ShopVisible Ecommerce Security team has been
undergoing its PCI level one assessment we have become quite familiar with the
late David Taylor via his prodigiously informative PCI Knowledge Base. The
Payment Card Industry and the online security community in general lost a true
scholar recently with the unexpected passing of fifty seven year old David
Taylor, formerly of Protegrity and Gartner.
Those familiar with online Ecommerce security and PCI
compliance have likely read posts from Taylor and heard him warmly and
simplistically address the often misunderstood and esoteric realm of online security
in his webinars. For online security laymen, Taylor provided a perspective that
was grounded in data security standards and payment protection. Companies without
large IT infrastructures and the human resources to undertake such projects as PCI
compliance looked to Taylor for instruction on proceeding with security compliance
and for definition of technical elements like File Integrity Monitoring,
Application Firewalls and Penetration Tests.
David Taylor was indeed an expert in a field incomprehensible
to many. In of his most recent posts from the
PCI Knowledge Base, Taylor delved
deep into Ecommerce security and organizational management as he addressed how
PCI compliance can coalesce with risk management policy to better protect
Ecommerce firms. His erudite approach to safeguarding online business was
transparent and honest and will be well received for years in the fields of security
compliance and online fraud prevention.
evolve but they do so often at a more languid pace than does the technology
itself. Toss in economic considerations and you've got a real Ecommerce conundrum...
Recent literature published in the PCI Knowledge-base examines security and
compliance migrations, cost reductions, and virtualization in recessionary
times. Ecommerce solution provider ShopVisible offers up
insights into its own PCI assessment process while trying to stay on top of
recent Ecommerce security news in order to provide its clients and readers a
glimpse into the rapidly blossoming arena of Ecommerce payment protection.
For many online merchants, or at least those wrestling with PCI and security
measures to protect the CDE or cardholder data environment, the strident 12
requirements of PCI coupled with serious security budgets and IT infrastructure
has created headaches and handicapped wallets...especially now. For many, as
evidenced in the PCI Knowledge-base's expert’s blog, the arduous compliance
process has become tarnished by a "checklist mentality and ineffective
implementation and enforcement." It can be argued as a best practice in
Ecommerce, or at least in an effort to pass compliance levels, that reducing
risk and documenting to assessors that effective controls are in place exudes
risk management policy, and thereby can help cut costs during the
PCI security experts have been discussing sophisticated elements
of online commerce and their relation to development of both policy and technology.
For instance, with regards to network segmentation and scope, the PCI
Knowledge-base notes that “network segmentation is still not a requirement, for
some reason, but it’s the single action that will save you the most money in
the assessment.” In the PCI 1.2 version, segmentation is discussed and noted as
being adequate along with the appropriate network diagrams if in place. One solution
available to many merchants with the right budget is a variation of a network
monitoring tool. These can “tell you, continuously, of attempts to access specific
network resources.” They can in doing so show the assessor the positive impact
of your network segmentation policy and thereby quantify risk and help cut back
on PCI compliance costs.
Store sampling is another facet of the compliance process
and in PCI 1.2, “the goal of the sampling process is to understand the risks
posed by stores, since many security breaches originate there…” one here must
show the assessor that store policy is commensurate with Ecommerce provider
policy and high levels of consistency are maintained constantly again helping to
reduce risk and cut costs. Again, automated tools can benefit providers here in
an attempt to cut time and costs resources associated with manual configuration
management. The PCI Knowledge-base notes that “the ability to place server configuration
under change control is valuable for both PCI requirement 2, as well as requirement
10.” Automated tools will often justify a smaller sample size thus again reducing
The latest post from the PCI Knowledge-base also delves into
discussion of compensating controls in the Ecommerce eco-system and states that
“while compensating controls are too often used as a PCI cost cutting technique
by merchants, they are really the heart and soul of risk management relative to
PCI…a weak process for documenting and quantifying risk usually shows up in poorly
defined compensating controls, which can cause compliance failure and additional
assessment and technology costs.”
