Electronic security has always been a hot topic, especially when it’s related to consumers’ personal or payment information. High profile breaches like Target and Sony PlayStation have confirmed it isn’t just small or unknown businesses consumers need to be concerned about.
Ecommerce Security: A History
Back in 2006, the payment card industry (MasterCard, Visa, American Express, etc.) created a council called the “Payment Card Industry Security Standards Council,” or “PCI.” The council released a body of standards known as the “PCI Data Security Standards,” or “PCI DSS.” The PCI DSS consisted of 12 primary requirements, with over 300 sub-requirements as of version 3.0.
The way it was supposed to work: Merchants agree to certain terms in order to be allowed to accept each type of credit card. PCI leverages those agreements to mandate merchant compliance to PCI DSS. Then, if credit card or other personal information is stolen from a noncompliant merchant, PCI can fine the merchant extensively.
This all sounds good in practice, but the PCI DSS were so thorough (as they should be), the cost for small merchants to be compliant was prohibitive. Most merchants made little to no effort to adhere to the standards, and the PCI never aggressively enforced the standard.
What we ended up with was an organization set up primarily as a CYA (cover-your-ass) mechanism so that if cardholder data were stolen, the PCI could shift blame by pointing to violations in their standards. To be honest, PCI standards are so difficult to follow that even companies that dutifully attempt to comply with the DSS could be found lacking after a breach.
Back then, so few merchants had proper security — including intrusion detection software/systems (IDS) — that even if they were breached, they likely wouldn’t know about it, and it’s unlikely the perpetrator would have made an announcement. The only way these types of events were discovered and traced back to merchants was a correlation of data by the card issuer.
Ecommerce Security Today
Although there’s been some improvement in data and software security, it isn’t as dramatic as you might think. From my perspective, the biggest change today is awareness — merchants are realizing there are people out there that want their customer data.
As a service provider, Atlantic BT is keenly aware of the risks associated with storing credit card and personal data. We maintain a cyber liability policy — something to look for in your service providers — and do not allow credit card information to be stored on the systems we own or manage without an acceptance of risk and liability by the business.
So where does that leave customers? The short answer is: Better off. Only in very rare cases is it actually necessary to store credit card information, because credit cards can be processed without long-term storage — removing the temptation for attacks by miscreants. Even recurring payments can be handled with a unique identifier token used to reference a credit card stored on a merchant gateway (which is a secure credit card processor).
Ecommerce Security Tips for Business Owners and Executives
As a site owner, you’re responsible for the security of the data transmitted or stored on your site, server and/or network. Your customers and the PCI don’t have a relationship with your contractors, web developers, data center vendor, etc., so if there’s a problem, they’re going to expect you to make it right — and that might cost you a lot of money.
Use this checklist to protect your customers — and yourself — from theft and financial loss:
- Only work with vendors who understand cybersecurity and carry appropriate insurance coverage for the type of work they do.
- Perform regular security audits — and make sure you set up automated logging and intrusion detection.
- Perform regular audits of your security and make sure you have automated logging and intrusion detection setup.
- Do not store credit card and personal information longer than necessary. We recommend recurring payments be processed using tokens for third party gateways that are secured for long-term credit card storage.
