Online shopping cart security is a big issue in today’s world of credit card and identity thieves.
You must take measures to protect yourself and your customers. Fortunately, a security standards organization called the PCI Security Standards Council, formed in 2006, has created a set of standards that will help you ensure that your customers' data is secure.
These standards include the following categories:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
Sounds like a lot of big words, huh?
How can I make this easy?
If you’re taking credit card payments directly on your site and storing credit cards on your server, this is a very big deal for you and you must take responsibility for complying with each of these standards.
However, as a small online merchant, you can set up your system so that the heavy lifting falls to someone with stronger arms.
One way to do this is to set up PayPal Payments Standard to handle all your credit card transactions. Your buyers place their purchases in the cart on your site, then are taken directly to PayPal's servers to check out. Once they have submitted their credit card or PayPal information and made their purchases, they are sent back to your site. PayPal takes care of all the security details so you don't have to.
If you're a larger merchant and you've set up a merchant account with Authorize.net, you can still let the big guys do the heavy lifting. You just need to check with your online store provider and Authorize.net to find out how your system is accepting payments. You will want to make sure that your system is using one of the following methods to connect with the payment gateway:
- Authorize.Net’s Simple Checkout (You create order buttons that you install on your site and customers click to purchase. Typically used for sites that take donations or sell one item per order.)
- Server Integration Method (SIM) (A secure, hosted payment gateway for merchants without an SSL certificate. All data is received on the Authorize.net site.)
- Automated Recurring Billing (ARB) (Subscription data is stored and processed on Authorize.net's secure servers, not on yours.)
- Customer Information Manager (CIM) (Allows you to store customers' payment information on Authorize.net's secure servers, and handles payment processing for returning customers and recurring transactions.)
Any of these methods will lead your customers to Authorize.net's servers to input critical payment details and then lead them back to your site once payment is completed.
Can I wash my hands of PCI Compliance?
Does this mean that you don’t have to worry about PCI compliance once you are using one of these methods? No! You still need to make sure you’re meeting these standards with your own servers and your home or office network. However, you’ve just greatly reduced your liability by letting the payment processors do what they do best.
You still need to make sure that you:
- Change default passwords and usernames (such as “admin”) when you install your shopping cart software
- Remove vulnerable portions of your software, such as the install directory (check with your software provider or web developer on this one)
- Avoid storing cardholder data on your site or on an unencrypted server
- Check to make sure your software does not have security flaws that allow "SQL injection," which attackers use to read or alter your database through the form fields on your site
- Update your software in a timely manner, especially when security updates and patches are released
- Make sure you log user activity in your online store files
- Frequently review your logs for suspicious activity
- Regularly perform vulnerability scans (ask your software provider and host for information on how to do this, or if they are completing this step for you)
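The "SQL injection" item above is easier to check for once you have seen what the flaw looks like in code. The following is an added example written for this post, not code from any shopping cart product: it builds a small constructed customer table in an in-memory SQLite database and runs the same lookup two ways. The vulnerable version pastes the form value into the SQL text, so a value containing quotes and `OR` changes the query and returns every customer; the safe version passes the value as a parameter, so it can only ever match literally. The table layout and sample customers are assumptions made for the demonstration.

```python
import sqlite3


def build_store_db():
    """Constructed stand-in for a shopping cart's customer table (not a real store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password_hash) VALUES (?, ?)",
        [
            ("alice@example.com", "hash-a"),
            ("bob@example.com", "hash-b"),
            ("carol@example.com", "hash-c"),
        ],
    )
    return conn


def lookup_customer_vulnerable(conn, email):
    """Flawed: the value typed into the form field is glued straight into the SQL text.

    A value like  ' OR '1'='1  turns the WHERE clause into
    email = '' OR '1'='1', which is true for every row.
    """
    sql = "SELECT email FROM customers WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_customer_safe(conn, email):
    """Hardened: the value travels separately from the SQL as a bound parameter.

    The database never parses the value as SQL, so quotes and keywords inside it
    are just characters to compare against the email column.
    """
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare_lookups(email):
    """Run both lookups on the same input and return the row counts side by side."""
    conn = build_store_db()
    return {
        "vulnerable_rows": len(lookup_customer_vulnerable(conn, email)),
        "safe_rows": len(lookup_customer_safe(conn, email)),
    }


if __name__ == "__main__":
    print("normal input:", compare_lookups("alice@example.com"))
    print("injection probe:", compare_lookups("' OR '1'='1"))
```

When you review your own store's code (or ask your developer to), the thing to look for is exactly the difference between these two functions: any place where a request value is concatenated or formatted into a query string should be rewritten to use bound parameters the way `lookup_customer_safe` does.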
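The logging, log review and install-directory items above can be tied together in one small script. The following is an added example written for this post, not a tool from any store software or hosting provider: it parses a handful of constructed web server access log lines (the addresses, timestamps and paths are made up for the demonstration) and flags three things a small merchant would want to know about: any request to the install directory that should have been removed, a burst of failed admin logins from one address, and SQL syntax turning up inside a form or query value. The log format is the common Apache/nginx "combined" layout; the thresholds and path names are assumptions you would adjust to your own store.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access log for a small store (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /install/index.php HTTP/1.1" 200 812
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /admin/login.php HTTP/1.1" 401 301
198.51.100.9 - - [10/Oct/2023:13:56:09 +0000] "POST /admin/login.php HTTP/1.1" 401 301
198.51.100.9 - - [10/Oct/2023:13:56:18 +0000] "POST /admin/login.php HTTP/1.1" 401 301
198.51.100.9 - - [10/Oct/2023:13:56:27 +0000] "POST /admin/login.php HTTP/1.1" 401 301
198.51.100.9 - - [10/Oct/2023:13:56:35 +0000] "POST /admin/login.php HTTP/1.1" 401 301
198.51.100.9 - - [10/Oct/2023:13:56:44 +0000] "POST /admin/login.php HTTP/1.1" 401 301
192.0.2.5 - - [10/Oct/2023:13:58:02 +0000] "GET /product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4100
192.0.2.77 - - [10/Oct/2023:13:59:10 +0000] "GET /product.php?id=42 HTTP/1.1" 200 4100
"""

# One "combined"-format access log line: address, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# SQL fragments that have no business appearing in a product id or search box.
SQL_PROBE_RE = re.compile(r"('\s*(or|and)\s*'|union\s+select)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %27 etc. so the checks see the real value
    return rec


def review_log(lines, failure_threshold=5, window=timedelta(minutes=5)):
    """Scan log lines and return a list of findings worth a human look."""
    findings = []
    failed_admin_logins = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: the install directory should be gone; any hit means it is still there.
        if rec["path"].startswith("/install/"):
            findings.append({"rule": "install-dir-access", "ip": rec["ip"], "detail": rec["path"]})
        # Rule 2: collect rejected admin logins per source address for the burst check below.
        if rec["method"] == "POST" and rec["path"].startswith("/admin/") and rec["status"] in (401, 403):
            failed_admin_logins[rec["ip"]].append(rec["ts"])
        # Rule 3: SQL syntax inside a request value is a classic injection probe.
        if SQL_PROBE_RE.search(rec["path"]):
            findings.append({"rule": "sql-injection-probe", "ip": rec["ip"], "detail": rec["path"]})
    # Burst check: `failure_threshold` failures from one address inside `window`.
    for ip, stamps in failed_admin_logins.items():
        stamps.sort()
        for i in range(len(stamps) - failure_threshold + 1):
            if stamps[i + failure_threshold - 1] - stamps[i] <= window:
                findings.append({
                    "rule": "admin-login-bruteforce",
                    "ip": ip,
                    "detail": f"{failure_threshold}+ failed admin logins within {window}",
                })
                break
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG.splitlines()):
        print(f["rule"], f["ip"], f["detail"])
```

Running this against the sample produces three findings: the install directory is still reachable, one address failed the admin login six times in under a minute, and one request carried a SQL probe in the product id. Pointing `review_log` at your real access log (for example via `open(path)`) and running it on a schedule is a workable first version of "frequently review your logs"; the rules are deliberately simple so you can read and adjust them.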
Failure to complete any one of these tasks can lead to disaster for your online small business. Questions? Let me know!