Basically, PCI compliance is an arduous process for any
company regardless of organizational complexity, IT infrastructure and budget
size. Above are just a few methods to try and cut back costs. When selecting an
Ecommerce provider, it helps to do your due diligence and “in PCI 1.2, there is
specific mention of the need to prove due diligence as to risk ‘prior to
engaging’ service provider, and need to prove ongoing ‘monitoring’ of compliance
status.” Keep monitoring policies up to date and maintain a vigilant stance
with regards to data centers. Just because you’re PCI compliant does not mean
that a hardened data center will mandate policy to keep you compliant. Prove to
your data center, your assessor and to your clients that you care about risk. Show
them PCI is an ongoing process and one dedicated to secure online transactions.
The more safely your merchants sell, the more they will appreciate all your
ShopVisible is an Ecommerce solution provider intent on security, integration and SEO.
Ecommerce firms and online retailers of varying tiers have a lot to manage these days, especially with regards to things like online security, consumer privacy and PCI compliance. Security deployments vary greatly for Ecommerce agents and their online selling customers. ShopVisible will below present three options for Ecommerce providers in their attempts at becoming PCI compliant on a high level and more imperative for many e-tailers, establishing strident security protocols and procedures either developed in house or from a 3rd party. Concerns for choosing a security solution can vary dramatically depending on the organizational elements of the company such as size, revenue and client base, staffing, security expertise, solution deployment alacrity and ease/comfort with outsourcing items versus internally configuring them. With cloud based security solutions reaching their decade anniversary; many Ecommerce and security experts are going with Software as a Service tools while others opt for on-site solutions and hybrid models. SaaS Ecommerce providers can equip eMerchants with a nearly hands-free approach to online security. Often meant for companies seeking out a "low initial purchase price, a reduced investment in IT, simpler deployments, and quicker upgrades...[SaaS based deployments are] ideal for companies with limited IT staffing and a less technical business focus, including retail services and health care," notes McAfee in its solution brief. Organizations searching for a software as a service solution may have fewer IT resources or time to manage large scale security projects. Support and management are often critical undertakings here and can be indeed a vast challenge for small teams with diverse foci. The initial start-up cost are often lower than other avenues for security as annual subscriptions are typically licensed and no on-site hardware is managed. This permits for off-site vulnerability scanning and penetration testing to remain compliant with processes like PCI DSS... On-site security solution controls can be more malleable and offer more hands-on direction for an company. These often are associated with higher upfront costs and will require a bit more time to maintain and manage. They do however provide greater levels of security customization depending on the organizational needs. If a complex business and security infrastructure exists, one oin which data servers and mail servers are stored on the premises, a robust IT team is employed etc..., then on-site controls may be useful. This model can be more adaptable to changing and growing business needs for eample, in July 2010, when PCI will demand of its compliant supporters, a higher degree of payment card data protection. Hybrid security models in Ecommerce can be best utilized to achieve "maximum flexibility, cost management, and compliance..." notes McAfee. A confluence of on-site measures and off-site data storage can be manipulated here to better support growing companies with expanding data needs. For example, in the case of ShopVisible, whose data centers are present in production, development and backup realms, coexists simultaneously in 2 countries and in 3 regions. Targeted PCI practices like intrusion protection (IPS) and intrusion detection (IDS) are coupled with the off-site penetration test via a hardware box installed in the data center. Blending data storage protection and internally wrought security protocols makes for a seamless and manageable Ecommerce solution. ShopVisible is an Atlana, GA based Ecommerce solution provider located @ 1095 Zonolite Road, 30306.
Ecommerce merchants processing orders and maintaining a website is an immense time-consuming step to growing a business. Grappling with PCI compliance and delving deeper into its origins, existence and proliferation are another daunting task to say the least. Recently the NRF or National Retail Federation issued a merchant survey investigating PCI compliance and small online retailers. Out the polled group, 19% of non-compliant merchants said they had little to no understanding of this payment security process that is becoming increasingly imperative today in Ecommerce. Another 26% stated they lacked “the financial or technical resources to meet the standard, which covers a dozen broad areas from physical and network security to protecting” the CDE or cardholder data environment and maintaining commensurately structured security policies. Interestingly however, 86% of those polled claimed to feel somewhat familiar with PCI and its Ecommerce requirements. A burgeoning problem for many merchants is that PCI standards evolve as do online threats and the emergence of security standards for making online transactions. New requirements are forced upon retailers in an effort to better protect cardholder spending money online. Analogously, PCI is implementing regulatory changes that will also affect payment processors and software providers. In summer 2010, new changes will occur that will dramatically affect both small online merchants and enterprise-size larger retailers alike. -Pending PCI reqs.: any payment software handling cardholder data must comply with the PCI subset, Payment Application Data Security Standard… -Pending PCI reqs.2: imposed by MasterCard, all merchants accepting credit cards online and in particular, those larger companies (level II merchants) must use 3rd party auditors to assess their PCI compliance What does this mean? For starters, smaller merchants will be taking on increased spending in order to remain compliant. Further, larger merchants will have to be assessed by outside parties and done so in a more stringent manner than previous iterations of PCI compliance mandated. So how can merchants, small or large, reduce the heightened cost of Ecommerce and PCI compliance? Internet Retailer and PCI KnowledgeBase advise not to store cardholder information if at all possible. Currently, under the PCI mandates, only “retailer systems, networks, servers, databases and software-that hold cardholder data fall under PCI.” Maintaining a strict and structured distance from the CDE will encourage PCI audit exclusion for Ecommerce merchants, small or large.
***Chart created from
Internet Retailer, “Don’t Look Now.” Don
Davis, Sept. 2009, p. 21***
Annual Transaction Volume
IR's no. of Merchants
6 million cc
1-6 million cc
20,000-1 million cc/Ecommerce payment
under 20,000 Ecommerce; under 1 million total
Rates of Compliance: 1-93% 2-88% 3-57% 4-NA ShopVisible is an Ecommerce solution based in Atlanta, GA.
Securing Ecommerce database information is crucial for service providers and storefront hosts in an effort at preventing hacking and ensuring transparent data transfer. For Ecommerce provider ShopVisible, it is both optimal and advantageous to utilize TDE or Transparent Data Encryption. While processes such as these are blossoming continuously, it seems noteworthy to briefly hit upon past versions of the SQL server as well to better illustrate how Ecommerce protection functions have emerged and where the gaps still exist for things like PCI compliance. SQL 2000: This version carries with it little to no encryption capability; code developers must create unique code for client applications to ensure data encryption. SQL 2005: Here Microsoft procured a new encryption feature at the column level (or cell level) for sensitive data. In this case development applications encrypt the data at the database level, however, some degree of architectural tweaking is still needed internally to modify the process and to work with the 2005 version. SQL 2008: This is where TDE comes into play and for companies like ShopVisible, if client database files were to become corrupted or stolen, Microsoft now has implemented new heightened levels of encryption protection in the Enterprise edition. While the protective features of Transparent Data Encryption can become quite granular, there are several main features to highlight with regards to the ShopVisible Ecommerce platform. -merchant files and related data stored in the database are encrypted with real time IO encryption tools thereby ensuring that in order to restore the database, the user must possess the original encryption certificate and the master key -database level encryption occurs so the users utilize minimal resources for data retention and protection whereas in the past this was an arduously layered process -when working with the SQL 2008 version, there is no need for recoding or reconfiguring encryption applications -ease of implementation… -if in your Ecommerce ecosystem, processes such as database mirroring or log shipping occur naturally, the mutual correspondence between the two databases will be encrypted each and every time log transactions are sent Upon the enabling (or disabling) of TDE, databases are marked as being encrypted and the server will commence a background thread often deemed an “encryption scan” which will then scan and encrypt all database files. Upon completion, all database files on disk become encrypted as will log files written to disk. At the page level database encryption of files is performed then encrypting the pages before they are ever written to disk and decrypted for memory storage. Utilizing TDE will not increase the database encryption size however. Microsoft openly states that when enabling TDE, it is imperative for the user to back up both the certificate and private key related to it. If either of these are lost and not backed up in an appropriate manner database entry will not be possible. Even in the case that TDE is no longer being used in the Ecommerce data transfer process, the encrypting certificate should be held by the developer or technical lead so that other related process can be turned on and off…
ShopVisible is an Atlanta, GA based Ecommerce solution provider intent on security, scalability and reliability.