Home > Commerce Insights Blog Ecommerce security

Commerce Insights Blog

Subscribe
Ecommerce Security: PCI, Risk and Cost
By jvm
10/26/2009 8:45:00 AM  

PCI standards evolve but they do so often at a more languid pace than does the technology itself. Toss in economic considerations and you've got a real Ecommerce conundrum...

Recent literature published in the PCI Knowledge-base examines security and compliance migrations, cost reductions, and virtualization in recessionary times. Ecommerce solution provider ShopVisible offers up insights into its own PCI assessment process while trying to stay on top of recent Ecommerce security news in order to provide its clients and readers a glimpse into the rapidly blossoming arena of Ecommerce payment protection.

For many online merchants, or at least those wrestling with PCI and security measures to protect the CDE or cardholder data environment, the strident 12 requirements of PCI coupled with serious security budgets and IT infrastructure has created headaches and handicapped wallets...especially now. For many, as evidenced in the PCI Knowledge-base's expert’s blog, the arduous compliance process has become tarnished by a "checklist mentality and ineffective implementation and enforcement." It can be argued as a best practice in Ecommerce, or at least in an effort to pass compliance levels, that reducing risk and documenting to assessors that effective controls are in place exudes risk management policy, and thereby can help cut costs during the implementation.

PCI security experts have been discussing sophisticated elements of online commerce and their relation to development of both policy and technology. For instance, with regards to network segmentation and scope, the PCI Knowledge-base notes that “network segmentation is still not a requirement, for some reason, but it’s the single action that will save you the most money in the assessment.” In the PCI 1.2 version, segmentation is discussed and noted as being adequate along with the appropriate network diagrams if in place. One solution available to many merchants with the right budget is a variation of a network monitoring tool. These can “tell you, continuously, of attempts to access specific network resources.” They can in doing so show the assessor the positive impact of your network segmentation policy and thereby quantify risk and help cut back on PCI compliance costs.

Store sampling is another facet of the compliance process and in PCI 1.2, “the goal of the sampling process is to understand the risks posed by stores, since many security breaches originate there…” one here must show the assessor that store policy is commensurate with Ecommerce provider policy and high levels of consistency are maintained constantly again helping to reduce risk and cut costs. Again, automated tools can benefit providers here in an attempt to cut time and costs resources associated with manual configuration management. The PCI Knowledge-base notes that “the ability to place server configuration under change control is valuable for both PCI requirement 2, as well as requirement 10.” Automated tools will often justify a smaller sample size thus again reducing assessment fees.

The latest post from the PCI Knowledge-base also delves into discussion of compensating controls in the Ecommerce eco-system and states that “while compensating controls are too often used as a PCI cost cutting technique by merchants, they are really the heart and soul of risk management relative to PCI…a weak process for documenting and quantifying risk usually shows up in poorly defined compensating controls, which can cause compliance failure and additional assessment and technology costs.”

Basically, PCI compliance is an arduous process for any company regardless of organizational complexity, IT infrastructure and budget size. Above are just a few methods to try and cut back costs. When selecting an Ecommerce provider, it helps to do your due diligence and “in PCI 1.2, there is specific mention of the need to prove due diligence as to risk ‘prior to engaging’ service provider, and need to prove ongoing ‘monitoring’ of compliance status.” Keep monitoring policies up to date and maintain a vigilant stance with regards to data centers. Just because you’re PCI compliant does not mean that a hardened data center will mandate policy to keep you compliant. Prove to your data center, your assessor and to your clients that you care about risk. Show them PCI is an ongoing process and one dedicated to secure online transactions. The more safely your merchants sell, the more they will appreciate all your hard work!

ShopVisible is an Ecommerce solution provider intent on security, integration and SEO.

 


Currently rated 0 by 0 people

Tags: ShopVisible, PCI, Ecommerce solution, Ecommerce security, PCI Knowledge-base
Categories: SEO, RSS, User Generated Content, Commerce Insights Blog
Bookmark and Share
PCI 2010 and Beyond: Ecommerce Security News
By JVM
9/9/2009 11:42:00 AM  
For many Ecommerce merchants processing orders and maintaining a website is an immense time-consuming step to growing a business. Grappling with PCI compliance and delving deeper into its origins, existence and proliferation are another daunting task to say the least.

