The Security of Your Customers
So I know in the past, we have always talked about credit card security, PCI
Compliance, etc. But I would also like to remind you about your customer's
usernames and passwords. How are these being stored? A lot of shopping carts
will store this information in plain text. If the passwords are being stored
in plain text and you have a server compromised, your users' information might
be readily available for the hackers.
Most shopping will store the information in a database like Microsoft Access, mysql,
or MSSQL. You should be able to view the databases somehow, either though
phpMyAdmin, Microsoft Access, or
Microsoft SQL Server 2000 Desktop Engine (something similar). How you
access this information is usually established when you choose a web hosting
provider. Some will allow you to access the information also via
an Open Database Connectivity (ODBC).
When you are viewing these tables and records, look for the table that stores
your user's information, especially the password table. Are the passwords
encrypted? If not, you should consider getting another shopping cart or
contact the vendor for assistance to enable secure passwords.
A lot of consumers use the same password for everything. While this is a
great risk to them, it is the quickest way for consumers to get to their
information. This is the reason you want to protect them as much as
possible.
Your Shopping Cart Password
First and foremost,
your administrator password should be changed immediately when you start to add
your items. Don't wait until you are going live - you have too much on you
mind by then. Your password should contain letters, numbers and maybe
a couple of extra characters like %, !, *, {, etc. The harder it is for
you to remember, the better.
Did you know that by changing your password from the vendor-supplied password,
you have already met one of the requirements for PCI DSS?
Password Strength and Security
When
new customers are signing up, your website should ask them for a unique
password. And explain to them why your company is asking for this
information.
Password checker
is also a great website to have them check their password strength.
And when asking users to create an account, their session should be in a secure. This will help to protect
them when they are entering their username and
password. Even if you use a third party processor or have one of the
electronic payment gateway's web page handle the transaction, if you are
asking for a password, the page should be secure.
Payment Application Best Practices from Visa
High profile breaches of cardholder data have garnered a lot of attention in the
media. Most of us have read or heard about the 40 million cards that were compromised
at CardSystems, or the 100 million cards compromised at TJX. As a result of these
breaches, the payment industry developed the Payment Card Industry (PCI) Data Security
Standard (DSS). However, complying with the PCI DSS can be complicated and expensive,
especially for smaller merchants. Although we may not read about it in the press,
breaches at smaller merchants occur every day because the payment hardware and software
they use is not compliant with PCI DSS.
In an effort to make compliance with the
PCI DSS a little easier for merchants who
use payment application software, Visa developed the Payment Application Best Practices (PABP). The PABP applies to software
applications that store, process, or transmit cardholder data as part of authorization
or settlement. It does not apply to software developed in-house by merchants since
that would be covered under the merchant’s normal PCI DSS compliance.
Software vendors are required to have their payment applications certified as PABP
compliant by a Qualified Application Security Professional that is employed by a
Qualified Payment Application Security Company. Once compliant, Visa will include
the software vendor and product version in a list of validated payment applications
for one year. Software vendors must re-validate their payment applications each
year to remain on the list.
The PABP mandates are designed to eliminate the use of non-secure/vulnerable payment
applications from the Visa system. They require that members ensure that merchants
do not use applications that retain prohibited data elements and use payment applications
that adhere to Visa’s PABP. If you are using a payment application from a software
vendor that is not PABP compliant then you will not be able to comply with the PCI
DSS.
As of January 1, 2008 new merchants are not allowed to establish a merchant account
using a non-compliant payment application. Existing merchants should check with
their agent or ISO to make sure their payment application is on the list of PABP
compliant applications.