly test security systems and processes.
11) Track and monitor all access to network resources and cardholder data.
Maintain an information security policy
12) Maintain a policy that addresses information security for all personnel.
Once you're compliant, make it official and get certified!
Validation of compliance (often loosely called certification) is required by most merchant account providers and gateways, and the process is usually handled through your merchant/gateway account. For most e-commerce merchants it consists of completing, once a year, the Self-Assessment Questionnaire (SAQ) that matches how you accept cards and, where your SAQ calls for it, passing a quarterly external vulnerability scan of your internet-facing systems performed by an Approved Scanning Vendor (ASV) to confirm protection against the latest known vulnerabilities.
Beware of common PCI compliance myths
Many believe that PCI compliance is not relevant to their specific situation. Phone orders, card-present (terminal-based) transactions, card-not-present (virtual terminal) transactions, and use of third-party processors are ALL situations where PCI DSS compliance is required. Outsourcing payment capture to a hosted payment page reduces the scope of what you have to validate; it does not remove the obligation.
Tips and Advice
- Storing cardholder data inside your own network is a major security burden that greatly complicates your PCI DSS compliance. If you don't need to keep customer card data, don't. If you do need repeat billing, consider a tokenized payment data system offered by a third-party merchant/gateway, such as authorize.net's Customer Information Manager (CIM) service, so that your systems hold only a token that is useless outside that gateway.
- If you must store anything yourself, know the two rules PCI DSS applies to stored data: the primary account number (PAN) must be rendered unreadable wherever it is stored (strong encryption with the keys kept separate from the data, truncation, or tokenization), and sensitive authentication data (the CVV/CVC code, full magnetic stripe or chip data, and PINs) must never be stored after authorization, not even in encrypted form. Where the PAN is displayed, show at most the first six and last four digits.
- Maintain only the information you need - and restrict access to sensitive information on a "need to know" basis.
- Keep in mind that PCI DSS compliance is an ongoing commitment - as is your commitment to your customer's safety. You'll want to keep abreast of the latest threats and solutions in order to respond quickly as new threats are discovered.
- If you want to further reduce your risk, you can talk to your insurance provider about breach coverage, which helps to address the costs associated with a data breach. Note that this is not an alternative to PCI DSS compliance; in fact, most insurers' standards are in line with or more exhaustive than the PCI DSS requirements.
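The three data-handling tips above (store only a gateway token plus the minimum you need, never persist sensitive authentication data, keep the PAN masked everywhere it is displayed or logged) translate into code as an allow-list at the point where a checkout payload becomes a database record, a gate in front of every write, and a log scrubber. The following is an added example written for this article; it is not code from the article's author or from any gateway SDK. It assumes the gateway token (`gateway_token`) is issued by your gateway's tokenization service after the authorization call, and the checkout payload and log line are constructed test data.

```python
"""Keep cardholder data out of your own systems: build the record you persist
from an allow-list (so CVV/track data can never make it into the database),
guard every write, and scrub PANs out of log lines. Standard library only."""
import re
from typing import Dict

# Sensitive authentication data (SAD): PCI DSS forbids storing any of these after
# authorization, even encrypted. They are deliberately absent from STORABLE_FIELDS.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# The only checkout fields we ever copy into our own database. Note: no "pan", no SAD.
STORABLE_FIELDS = ("name", "exp_month", "exp_year")

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Mod-10 checksum used by all major card brands; weeds out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four is the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_safe_to_persist(record: Dict[str, str]) -> None:
    """Gate to call before any database write of customer or payment data.

    Raises ValueError if the record carries SAD keys or any value containing a
    full Luhn-valid card number. Masked PANs contain '*' and pass through.
    """
    bad_keys = SENSITIVE_AUTH_DATA & {k.lower() for k in record}
    if bad_keys:
        raise ValueError(f"refusing to persist sensitive authentication data: {sorted(bad_keys)}")
    for key, value in record.items():
        for match in PAN_CANDIDATE.finditer(str(value)):
            if luhn_valid(re.sub(r"\D", "", match.group(0))):
                raise ValueError(f"refusing to persist a full PAN in field {key!r}")


def to_storable_record(checkout: Dict[str, str], gateway_token: str) -> Dict[str, str]:
    """Turn a raw checkout payload into the record we persist.

    gateway_token is assumed to come from the gateway's tokenization service
    (for example a customer profile ID) after authorization; the full PAN and
    any SAD are used for that one call and then dropped here.
    """
    pan = re.sub(r"\D", "", checkout.get("pan", ""))
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("checkout payload does not contain a valid PAN")
    record = {field: checkout[field] for field in STORABLE_FIELDS if field in checkout}
    record["token"] = gateway_token
    record["masked_pan"] = mask_pan(pan)   # enough for receipts and the customer's account page
    check_safe_to_persist(record)          # fails loudly if the allow-list is ever loosened
    return record


def redact_pans(line: str) -> str:
    """Mask Luhn-valid card numbers in free text (logs, error reports, support tickets).

    Best-effort: digit runs that fail the Luhn check are left untouched.
    """
    def _mask(match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, line)


# Constructed sample input; 4111111111111111 is a widely used test PAN.
SAMPLE_CHECKOUT = {
    "name": "A. Customer", "pan": "4111 1111 1111 1111",
    "exp_month": "12", "exp_year": "2030", "cvv": "123",
}
SAMPLE_LOG_LINE = "order=1234567890123456 pan=4111 1111 1111 1111 status=approved"

if __name__ == "__main__":
    print(to_storable_record(SAMPLE_CHECKOUT, "cim_profile_987654"))
    print(redact_pans(SAMPLE_LOG_LINE))
```

The allow-list is the important design choice: a deny-list of field names has to be updated every time a front-end developer renames `cvv` to `securityCode`, whereas an allow-list only ever lets through what you have decided to keep. `check_safe_to_persist` sits behind it as a second line of defence for records built elsewhere, and `redact_pans` belongs in the logging pipeline, because a PAN in a log file puts the whole log server in scope for PCI DSS.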
It all comes down to trust.
Your customers expect a safe experience when shopping on your website. If that expectation is not met, the damage may be irreparable. Protecting the personal and financial information submitted on or through your website is by no means easy, but it is significantly easier and less costly than trying to recover from a breach.
Need help or advice?
Reach out to us at 718-381-9515 or firstname.lastname@example.org.
For more information on PCI DSS security standards and requirements:
NOTE: the above is intended as an introduction and is by no means an exhaustive - or even terribly detailed - account of what is needed to implement a secure e-commerce website. If you're evaluating your risk or planning to make your website more secure, we highly advise that you discuss your unique situation with a qualified professional.