Recently the NRF or National Retail Federation issued a merchant survey investigating PCI compliance and small online retailers. Out the polled group, 19% of non-compliant merchants said they had little to no understanding of this payment security process that is becoming increasingly imperative today in Ecommerce. Another 26% stated they lacked “the financial or technical resources to meet the standard, which covers a dozen broad areas from physical and network security to protecting” the CDE or cardholder data environment and maintaining commensurately structured security policies. Interestingly however, 86% of those polled claimed to feel somewhat familiar with PCI and its Ecommerce requirements.

A burgeoning problem for many merchants is that PCI standards evolve as do online threats and the emergence of security standards for making online transactions. New requirements are forced upon retailers in an effort to better protect cardholder spending money online. Analogously, PCI is implementing regulatory changes that will also affect payment processors and software providers. In summer 2010, new changes will occur that will dramatically affect both small online merchants and enterprise-size larger retailers alike.

-Pending PCI reqs.: any payment software handling cardholder data must comply with the PCI subset, Payment Application Data Security Standard…
-Pending PCI reqs.2: imposed by MasterCard, all merchants accepting credit cards online and in particular, those larger companies (level II merchants) must use 3rd party auditors to assess their PCI compliance

What does this mean? For starters, smaller merchants will be taking on increased spending in order to remain compliant. Further, larger merchants will have to be assessed by outside parties and done so in a more stringent manner than previous iterations of PCI compliance mandated.

So how can merchants, small or large, reduce the heightened cost of Ecommerce and PCI compliance? Internet Retailer and PCI KnowledgeBase advise not to store cardholder information if at all possible. Currently, under the PCI mandates, only “retailer systems, networks, servers, databases and software-that hold cardholder data fall under PCI.” Maintaining a strict and structured distance from the CDE will encourage PCI audit exclusion for Ecommerce merchants, small or large.


***Chart created from Internet Retailer, “Don’t Look Now.” Don Davis, Sept. 2009, p. 21***



PCI Level
Annual Transaction Volume
IR's no. of Merchants
Compliance Cost

1
6 million cc
362
$450,000-4,400,000

2
1-6 million cc
702
$77,500-470,000

3
20,000-1 million cc/Ecommerce payment
2634
$19,250-72,000

4
under 20,000 Ecommerce; under 1 million total
6 million
under $5000

Rates of Compliance:
1-93%
2-88%
3-57%
4-NA

ShopVisible is an Ecommerce solution based in Atlanta, GA.

Currently rated 0 by 0 people

Tags: ShopVisible, PCI compliance, Ecommerce solution, Ecommerce security, CDE, Internet Retailer, Atlanta SEO
Categories: SEO, RSS, User Generated Content, Commerce Insights Blog
Bookmark and Share
Elements of Ecommerce Data Encryption
By JVM
8/13/2009 7:24:00 AM  
Securing Ecommerce database information is crucial for service providers and storefront hosts in an effort at preventing hacking and ensuring transparent data transfer. For Ecommerce provider ShopVisible, it is both optimal and advantageous to utilize TDE or Transparent Data Encryption. While processes such as these are blossoming continuously, it seems noteworthy to briefly hit upon past versions of the SQL server as well to better illustrate how Ecommerce protection functions have emerged and where the gaps still exist for things like PCI compliance.

SQL 2000: This version carries with it little to no encryption capability; code developers must create unique code for client applications to ensure data encryption.

SQL 2005: Here Microsoft procured a new encryption feature at the column level (or cell level) for sensitive data. In this case development applications encrypt the data at the database level, however, some degree of architectural tweaking is still needed internally to modify the process and to work with the 2005 version.

SQL 2008: This is where TDE comes into play and for companies like ShopVisible, if client database files were to become corrupted or stolen, Microsoft now has implemented new heightened levels of encryption protection in the Enterprise edition.

While the protective features of Transparent Data Encryption can become quite granular, there are several main features to highlight with regards to the ShopVisible Ecommerce platform.

    -merchant files and related data stored in the database are encrypted with real time IO encryption tools thereby ensuring that in order to restore the database, the user must possess the original encryption certificate and the master key

    -database level encryption occurs so the users utilize minimal resources for data retention and protection whereas in the past this was an arduously layered process
   
    -when working with the SQL 2008 version, there is no need for recoding or reconfiguring encryption applications

    -ease of implementation…

    -if in your Ecommerce ecosystem, processes such as database mirroring or log shipping occur naturally, the mutual correspondence between the two databases will be encrypted each and every time log transactions are sent

Upon the enabling (or disabling) of TDE, databases are marked as being encrypted and the server will commence a background thread often deemed an “encryption scan” which will then scan and encrypt all database files. Upon completion, all database files on disk become encrypted as will log files written to disk. At the page level database encryption of files is performed then encrypting the pages before they are ever written to disk and decrypted for memory storage. Utilizing TDE will not increase the database encryption size however.

Microsoft openly states that when enabling TDE, it is imperative for the user to back up both the certificate and private key related to it. If either of these are lost and not backed up in an appropriate manner database entry will not be possible.  Even in the case that TDE is no longer being used in the Ecommerce data transfer process, the encrypting certificate should be held by the developer or technical lead so that other related process can be turned on and off…



ShopVisible is an Atlanta, GA based Ecommerce solution provider intent on security, scalability and reliability.


Currently rated 0 by 0 people

Tags: ShopVisible, Ecommerce solution, Ecommerce security, PCI, TDE
Categories: SEO, RSS, User Generated Content, Commerce Insights Blog
Bookmark and Share
Include comments
Archive
2014
 August (3)
 July (3)
 June (4)
 May (2)
 April (4)
 March (5)
 February (1)
 January (8)
 
2013
 December (13)
 November (12)
 October (3)
 September (2)
 August (3)
 July (6)
 June (3)
 May (2)
 April (1)
 March (11)
 February (3)
 January (5)
 
 
Recent Posts
MultiChannel Merchant: 38% of all eCommerce Site Visits Came From Mobile
  Comments: 0
  Rating: 0 / 0
Retail Online Integration: Site Improvement Tips to Increase Conversions
  Comments: 0
  Rating: 0 / 0
ShopVisible Releases Mid-year Influence & Impact Report
  Comments: 0
  Rating: 0 / 0
Website Magazine: Reducing Cart Abandonment by Building Trust
  Comments: 0
  Rating: 0 / 0
Internet Retailer: Retail Chain Offers B2B Sales on its First eCommerce Site
  Comments: 0
  Rating: 0 / 0
ATWOODS Ranch and Home Stores Launches eCommerce Site, Powered by ShopVisible
  Comments: 0
  Rating: 0 / 0
APICS Magazine: Gearing Up for Omnichannel Commerce
  Comments: 0
  Rating: 0 / 0
Internet Retailer: Customer Reviews Pump Up Online Conversion Rates for 3M
  Comments: 0
  Rating: 0 / 0
Pymnts.com: Why Disruption Could be the Key for B2B Success
  Comments: 0
  Rating: 0 / 0
ShopVisible Presents B2B Omnichannel eCommerce Strategies to IRCE Attendees
  Comments: 0
  Rating: 0 / 0
 
Authors
Allison Howen (1)
BC (2)
Bharat C (2)
Clint Engel -- Furniture Today (1)
DannieB (32)
e-commerce info (1)
E-Commerce Information (1)
Emma G (1)
Glenn Taylor (1)
Jessica Lee (1)
jvm (19)
Karen Marchione (5)
Kendrick (1)
Kendrick Woolford (2)
Lauren Smith (40)
Marketing (118)
marketing@shopvisible.com (3)
Media Coverage (13)
News (2)
Nithya (1)
PAN Communications (1)
Press Releases (10)
Sean Cook (11)
SEO Information (1)
ShopVisible Marketing (11)
Stacy Shade (7)
The Frog (4)
Webster J Frogg (10)
Will Devlin (11)
 
Back to top
 
Close

Contact Us

Tell us a little bit about what you are interested in so we can better serve you

Do you have an RFP you would like us to consider?

Please complete the contact form and indicate that you have an RFP in the message field. When we contact you, we’ll request a copy and respond with a customized solution to meet your needs.

You can get our RFP form here.

Would you like to speak to one of our platform consultants?

Please indicate that you would like to set up a call with one of our team members in the message field of the contact form. We’ll set up a time that’s convenient for you to show you the inner workings of the ShopVisible platform, and answer any technical questions you might have.