Tips For Avoiding An E-Commerce Security Breach
Thursday, January 2, 2014
Right in the middle of the busiest shopping season of the year, Target was struck with a huge security breach. Millions of customers who swiped their credit or debit card at Target between the dates of November 27 and December 15 were at risk of having their private data stolen.
The incident with Target is just one of 600 data breach incidents in 2013. Data theft is a very real threat in the modern world. It can happen at the point of sale, as in Target’s case, but it can also happen on your website.
Does your nonprofit website include an e-commerce component? Can visitors make a donation, pay an event registration fee, or purchase something directly on your website, using their credit card? If the answer is Yes, then it’s your responsibility to make sure their private cardholder data is secure.
Below you will find some basic information regarding securing your credit card processing. However, you should only view this blog post as a starting point and confer with your technology providers, bank, merchant service provider, attorney, accountant and insurance agent.
Best Practices For Secure Credit Card Processing On Your Nonprofit Website
Follow PCI Standards
The first step in preventing data theft is to make sure your e-commerce software, and the way you have set it up, is compliant with PCI DSS, the Payment Card Industry Data Security Standard.
The standard is maintained by the PCI Security Standards Council, which was founded by the five major card brands: Visa, MasterCard, American Express, Discover and JCB. New versions have come out roughly every three years (version 3.0 was published in November 2013). Any organization that stores, processes or transmits cardholder data is required, through its agreement with its acquiring bank, to comply. If your organization suffers a breach and the forensic investigation finds that you were not compliant at the time, you can face fines from the card brands, the cost of the investigation and of reissuing cards, and possibly the loss of your ability to accept cards at all.
PCI standards include:
- Stored cardholder data must be protected: the PAN must be rendered unreadable wherever it is kept (strong encryption, truncation, or a token issued by your payment processor), and cardholder data must be encrypted whenever it crosses open, public networks such as the Internet.
- NEVER store the card verification code (CVV2/CVC2/CID), full magnetic-stripe data or PIN after authorization, even if encrypted. You may use the code to authorize the transaction, but it must not end up in a database, a log file or a backup afterwards.
- NEVER send unprotected PANs (Primary Account Numbers) by end-user messaging technologies such as email, instant messaging or chat. A masked number (first six and last four digits at most) is all that should ever appear in a message or on a receipt.
- Keep your e-commerce software, and the web server, database and operating system beneath it, patched to the current version; the standard expects critical security patches to be applied within a month of release.
- Limit access to cardholder data to staff who need it to do their job. Assign a unique login ID to each member of your team, never a shared or generic account, so that every action in your e-commerce software can be traced to one person.
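As an added example (not code from the original post, and not Accrisoft's or any processor's code), the following Python puts the data-handling rules above into practice: it keeps only a masked PAN and drops the CVV after authorization, uses the Luhn check so that ordinary long numbers are not mistaken for cards, and scans a message for unmasked card numbers before it is sent by email or chat. The form field names are hypothetical, and the card numbers are constructed test values, not real accounts.

```python
"""Card-data handling helpers illustrating the PCI DSS rules above.

Added example; field names and card numbers are constructed for the demo.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
_CARD_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(s: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return "".join(c for c in s if c.isdigit())


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used by all major card brands.

    It rejects most typos and most random digit strings; it is not proof
    that a number is a live card, only that it is shaped like one.
    """
    digits = [int(c) for c in _digits(number)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def record_for_storage(form: dict) -> dict:
    """Return the only card-related fields that may be kept after authorization.

    `form` is the dict posted by the checkout page (hypothetical field names:
    card_number, expiry, cvv, processor_token).  The CVV and the full PAN are
    deliberately not copied; the processor's token stands in for the card.
    """
    pan = _digits(form["card_number"])
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    return {
        "masked_pan": mask_pan(pan),
        "expiry": form["expiry"],
        "processor_token": form.get("processor_token"),
    }


def find_unmasked_pans(text: str) -> list:
    """Return the Luhn-valid card-like numbers in `text`, masked for reporting.

    Run this over an outgoing e-mail or chat message; a non-empty result means
    the message must not be sent as-is.  Expect occasional false positives
    (some order or phone numbers happen to pass Luhn); false negatives matter more.
    """
    hits = []
    for m in _CARD_LIKE.finditer(text):
        if luhn_valid(m.group(0)):
            hits.append(mask_pan(m.group(0)))
    return hits


if __name__ == "__main__":
    # Constructed checkout submission; 4111... is the standard Visa test number.
    posted = {"card_number": "4111 1111 1111 1111", "expiry": "12/25",
              "cvv": "123", "processor_token": "tok_example"}
    print(record_for_storage(posted))
    draft = "Hi, the card 4111 1111 1111 1111 was declined; order 1234567890123."
    print("unmasked PANs in draft:", find_unmasked_pans(draft))
```

The scanner is the piece most organizations lack: a support volunteer pasting a donor's card number into a reply is exactly the "unprotected PAN by end-user messaging" case the standard forbids, and a check at the point of sending catches it before it leaves.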
More helpful resources for getting PCI compliant:
- Make sure the e-commerce and payment software you're using is compliant. The PCI Security Standards Council publishes a list of validated payment applications; check that yours, at the version you are actually running, is on it.
- Assess your compliance on a regular basis. Depending on how payments are integrated, you can do this with the appropriate PCI DSS Self-Assessment Questionnaire (SAQ; a site that hands the customer off to a processor-hosted payment page qualifies for the much shorter SAQ A), by working with a Qualified Security Assessor (QSA), or by having an Approved Scanning Vendor (ASV) scan your Internet-facing systems quarterly where your SAQ requires it.
So the big question is, was Target PCI compliant? That remains to be seen. But in many breaches the victim had passed its most recent assessment: compliance is a point-in-time snapshot, not a guarantee of security. That's why it's important to supplement your PCI compliance tactics with the following additional best practices.
Require a strong password to login to your website.
Many e-commerce programs allow users to create a personal account so they can return to the website for multiple transactions. Make sure the password each user creates is strong, that the rules are enforced on the server (not only by a script in the browser, which a visitor can bypass), and that the site stores only a salted hash of the password, never the password itself.
A strong password contains:
- At least seven characters
- A combination of uppercase and lowercase letters
- A number
- A symbol that can be found on the keyboard, such as ? or !
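As an added example (not from the original post), here is a server-side check for the rules just listed, written in Python. It returns the list of requirements a candidate password fails, so the registration form can tell the user what to fix; an empty list means the password is acceptable. It goes one step beyond the list by optionally rejecting a password that contains the account name, and the minimum length is a constant so it can be raised (seven is the PCI DSS floor for system accounts; longer is better). The sample passwords are constructed.

```python
"""Server-side password policy check for customer accounts (added example)."""
import string

MIN_LENGTH = 7                              # PCI DSS minimum; raise it if you can
KEYBOARD_SYMBOLS = set(string.punctuation)  # ? ! @ # $ and the rest of the US keyboard


def password_problems(password: str, username: str = "") -> list:
    """Return the requirements `password` does not meet (empty list = acceptable).

    `username` is optional; when given, a password containing it is rejected,
    a common-sense addition not in the list above.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("a number")
    if not any(c in KEYBOARD_SYMBOLS for c in password):
        problems.append("a keyboard symbol such as ? or !")
    if username and username.lower() in password.lower():
        problems.append("no part equal to the account name")
    return problems


def is_strong(password: str, username: str = "") -> bool:
    """True when the password satisfies every rule."""
    return not password_problems(password, username)


if __name__ == "__main__":
    # Constructed examples of what a registration form might receive.
    for pw, user in [("Donate!2014", "maria"), ("donate2014", "maria"),
                     ("Ab1!", "maria"), ("Maria!2014", "maria")]:
        missing = password_problems(pw, user)
        print(f"{pw!r}: {'ok' if not missing else 'needs ' + ', '.join(missing)}")
```

Call this in the request handler that creates or changes the account, after the browser-side check; only the server's verdict counts.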
Secure your online store with SSL encryption
SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), which is what current browsers actually negotiate, encrypts a visitor's private information while it travels between the browser and your server, so it cannot be read or altered on the way. If a page is served over SSL/TLS, a padlock appears in the browser's address bar and the address begins with https://. Make sure every page of the checkout flow, not only the one that accepts the card number, is served this way, and redirect plain http:// requests to https://. Keep in mind that the padlock shows only that the connection is encrypted and the certificate matches the site name, not that the site itself is secure.
Never print out customers’ credit card information.
Having a hard copy makes it far too easy for someone to steal. Ideally you keep no copy of the card number at all: let your payment processor hold the card and give you a token or transaction ID to reference instead. If you must keep a record, it should be only the masked or encrypted form the PCI standards describe, in a system with restricted access, never on paper.
Provide security training to staff
Communicate these data security practices to your entire team. Make sure they understand the importance of PCI compliance and the consequences of failing to protect cardholder data.
The Future Of E-Commerce Security
As disastrous as the Target security breach was, there is a silver lining. Data security experts now have even more reason to turn their attention to improving and strengthening current PCI standards and security software. Hopefully we’ll see increased data protection soon.
Target’s security breach has also served as a valuable reminder of the importance of e-commerce security. Today’s post is in no way a complete guide to protecting consumer data, but it’s a good place to start.
Here at Accrisoft, we power our customers' e-commerce using the Accrisoft Freedom Content Management System. Accrisoft Freedom makes PCI compliance easier by integrating with the Authorize.Net Server Integration Method (SIM), a PCI compliant hosted payment page from Authorize.Net, a CyberSource company. Because the card number is entered on Authorize.Net's page rather than on your own, it never passes through your website, which greatly reduces the scope of your PCI obligations.