If you run an ecommerce site you will no doubt be aware that it brings certain security considerations. Ecommerce sites have become a target for hackers in the past few years; they are after your customers’ data, their online identity information and their financial details. Payment card data in particular is at risk from cyber criminal activity. Some of the highest profile cyber attacks have been those involving the theft of customer credit and debit card data. One of those attacks, the Target breach of 2014, involved the loss of credit and debit card data for 40 million customers. In August of this year, ecommerce site Web.com was hacked, losing the credit card records of 93,000 customers. These breaches are not only focused on larger organizations: there has been a year-on-year increase in the number of small to medium sized companies being targeted by cybercrime. In fact, UK government research has shown that over 60% of smaller companies suffered a cyber security breach in the last year.
How to reduce your security risk
There are a number of ways that ecommerce sites can reduce the risk of cybercrime. A fundamental requirement for any ecommerce site, and in fact any site that requires user registration, is to serve it securely, i.e. over HTTPS (the secure version of HTTP), which runs over the security protocol Secure Sockets Layer (SSL), now known as Transport Layer Security (TLS). A secure website means that any user data communicated via that site is protected in transit. HTTPS sites use a digital certificate to provide this protection; this certificate is commonly known as an SSL certificate. The certificate lets the client (usually a browser) verify the identity of the server (usually a website) and set up an encrypted session for the information they exchange. If anyone intercepts this transfer, e.g. a cybercriminal, they won’t be able to decrypt the information because they don’t have the correct ‘encryption key’ to do so.
A certificate authority (CA) issues digital certificates. The CA checks that the company a certificate is issued to is real. The SSL certificate and HTTPS then need to be correctly implemented to be effective; if they are not (for example, pages that still load over plain HTTP, or certificate validation that has been disabled or misconfigured), the protection can be bypassed. It is vital to have the implementation of SSL done correctly, as any information being shared with that website, including login credentials, can otherwise be stolen and used to log into the system and take a user’s personal data and other information such as card details.
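The "correctly implemented" point above is concrete enough to check in code. The following is an added example written for this article, not code from Centigen or Comodo: it audits a Python `ssl.SSLContext` (the kind a shop's backend would use when calling a payment gateway) for the settings that decide whether the certificate actually protects anything, and contrasts a context where verification was switched off with a hardened one. The function names, finding codes and the two sample contexts are our own assumptions.

```python
"""Audit an ssl.SSLContext for the settings that make an HTTPS connection
actually protect the data it carries.

Added example for this article, not code from Centigen or Comodo.  The
function names, finding codes and the two sample contexts are our own.
"""
from __future__ import annotations

import ssl

# SSLv3 and TLS 1.0/1.1 are treated as weak; TLS 1.2 is the floor we accept.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2
# Cipher suites with no or broken encryption defeat the purpose of HTTPS.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "EXPORT")


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings as 'CODE: detail' strings; an empty list means the
    context passes every check."""
    findings = []

    # 1. Protocol floor: legacy versions let an interceptor downgrade the
    #    session to something they can break.
    if int(ctx.minimum_version) < int(MIN_ACCEPTABLE):
        findings.append(
            f"MIN_VERSION: minimum protocol is {ctx.minimum_version.name}, "
            f"need {MIN_ACCEPTABLE.name} or later"
        )

    # 2/3. For a client context the server certificate must be validated
    #      and matched to the hostname, otherwise anyone on the path can
    #      present their own certificate and read the traffic.
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("VERIFY_MODE: certificate verification is not required")
        if not ctx.check_hostname:
            findings.append("CHECK_HOSTNAME: certificate is not matched to the hostname")

    # 4. Cipher suites that offer no real encryption.
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(f"WEAK_CIPHERS: {', '.join(weak)}")

    return findings


def backend_context_insecure() -> ssl.SSLContext:
    """Constructed example of the misconfiguration seen when a developer
    'fixes' a certificate error by switching verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allows legacy TLS
    return ctx


def backend_context_hardened() -> ssl.SSLContext:
    """Context a backend should use: system trust store, verification and
    hostname matching on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_ACCEPTABLE
    return ctx


if __name__ == "__main__":
    for label, ctx in (("insecure", backend_context_insecure()),
                       ("hardened", backend_context_hardened())):
        result = audit_tls_context(ctx)
        print(f"{label}: {'FAIL' if result else 'PASS'}")
        for finding in result:
            print("  -", finding)
```

Run it as a script and the insecure context reports three findings (protocol floor, verification, hostname matching) while the hardened one passes. The same checks apply to any HTTP library wrapper that exposes its context; the common `verify=False` shortcut produces exactly the first context.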
Payment Card Industry Data Security Standard or PCI-DSS Compliant Data Center Hosting
The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard aimed at any company that handles payment cards. PCI compliance is important as it sets a high standard of security for your customers’ data. It shows your customers that you take security seriously and that they can trust you with their sensitive financial data. Being compliant with a standard developed around payment card information gives you much better protection from the increasing threat of sophisticated cybercriminal activity. It helps you to build a more holistic security strategy, ultimately safeguarding your company finances from insurance and damages claims, as well as protecting your reputation and brand.
Payment card data that is held in a data center should be compliant with the PCI-DSS standards. This means the data center must have been configured to meet the PCI standards. However, anyone utilizing the services of a PCI compliant data center must also, themselves, provide evidence that they can meet the accreditation levels of PCI-DSS. This evidence of compliance requires a detailed knowledge of the regulations and the completion of a self-assessment questionnaire (SAQ). The SAQ covers PCI-DSS requirements 9.1 to 9.4 and asks questions such as:
- Is physical access to publicly accessible network jacks restricted?
- Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
- Are all visitors authorized before entering areas where cardholder data is processed or maintained?
And so on.
In addition to completing a SAQ, PCI scanning is required. PCI scanning is a periodic requirement that must be carried out by an approved scanning vendor, such as Comodo. A PCI scan identifies misconfigurations and vulnerabilities in websites and other Internet-facing IT systems. PCI scans are invaluable for ensuring that your systems are PCI compliant and security is optimized. They can recognize issues such as patch management problems and web security measures that have not been implemented correctly.
PCI scanning is a highly specialized task and must always be carried out by an approved vendor.
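To make "web security measures that have not been implemented correctly" tangible, here is an added example, written for this article and not code from Centigen, Comodo or any approved scanning vendor. It runs scanner-style checks over a raw HTTP response: version disclosure in the `Server` banner (what a scanner uses to spot patch management problems), a missing or short-lived `Strict-Transport-Security` header, and session cookies set without `Secure` or `HttpOnly`. The finding codes are our own and both sample responses are constructed.

```python
"""Scanner-style check of an HTTP response for the web security measures a
PCI scan looks at: HSTS, cookie flags and software version disclosure.

Added example for this article, not code from Centigen or Comodo; the
finding codes are our own and both sample responses are constructed.
"""
from __future__ import annotations

import re

# A version number after a slash, e.g. "Apache/2.2.15" or "PHP/5.3.3".
VERSION_RE = re.compile(r"/\d")
HSTS_MIN_AGE = 31536000  # one year, the usual recommendation


def parse_response(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (name, value)
    header pairs; duplicates such as several Set-Cookie lines are kept."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():           # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def scan_response(raw: str) -> list[str]:
    """Return findings as 'CODE: detail' strings; empty means no issues."""
    _, headers = parse_response(raw)
    findings = []

    for name, value in headers:
        # A version banner tells a scanner (and anyone else) exactly which
        # software is running, so out-of-date components are easy to spot.
        if name == "server" and VERSION_RE.search(value):
            findings.append(f"SERVER_VERSION_DISCLOSED: {value}")

    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        # Without HSTS a browser will still follow a plain-HTTP link or
        # a downgraded redirect to the site.
        findings.append("MISSING_HSTS: no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"HSTS_SHORT_MAX_AGE: {hsts[0]}")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:        # cookie would also be sent over plain HTTP
            findings.append(f"COOKIE_NOT_SECURE: {cookie}")
        if "httponly" not in attrs:      # cookie readable by any injected script
            findings.append(f"COOKIE_NOT_HTTPONLY: {cookie}")
    return findings


# Constructed sample: an unpatched stack with no transport hardening.
INSECURE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS) PHP/5.3.3
Set-Cookie: SESSIONID=abc123; Path=/
Content-Type: text/html
"""

# Constructed sample: same page served the way a scan expects.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("insecure", INSECURE_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        result = scan_response(raw)
        print(f"{label}: {'FAIL' if result else 'PASS'}")
        for finding in result:
            print("  -", finding)
```

The insecure sample yields four findings and the hardened one none. A real approved scan goes much further (it probes every exposed service and compares banners against known-vulnerable versions), but these header checks are the ones a site owner can run against their own deployment before the scan does.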
Making your ecommerce site secure and compliant
The creation of a secure and compliant ecommerce site is a specialized task. Centigen and Comodo have the specialist knowledge and experience to take your ecommerce site and get it to the standards needed in a landscape of increasingly sophisticated cyber attacks. Our seasoned professionals understand the complexities of web security methodologies and their correct implementation.
We build a site that you and your customers can depend upon to protect their payment card data and that allows you to develop a trusted environment between yourselves and your customers.
- Email: firstname.lastname@example.org
- Tel: +44 (0) 7718160026