What is an ecommerce site owner’s worst nightmare?
– Is it shopping cart abandonment?
– Or the Lack of visitors on their website?
– Maybe its the inability to create a perfect omni-channel experience
– Or it could just be tough competition from big ecommerce giants
You got it wrong. These business challenges prevail in every industry and a merchant can overcome them by building a strong business strategy, market research, robust internet marketing and customer analysis. However, when having an ecommerce business, if you are not thinking about security breach, hacking or data theft, you are in for a rough ride. Not a single day passes by without us hearing about website hacking or thefts of credit card information and other sensitive data from ecommerce sites.
As a site owner, you have both a moral and a legal obligation to protect your customers from unscrupulous hackers looking to steal information. Money is not the only point of gratification for hackers. They enjoy the destruction they cause – whether it is putting a sick message on your site or destroying customer’s confidential accounts. In most cases, hackers simply enjoy ruining your reputation.
You can tackle business challenges, but it is unfortunately very difficult to overcome the havoc a hacker can do to your website. There is no option to hit the undo button. However, you can take steps to prevent hackers from attacking your website. One such step in the right direction is Payment Card Industry Data Security Standard (PCI DSS).
What is PCI DSS?
PCI DSS is a set of requirements designed to ensure that ALL
companies that process, store
credit card information, maintain a secure environment. The PCI SSC (www.pcisecuritystandards.org
), an independent body created by the leading payment card brands (Visa, MasterCard, American Express, Discover and JCB) administers and manages all PCI DSS.
I am a small ecommerce storeowner. Is PCI DSS for me?
PCI DSS applies to ANY organization no matter the size or merchant (who has a Merchant ID (MID), irrespective of the number of transactions that they accept, transmit or whether or not they store cardholder information in any form. It is applicable to all types of card payments: online, by mail, over the phone and even when using card machines.
What happens to organizations violating PCI?
Businesses found to be out of compliance with PCI may be subject to fines by the entity used to process credit card transactions. For such businesses, in case if theft of credit card data occurs due to their negligence, there is a possibility of much larger fines and fees. Banks and card brands are required to report the breach, which often results in the event making the news for all the wrong reasons.
Does having an SSL certificate mean that I am PCI compliant?
No. SSL certificates cannot secure a server from vicious attacks or intrusions. In addition to obtaining SSL protection, it is recommended that your ecommerce website is PCI compliant. Merchant who accept debit / credit cards, whether offline and online, must comply with the guidelines the PCI Security Standards Council enforces, to ensure they keep every customers payment data secure. Merchants face tough penalties in case of non-compliance.
What are the PCI compliance ‘levels’ and how are they fixed?
PCI compliance levels are based on Visa transaction volume across a 12-month period, and so fall within one of the four merchant levels provided below.
|1||Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year; Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.|
|2||Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.|
|3||Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.|
|4||Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.|
A merchant must complete the following steps to fulfill PCI’s requirements:
– Determine an appropriate Self Assessment Questionnaire (SAQ) for your business needed to validate compliance.
– Complete the Self-Assessment Questionnaire.
– Complete and obtain evidence of passing a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Scanning is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
– Complete the relevant Attestation of Compliance.
– Submit the SAQ, proof of a passing scan (if applicable), and the Attestation of Compliance, as well as any other requested documentation.
As an advisor with PCI DSS expertise, we can help you develop a comprehensive security program to meet your PCI DSS compliance requirements. Our PCI DSS consulting services include:
– Conducting vulnerability scan
– Performing penetration tests to check defenses
– Analyzing web applications code
Some Tips To Follow:
– Cultivate habit of changing your admin password every 90 days. It is good security practice
– Never store your passwords on Browser – So next time when next browser ask you to store password – Say ‘Never”
– Don’t share your hosting account, FTP,SFTP passwords with anyone or give it third party.
– Consult your developer to restrict access of your admin. Remember prevention is better than cure.”