PCI Compliance and Restricting Cardholder Data Access

September 1st, 2009

Part 7 – Restrict access to cardholder data by business need-to-know

Part 7 of the PCI compliance guidelines deals with access to cardholder data. In short, this data must be available only to people whose job requires it, and systems must be in place to ensure the data is not accessible to anyone who should not be viewing it.

Cardholder data should be available only to specific users based on their job, and each of them should have access only to the portions of the data their job requires. A form signed by management must specify exactly what access each individual needs for their job. An automated access control system must also be in place. This system should deny all privileges to everyone by default and grant them to each individual only as their particular job requires.
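The two rules above, default deny and job-based grants to only the portion of the data each job needs, are easy to state and easy to get wrong in code. The following is an added example written for this page, not code from the original post or from any PCI document. The role names, the (resource, action) pairs, the sample record and the card number (the standard Visa test number) are all constructed for illustration; in practice the policy table would be derived from the signed access-request forms.

```python
"""Default-deny, job-based access to cardholder data (Requirement 7).

Added example, not code from the original post. Role names, resource/action
pairs and the sample record are constructed for illustration.
"""
from dataclasses import dataclass

# Every (resource, action) a role is explicitly granted. Anything not listed
# here is denied, so an unknown role, a misspelled role or a new action that
# nobody approved on a form gets nothing.
POLICY = {
    "support":     {("cardholder", "read_summary")},
    "chargebacks": {("cardholder", "read_summary"), ("cardholder", "read_pan")},
    "sysadmin":    {("server", "restart")},   # runs the systems; no need to see card data
}

# Every decision is recorded so access can be reviewed later.
AUDIT_LOG = []


@dataclass(frozen=True)
class CardholderRecord:
    pan: str
    name: str
    expiry: str
    last_order: str


def is_allowed(roles, resource, action) -> bool:
    """Deny unless at least one of the caller's roles explicitly grants the action."""
    allowed = any((resource, action) in POLICY.get(role, ()) for role in roles)
    AUDIT_LOG.append({"roles": list(roles), "resource": resource,
                      "action": action, "allowed": allowed})
    return allowed


def view_cardholder(roles, record: CardholderRecord) -> dict:
    """Return only the portion of the record the caller's job requires."""
    if not is_allowed(roles, "cardholder", "read_summary"):
        raise PermissionError("no business need-to-know for cardholder data")
    view = {
        "name": record.name,
        "expiry": record.expiry,
        "last_order": record.last_order,
        "pan_last4": record.pan[-4:],   # enough to confirm the card with a customer
    }
    if is_allowed(roles, "cardholder", "read_pan"):
        view["pan"] = record.pan        # full PAN only for the disputes job
    return view


# Constructed sample record (4111... is the standard Visa test number).
SAMPLE = CardholderRecord(pan="4111111111111111", name="J. Example",
                          expiry="12/24", last_order="A-1001")

if __name__ == "__main__":
    print(view_cardholder(["support"], SAMPLE))
    print(view_cardholder(["chargebacks"], SAMPLE))
    try:
        view_cardholder(["sysadmin"], SAMPLE)
    except PermissionError as e:
        print("sysadmin:", e)
```

The point to notice is that "sysadmin" is a real, privileged role and still cannot read cardholder data: administering the systems is a different job from needing the data they hold, and the default-deny table makes that the natural outcome rather than something to remember.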

PCI Compliance and Secure Systems

August 27th, 2009

Part 6: Develop and maintain secure systems and applications.

Part 6 of the PCI compliance standards is to develop and maintain secure systems and applications. This can be a difficult task, although it is also one of the most crucial. These days computer crime is a common occurrence, and vendors do their best to keep up with vulnerabilities by patching their software. The first step in maintaining compliance is to ensure that evaluated and tested patches for third-party software are installed.

The next part of this deals with both developing your own software and having a test environment that is separate from the production portion of your information systems. Software for your company must be developed to maintain security when dealing with sensitive information. A separate testing environment is required to ensure that critical data is not exposed during development, and live cardholder data must not be used for testing. Software must be developed in accordance with industry standards, including but not limited to a login/logout system, logging, and maintaining a software development lifecycle. All code should be tested extensively before being made “live.” Another portion of compliance that is tightly coupled to this is maintaining change control procedures.

The final portion of this section of compliance deals with your internet presence. Websites and software exposed to the internet must be thoroughly tested and kept up to date. Industry standards for internet security must be maintained and verified. Finally, there must be a plan in place to review new threats and vulnerabilities on an ongoing basis and address them promptly.

E-commerce and the Economy

June 15th, 2009

In these tough economic times, it may be the perfect time for companies to look into starting or expanding the e-commerce portions of their business. E-commerce affords unique opportunities as more shoppers are leaving their car keys on the kitchen hook and looking for deals online. What are some ideas a business may use to bolster its online sales? The following are some ideas.

Have a website people want to do business with. Alright, I’ll admit this applies in all economic times. However, consider that more potential customers are spending time online these days looking for deals. Does your website get the viewer’s attention? Is it inviting? Does it clearly show what you have available and make it easy to purchase from you? These are some questions a business owner should be asking themselves.

Offer your customers some incentives. If you have customers that have signed up, now is a good time to contact them with personalized and unique offers. If they have done business with you in the past, it is much more likely they will again. Don’t forget about new customers either by offering deals right on your website! Something many customers are attracted to is free shipping. If you can offer free shipping, you make it that much more attractive a deal online.

Offer great customer service. Make sure that your customers or potential customers can reach your business when they have questions or concerns. It is important to have easy to find contact information on your website. Email in particular should be responded to quickly. A FAQ section is extremely useful as many people will like to look for answers themselves if they are already at your website.

PCI Compliance and Virus Protection

May 12th, 2009

Part 5: Use and regularly update anti-virus software or programs.

Part 5 of the PCI compliance standards is to use and regularly update an anti-virus package. The main point of this part of the standard is to use an anti-virus program that effectively detects and deals with viruses. Almost all major anti-virus packages will fulfill this portion. However, an anti-virus system is only as effective as its “signatures.” Anti-virus signature files are the rules used to detect the various threats that these software tools protect against; they are what is downloaded when you update your anti-virus software. Another name for them is detection rules.

It is important to regularly schedule anti-virus updates and run scans. Most anti-virus software will allow you to schedule these tasks so that you don’t have to constantly be watching them. You should however check your anti-virus software from time to time to make sure that it is up to date and that scheduled tasks are completing.

Encrypting Transmission of Cardholder Data and PCI Compliance

April 20th, 2009

Requirement 4: Encrypt transmission of cardholder data across open, public networks

The next part of PCI compliance involves the transmission of cardholder data. The first portion states that a business must use strong cryptography and security protocols such as SSL/TLS or IPSec to protect cardholder data in transit over open, public networks; this applies to the internet, wireless networks, GSM and GPRS. Next, wireless networks that transmit cardholder data must follow industry best practices, chiefly IEEE 802.11i, for authentication and transmission. Finally, never send unencrypted PANs by end-user messaging technologies such as email or instant messaging.
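Two of these rules can be checked in code: whether a client's TLS configuration actually authenticates the other end (encryption without certificate verification buys nothing against an on-path attacker), and whether an outbound email or chat message carries a PAN. The block below is an added example written for this page, not code from the original post. It assumes a current Python 3 `ssl` module; the TLS 1.2 floor is this example's choice and is stricter than the "SSL/TLS" wording of the 2009 text. The sample message and the card numbers in it are constructed test data (4111 1111 1111 1111 is the standard Visa test number), and the PAN pattern, 13 to 19 digits optionally separated by single spaces or hyphens, is an assumption about how PANs typically appear in messages.

```python
"""Requirement 4 checks: a hardened TLS client context, an audit of a context's
settings, and a scanner that flags PANs in outbound end-user messages.

Added example, not code from the original post. Assumes a modern Python 3 ssl
module; the sample message and card numbers are constructed test data.
"""
import re
import ssl


def make_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate, matches it against
    the hostname and refuses anything older than TLS 1.2 (this example's floor)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The common 'make the certificate warning go away' anti-pattern:
    the link is encrypted but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Findings that would make this context fail a Requirement 4.1 review."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


# ---- 4.2: never send unencrypted PANs by email, IM or chat -----------------

# Assumed PAN shape: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): filters order and phone numbers that
    merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return separator-free PANs found in an outbound message."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four visible, so a finding can be reported without
    repeating the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_outbound(text: str) -> dict:
    """Decision for a mail or chat gateway: block the message if any PAN is present."""
    pans = find_pans(text)
    return {"blocked": bool(pans), "masked": [mask_pan(p) for p in pans]}


# Constructed sample: a support email draft that must be blocked, not sent.
SAMPLE_MESSAGE = (
    "Hi, please charge 4111 1111 1111 1111 (exp 12/24) for order 1234567890123456.\n"
    "My old card 4111111111111112 was cancelled last month."
)

if __name__ == "__main__":
    print(audit_tls_context(make_tls_context()))   # no findings
    print(audit_tls_context(make_weak_context()))
    print(check_outbound(SAMPLE_MESSAGE))
```

In the sample only the first number is reported: the 16-digit order number and the mistyped card number both fail the Luhn check, which is what keeps a gateway like this from blocking every invoice. The audit function is the part to keep around, since disabling verification is the change most often made "temporarily" to get a failing integration working.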

Contact Response Time – E-commerce and Customer Service

April 13th, 2009

Having an easy way for your customers to reach you from your online presence is important. Whether it is for inquiries about sales, questions about your product, or looking into an existing order, customers want to be able to reach you. Generally speaking they are also expecting a quick response due to the quick transfer of information that makes internet shopping appealing to begin with.

A good contact form is required on your website. This form should be set up to email someone who reads their email regularly. From my experience I have been most impressed with internet contact responses measured in minutes or hours rather than in days. I think that holds true of most people using the internet. Keeping your email client open all day and setting aside some small chunks of time each day, or responding as you get inquiries, is a great habit that will make your customers happy to do business with you.

A Social Network’s Approach to Advertising

March 13th, 2009

I have always been impressed by an innovation in advertising I have seen mainly at myspace.com. Myspace sells the entire “template” of their site for a given time period. In other words, they design the look and feel of the site around their advertiser. Often this will be an upcoming movie or a new album being released by an artist. It is very hard to miss when a site you regularly frequent changes its look and feel!

Many PC users these days block standard advertising, and some browsers even have this feature built in or available via a plugin. However very few people browse the internet as plain text. Changing the look of your site to suit a paying advertiser is a great idea, and I’m sure one that has proven very popular for Myspace.

Online Commerce Package – Magento

December 29th, 2008

Magento is an ecommerce software package that greatly assists people looking to have an ecommerce site without the cost of custom programming. Magento is feature rich and easily installed. Its greatest strength is its ability to be customized quickly and easily.

Magento offers multiple store fronts, templating options, and skins. Features include many site management tools, marketing tools and optimization, iPhone optimization, search engine optimization, international support, easy checkout options, many shipping options built-in, order management tools, built-in payment methods, customer account and service tools, many catalog management tools and ways to customize items, along with many reporting tools.

More information on Magento can be found at Magento!

Who is responsible for currency conversion differences, the buyer or the seller?

December 8th, 2008

A frequent question in the payment card industry is who is responsible for currency conversion differences when there is a return or an overcharge.

According to Visa/MasterCard, the rule of thumb is that if the refund is for returned merchandise, or the cardholder changed their mind, the currency conversion difference is the responsibility of the cardholder. The merchant must process a return. This of course assumes that the merchant can provide proof that the original transaction was valid and that there is documentation substantiating the refund, if requested.

If the transaction was processed in error, then the merchant should process a reversal instead of a return. The reversal process will eliminate possible currency conversion differences. Reversals can only be submitted by the processor and must be issued within 30 days of the transaction.

Internet Thieves Make Big Money Stealing Corporate Info

November 24th, 2008

A harmless looking posting appeared on a Houston-based technology company’s internal website on a recent Friday afternoon.

A couple of workers saw it, and obeyed instructions to click on a Web link. The posting seemed trustworthy. It was on an employees-only message board. And the link referenced news about a favorite company charity.
By clicking on the link, the workers infected their PCs with a virus that shut down the company’s antivirus defenses, says Don Jackson, director of Threat Intelligence at Atlanta-based SecureWorks, who investigated the break-in.

That Sept. 19 caper underscores an alarming shift in the teeming world of Internet crime.

See the full article in USA Today.