How Secure is Your Store?

July 17, 2006

According to Aaron Biddar, president of Control Scan, 40% of e-commerce sites comply with MasterCard’s standards for data protection — and he considers that number optimistic. (http://www.ecommercetimes.com/story/51756.html)

Most store owners aren’t aware that there are established standards for protecting customers, but they all know it’s important. Getting hacked or inadvertently leaking customer data is almost always the end of an online shop — not only do customers loose trust, but the business risks having their ability to process credit cards revoked.

With the risks so high, why is compliance so low? Three big reasons:

  • Lack of awareness. The standards are typically not emphasized or included in merchant account contracts, compliance audits are practically unheard of, and standards generally aren’t brought to the attention of business owners until after something has gone wrong.
  • Too many standards. Visa has a standard. MasterCard has a standard. American Express and Discover have standards. There are government privacy and accounting standards (HIPAA, Sarbanes-Oxley). There are even standards that are combinations of different standards.
  • High learning curve. Data security is a highly technical issue. The typical business owner doesn’t understand firewalls, encryption standards, or application security, and neither do their customers. It’s simply not possible to educate everyone about every aspect of security.

Where To Start?

The best first step to securing an e-commerce shop is to put someone in charge of security, preferably someone on staff who has some technical knowledge of how your site works and how it’s hosted. The person should also have a good rapport with staff who interact with your website and customers. It’s important to make this an official role in your business, rather than an afterthought looked after by whomever has a spare moment.

Download, print, and keep handy a copy of the Payment Card Industry Data Security Standard (PCI-DSS) — the closest thing there is to an industry standard, and the most likely to be enforced by Visa and MasterCard. Although the PCI-DSS is fairly technical, it’s important for your security person to understand the essential components and concepts. If they don’t, it’s worth while to contract a third party to help them through the learning curve, and assist with issues specific to your web site. Finding the right person is worth writing another article about — in the meantime, feel free to ask me questions.

Talk with your vendors. The PCI-DSS has requirements that may not be possible to meet — limitations imposed by your e-commerce platform, hosting company, or other third party vendors may make it impossible to know whether or not you can actually meet the criteria of the PCI-DSS. Savvy vendors should be able to offer solutions and advice to help you gain compliance, and those who know nothing about PCI-DSS should become aware of the issues it raises.

What’s Next?

The consortium behind the PCI-DSS is revising the standard in the next few months, based on feedback from vendors. The changes aren’t expected to be particularly radical, and the core principals still apply, so the current PCI-DSS is still a very good guide to protecting customer data.

I’ll post an update when those changes are published.

Are You Experienced?

I’m interested in hearing from people and vendors who have experience helping e-commerce sites become PCI-DSS compliant — I work with a lot of e-commerce shops, and I’m always looking for vendors to refer clients to. Thanks!

3 Responses to “How Secure is Your Store?”


  1. Nice article. I own Renown Merchant (http://www.renownmerchant.com) and have gone through the PCI-DSS documents to make sure that we adhere to the guidelines. I think it’s good that VISA, MasterCard, etc… force companies like mine to ensure data is being protected and handled properly because it’s good for everyone and reminds store owners in particular that an SSL certificate isn’t the end all security solution. Server security and proper data handling/protection is just as, if not more, important that browser security.

  2. Peat Says:

    Tim: I completely agree that there’s more to security than an expensive VeriSign certificate. I think it’s important that merchants understand that services such as yours are only part of the equation, and that they have to be aware of how orders are handled and who accesses customer information within their organization. That said, having compliant vendors is very important, because merchants have very little (if any) control over what goes on inside of your systems.

  3. Aaron Biddar Says:

    I would love the opportunity to speak with anyone who needs assistance in both understanding and achieving compliance.

    Aaron Biddar
    President
    ControlScan


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: