Home > Commerce Insights Blog > Ecommerce Security: PCI, Risk and Cost

Commerce Insights Blog

Ecommerce Security: PCI, Risk and Cost
By jvm
10/26/2009 8:45:00 AM

PCI standards evolve but they do so often at a more languid pace than does the technology itself. Toss in economic considerations and you've got a real Ecommerce conundrum...

Recent literature published in the PCI Knowledge-base examines security and compliance migrations, cost reductions, and virtualization in recessionary times. Ecommerce solution provider ShopVisible offers up insights into its own PCI assessment process while trying to stay on top of recent Ecommerce security news in order to provide its clients and readers a glimpse into the rapidly blossoming arena of Ecommerce payment protection.

For many online merchants, or at least those wrestling with PCI and security measures to protect the CDE or cardholder data environment, the strident 12 requirements of PCI coupled with serious security budgets and IT infrastructure has created headaches and handicapped wallets...especially now. For many, as evidenced in the PCI Knowledge-base's expert’s blog, the arduous compliance process has become tarnished by a "checklist mentality and ineffective implementation and enforcement." It can be argued as a best practice in Ecommerce, or at least in an effort to pass compliance levels, that reducing risk and documenting to assessors that effective controls are in place exudes risk management policy, and thereby can help cut costs during the implementation.

PCI security experts have been discussing sophisticated elements of online commerce and their relation to development of both policy and technology. For instance, with regards to network segmentation and scope, the PCI Knowledge-base notes that “network segmentation is still not a requirement, for some reason, but it’s the single action that will save you the most money in the assessment.” In the PCI 1.2 version, segmentation is discussed and noted as being adequate along with the appropriate network diagrams if in place. One solution available to many merchants with the right budget is a variation of a network monitoring tool. These can “tell you, continuously, of attempts to access specific network resources.” They can in doing so show the assessor the positive impact of your network segmentation policy and thereby quantify risk and help cut back on PCI compliance costs.

Store sampling is another facet of the compliance process and in PCI 1.2, “the goal of the sampling process is to understand the risks posed by stores, since many security breaches originate there…” one here must show the assessor that store policy is commensurate with Ecommerce provider policy and high levels of consistency are maintained constantly again helping to reduce risk and cut costs. Again, automated tools can benefit providers here in an attempt to cut time and costs resources associated with manual configuration management. The PCI Knowledge-base notes that “the ability to place server configuration under change control is valuable for both PCI requirement 2, as well as requirement 10.” Automated tools will often justify a smaller sample size thus again reducing assessment fees.

The latest post from the PCI Knowledge-base also delves into discussion of compensating controls in the Ecommerce eco-system and states that “while compensating controls are too often used as a PCI cost cutting technique by merchants, they are really the heart and soul of risk management relative to PCI…a weak process for documenting and quantifying risk usually shows up in poorly defined compensating controls, which can cause compliance failure and additional assessment and technology costs.”

Basically, PCI compliance is an arduous process for any company regardless of organizational complexity, IT infrastructure and budget size. Above are just a few methods to try and cut back costs. When selecting an Ecommerce provider, it helps to do your due diligence and “in PCI 1.2, there is specific mention of the need to prove due diligence as to risk ‘prior to engaging’ service provider, and need to prove ongoing ‘monitoring’ of compliance status.” Keep monitoring policies up to date and maintain a vigilant stance with regards to data centers. Just because you’re PCI compliant does not mean that a hardened data center will mandate policy to keep you compliant. Prove to your data center, your assessor and to your clients that you care about risk. Show them PCI is an ongoing process and one dedicated to secure online transactions. The more safely your merchants sell, the more they will appreciate all your hard work!

ShopVisible is an Ecommerce solution provider intent on security, integration and SEO.


Currently rated 0 by 0 people

Tags: ShopVisible, PCI, Ecommerce solution, Ecommerce security, PCI Knowledge-base
Categories: SEO, RSS, User Generated Content, Commerce Insights Blog
Bookmark and Share


No Comments have been submitted.

Include comments
 January (1)
Recent Posts
Epicor Completes Acquisition of ShopVisible
  Comments: 0
  Rating: 0 / 0
ShopVisible Reveals 24%Increase in Order Volume on National Free Shipping Day
  Comments: 0
  Rating: 0 / 0
ShopVisible Reveals 24%Increase in Order Volume on National Free Shipping Day
  Comments: 0
  Rating: 0 / 0
Epicor to Acquire ShopVisible™
  Comments: 0
  Rating: 0 / 0
5 Universal Tactics to help Increase Conversions
  Comments: 0
  Rating: 0 / 0
Major Online Retailer Rebrands and Re-launches Responsive Design Site
  Comments: 0
  Rating: 0 / 0
How To Get To Omnichannel…Fast
  Comments: 0
  Rating: 0 / 0
ShopVisible Meets Growing Demands of Mid-Market B2B Sellers
  Comments: 0
  Rating: 0 / 0
Direct Marketing News: [Infographic] B2Bs and B2Cs Are Breaking Bad eCom Habits
  Comments: 0
  Rating: 0 / 0
ShopVisible Expands Omnichannel User Experience
  Comments: 0
  Rating: 0 / 0
Allison Howen (1)
BC (2)
Bharat C (2)
Clint Engel -- Furniture Today (1)
DannieB (32)
e-commerce info (1)
E-Commerce Information (1)
Emma G (1)
Glenn Taylor (1)
Jessica Lee (1)
jvm (19)
Karen Marchione (5)
Kendrick (1)
Kendrick Woolford (2)
Lauren Smith (40)
Marketing (118)
marketing@shopvisible.com (3)
Media Coverage (13)
News (2)
Nithya (1)
PAN Communications (1)
Press Releases (10)
Sean Cook (11)
SEO Information (1)
ShopVisible Marketing (21)
Stacy Shade (7)
The Frog (4)
Webster J Frogg (10)
Will Devlin (11)
Back to top

Contact Us

Tell us a little bit about what you are interested in so we can better serve you

Do you have an RFP you would like us to consider?

Please complete the contact form and indicate that you have an RFP in the message field. When we contact you, we’ll request a copy and respond with a customized solution to meet your needs.

You can get our RFP form here.

Would you like to speak to one of our platform consultants?

Please indicate that you would like to set up a call with one of our team members in the message field of the contact form. We’ll set up a time that’s convenient for you to show you the inner workings of the ShopVisible platform, and answer any technical questions you might have.