Archive for the ‘pci compliance’ Category
Posted by websiteverification on November 11, 2010
When you run your own website, you need to be aware of the risk of website vulnerabilities. You spend a lot of time building and maintaining your site, and a successful attack can mean lost data, a defaced or malware-serving site, and a rebuild from scratch. Make sure your site is not exposed to the most common attacks. Below are some of the most prevalent website attacks you should be aware of.
Cross Site Scripting
Cross-site scripting (XSS) is consistently one of the most prevalent threats to websites. XSS happens when a web application takes attacker-controlled input (a comment, a search term, a URL parameter) and writes it into a page without encoding it, so that another user's browser runs it as script. In reflected XSS the payload is carried in a link the victim is tricked into clicking from another website, an instant message or an email; in stored XSS the payload is saved on your site and served to every visitor. The script then runs with your site's origin, so it can read the victim's session cookie, submit forms on their behalf and steal whatever data they enter. Telling users to open only trusted links helps against reflected XSS but is not a fix: the defence belongs in the application, by encoding every piece of untrusted data for the context it is written into (HTML text, attribute, JavaScript, URL), validating input, setting a Content Security Policy, and marking session cookies HttpOnly so script cannot read them.
SQL Injection
SQL injection is another common website threat. SQL stands for "Structured Query Language", the language your application uses to talk to its database. An SQL injection attack happens when the application builds a query by pasting untrusted input (a login name, a search string, a URL parameter) straight into the SQL text, and the attacker supplies input containing quotes or SQL keywords that change what the query does. It is not something the developer accepts while writing the site; it happens at runtime on every request that reaches the vulnerable code. The attacker can then read, change or delete data, bypass logins and, on some databases, run commands on the server. The fix is to never concatenate input into SQL: use parameterised (prepared) statements so the database receives the values separately from the query, and give the application's database account only the privileges it needs.
Session Hijacking
Session hijacking is another threat your website must not be vulnerable to. After a user logs in, your site usually identifies them by a session ID stored in a cookie. An attacker who obtains that ID, by sniffing it on an unencrypted connection, stealing it with XSS, guessing a predictable value, or planting it in the victim's browser before login, can present it to your site and be treated as the authorised user, and then read or change anything the victim could. Hijacking is hard to see from the server side, since the requests look legitimate; the usual sign is unusual activity on an account, such as a new IP address or browser mid-session, or actions the user denies. Defend against it by serving the whole site over HTTPS, setting the Secure and HttpOnly flags on the session cookie, generating session IDs from a cryptographic random source, issuing a new ID at login, and expiring sessions after inactivity.
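As an added example that is not part of the original post, here are the three attacks side by side: for each one a vulnerable function next to its hardened form, in Python against an in-memory SQLite database. The user table, the password and the attack payloads are constructed sample data, and the session store is a minimal illustration rather than any particular framework's implementation.

```python
"""Added example, not code from the original post: each of the three attacks
above as a vulnerable function next to its hardened form.  Everything runs
offline against an in-memory SQLite database; users, passwords and attack
payloads are constructed sample data, not taken from any real site."""
import hmac
import html
import secrets
import sqlite3
from http.cookies import SimpleCookie


def make_db():
    """Constructed sample users table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


# --- SQL injection -------------------------------------------------------
def login_vulnerable(db, name, password):
    # Untrusted input is pasted into the SQL text, so a quote in the
    # password ends the string and the attacker writes the rest of the query.
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, name, password):
    # Parameterised query: values travel separately from the statement, so
    # they can never change its structure.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


# --- Cross-site scripting -------------------------------------------------
def render_comment_vulnerable(comment):
    # A visitor's comment is written into the page as raw HTML.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    # Encode for the HTML text context.  Attribute, JavaScript and URL
    # contexts need their own encoders; html.escape alone is not enough there.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# --- Session hijacking ----------------------------------------------------
class SessionStore:
    """Server-side sessions keyed by an unguessable random ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user}
        return sid

    def rotate(self, old_sid):
        # Issue a fresh ID when privilege changes (e.g. at login) so an ID
        # the attacker planted or observed beforehand is useless afterwards.
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def lookup(self, sid):
        # Compare in constant time so response timing does not leak ID bytes.
        for known, data in self._sessions.items():
            if hmac.compare_digest(known, sid):
                return data
        return None


def session_cookie(sid):
    # Secure: sent only over HTTPS, so it cannot be sniffed on the wire.
    # HttpOnly: invisible to page script, so XSS cannot read it.
    # SameSite=Strict: not attached to requests initiated by other sites.
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, "alice", payload))
    print("safe login bypassed:     ", login_safe(db, "alice", payload))
    print(render_comment_safe("<script>alert(document.cookie)</script>"))
    store = SessionStore()
    sid = store.rotate(store.create("alice"))
    print(session_cookie(sid))
```

Run it and the classic `' OR '1'='1` password logs in through the concatenated query but not through the parameterised one; the script tag in the comment comes out as `&lt;script&gt;`, which the browser displays instead of executing; and the cookie line shows the flags that stop the session ID being sniffed, read by script, or sent along with a cross-site request.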
So if you own a website, watch out for these vulnerabilities. Fixing them is a development task (encoding output, parameterising queries, hardening sessions); a quarterly scan by an Approved Scanning Vendor (ASV) helps you find known weaknesses in what you expose to the internet, but a scan only reports problems, it does not remove them.
Posted in pci compliance, website verification | Tagged: pci scanning, vulnerability scanning, website security, website threats, website verification, website vulnerabilities
Posted by websiteverification on June 29, 2010
The PCI vulnerability standards have been all over the web for the last few years. By now most of us know that PCI compliance is an obligation for every merchant that accepts payment cards. All the talk about PCI has raised numerous questions as well, so I put together a list of frequently asked questions with answers.
What exactly are the PCI Vulnerability Standards? The PCI vulnerability standards, usually referred to as PCI DSS (Payment Card Industry Data Security Standard), consist of 12 detailed requirements published by the PCI Security Standards Council. The Council was founded by the five major card brands in September 2006 to manage the standard; the standard itself was first released in December 2004. It was created to give businesses one unified set of rules for keeping their customers' cardholder data safe and secure.
Do the PCI standards apply to all businesses? Any business that accepts, processes, transmits or stores cardholder data must meet the PCI DSS requirements, no matter its size. Put simply, if you accept payment cards at your place of business, the PCI requirements apply to you. Only the validation work (which questionnaire, whether an on-site assessment is needed) varies with your transaction volume.
What if we don't accept credit cards, but we accept debit cards? PCI compliance still applies. The PCI standards must be followed by any organization accepting credit, debit or prepaid cards. Essentially, if you accept any card carrying the logo of one of the five major brands (American Express, Discover, JCB, MasterCard or Visa), you must be in compliance.
Where is a complete list of the PCI Vulnerability Standards? Check out the website https://www.pcisecuritystandards.org.
How is PCI scanning related to PCI compliance? PCI DSS (Requirement 11.2) calls for external vulnerability scans at least quarterly, and after any significant change to the network, performed by an ASV (Approved Scanning Vendor). The ASV scans every internet-facing IP address and domain in your cardholder data environment: your website, your office internet connections, mail and VPN gateways, and anything else reachable from a public IP address. A vendor may offer more frequent (even daily) scans, but the quarterly passing scan is what your acquirer expects to see.
What happens if I am not in compliance? The card brands can levy fines through your acquiring bank, which passes them on to you; figures as high as $100,000 a month have been reported for continued violations, on top of the cost of any breach. This can be catastrophic, especially for a small business, so do not take it lightly.
This article may not have answered every PCI question you have. Above all, remember that the PCI DSS must be followed, and if you still have questions, don't hesitate to ask. There is a lot of information available, starting with the Council's own site, and PCI compliance is very important.
Posted in pci compliance, website verification | Tagged: pci compliance, pci compliant, pci data security standard, pci dss, pci security standard, pci vulnerability standards, vulnerability scanning, website security, website verification
Posted by websiteverification on February 13, 2010
Vulnerability scanners are one step beyond what you already have in place to keep your website safe, and an important part of website security. A vulnerability scanner is the tool an ASV (Approved Scanning Vendor) uses to probe your internet-facing systems for known weaknesses: missing patches, outdated software versions, weak configurations and common web application flaws. It checks for many such vulnerabilities and delivers the results in a report, so you have the information you need to get them fixed.
I am sure you have all heard about the many threats lurking on the internet. Malware (spyware, adware), viruses and worms, and phishing can cause serious problems for your computer systems and your website. Here is a quick explanation of some of these well-known dangers.
Malware (short for "malicious software") is designed to take over a computer system without the permission of its user. Malware includes spyware and adware. Spyware installs itself without the user's knowledge and steals private information about them; it is sometimes bundled inside adware. Adware is short for "advertising-supported software" and is not illegal in itself, which leads people to believe it is safe, but that is not always the case. Protect your systems against malware with anti-malware software, prompt patching and a firewall; a vulnerability scanner helps by flagging the unpatched software that malware exploits to get in.
Computer viruses, as you know, spread from computer to computer much as a human virus spreads from person to person, attached to files or programs that a user opens or runs. They range in severity: some cause only minor annoyance, while others damage your software or files. Worms are similar in that they spread from computer to computer, but unlike a virus they need no human action: a worm exploits a vulnerable network service or a file-transport feature on the system to copy itself onward. Always run anti-virus software, and use a vulnerability scanner to find the unpatched services a worm would use to get in.
Phishing is the criminal practice of trying to obtain private information such as usernames, passwords and card numbers from unsuspecting users by posing as a trustworthy business or person. It is normally carried out by email and frequently directs users to a fake website that looks identical to the real one the user has visited before, where whatever they type in goes to the attacker.
Now that we have reviewed some of the major threats on the internet, make sure a vulnerability scanner is part of your defences.
Posted in pci compliance, website verification | Tagged: pci compliance, pci scanning, vulnerability assessment, vulnerability scanner, website security
Posted by websiteverification on January 14, 2010
If you want your site to have the best security possible, SSL is something you need. But while SSL is very important, SSL alone is not enough for site security. Secure Sockets Layer (and its successor, TLS) encrypts the connection between a visitor's browser and your server, so your customers' data cannot be read or altered in transit, and the certificate lets them confirm they are talking to your site and not an impostor.
SSL works by encrypting the data transmitted during a transaction so that sensitive information cannot be read or changed by anyone sitting between the customer's browser and your server. Encryption scrambles the data with a key before it is sent, and the receiving end unscrambles it with the matching key; an eavesdropper on the wire sees only ciphertext. Each SSL certificate contains the public key and identifying information of the site it was issued for, and a certificate authority verifies the identity of the certificate owner before issuing it, which is what lets a browser trust the certificate it is shown.
If you run a business online and accept cards on your site, you must have SSL. You also need it if your site has a login, or if it collects personal information such as addresses or ID numbers: without it, passwords and session cookies travel in clear text and can be captured by anyone on the same network.
As an online shopper, you might wonder how to be sure the site you are shopping on uses SSL. You can tell because "http" is replaced with "https" in the address bar, and the browser shows a padlock icon (modern browsers put it in the address bar; older ones showed it in the status bar at the bottom of the window). Click the padlock to see who issued the certificate and which domain it covers; if the browser shows a certificate warning instead, do not enter any information.
SSL is a critical part of site security if you plan on running a successful online business. Remember, though, that it is not enough on its own. The certificate protects data in transit, not your whole website: it does nothing against cross-site scripting, SQL injection or a compromised server, all of which happen inside the encrypted connection. Think about the other parts of site security as well, such as third-party business verification, a privacy policy, and being PCI compliant with regular PCI scanning.
Posted in pci compliance, website verification | Tagged: pci scanning, secure sockets layer, site security, ssl, ssl certificate, website security
Posted by websiteverification on July 22, 2009
We all know by now that PCI compliance is necessary, but that doesn’t mean it’s the easiest thing in the world to accomplish. Many businesses claim that complying with the PCI Data Security Standard is too hard and too expensive.
Understanding and executing the 12 PCI DSS requirements can seem intimidating, especially for small to medium-sized businesses. However, these requirements were developed to help protect businesses from becoming victims of cardholder data theft. Even if there were no requirement for PCI compliance, the security practices found in the standard are steps that any business would want to take anyway to protect sensitive information. Most of the PCI DSS is already common practice for businesses that want their sites secure, and there are many products and services available to help meet the requirements.
When people say PCI is too hard, sometimes what they may really mean is that complying is expensive. But you should know that the business risks and ultimate costs of non-compliance can greatly exceed the cost of implementing PCI DSS.
Non-compliance can be very expensive, if not catastrophic. The cost of non-compliance is not only the fines, card replacement and audit fees, but also lost reputation and revenue. One study the author cites put 70 percent of the cost of non-compliance down to lost revenue. This is not only a big deal for large companies that get criticized in the media; for a small business it can be truly disastrous and put it out of business.
So, if you are one of those people that have ignored PCI compliance, know that it is not worth it. Complying with the PCI Data Security Standard is a must!
Posted in pci compliance, website verification | Tagged: pci compliance, pci data security standard, pci dss, pci scanning, pci security standard, website verification
Posted by websiteverification on June 26, 2009
It has been said that identity theft is the largest white-collar crime ever in the United States. As a website owner, you may wonder what you can do to protect your clients. I recommend that you have vulnerability assessments done on your website. A vulnerability assessment is the process of identifying, quantifying and prioritizing the vulnerabilities in a system. You may also have heard of vulnerability scanning or PCI scanning: scanning is the automated part of that process, and PCI scanning is vulnerability scanning performed by an Approved Scanning Vendor against the PCI requirements. It is one of the best ways you, as an online business owner, can protect your customers' information.
Criminal identity theft occurs when a thief uses another person's name and personal information, such as a driver's license, date of birth or Social Security number (SSN), to obtain a job, housing, money, goods or other services. The Federal Trade Commission has reported that in the last twelve months 9.93 million people had some type of identity theft crime committed against them. Victims spend on average $1,200 in out-of-pocket expenses and an average of 175 hours of time and effort to resolve the many problems caused by identity thieves. The scary thing is that it takes a victim on average 12 months before they even realize they have been victimized!
So how can vulnerability assessments help? Having vulnerability scanning conducted by an Approved Scanning Vendor at least quarterly (the PCI DSS minimum) finds the exposed weaknesses on your site and helps keep you compliant with the PCI DSS (Payment Card Industry Data Security Standard). Merchants that accept, process or store cardholder data on their site must have the scanning conducted. A passing scan produces a scan report and attestation that you submit to your acquiring bank as part of your compliance validation. Conducting these scans, fixing what they find, and staying compliant is how you avoid penalties and fines.
Merchants who are PCI compliant often report that online orders increase. Why? Because shoppers are more confident using their cards online when they know the sites they are shopping on are better protected against the risk of identity theft.
Some areas tested during a vulnerability assessment are firewalls, server vulnerabilities, virtual private networking (VPN) gateways, email server configuration, remote access services, website analysis, modems, and more: in short, everything reachable from the internet.
So if you own an online business, don’t take any risks. Keep your site compliant and safe from identity thieves for the protection of your business and your customers. Start vulnerability assessments now.
Posted in pci compliance, website verification | Tagged: identity theft, pci compliance, pci scanning, vulnerability assessment, vulnerability assessments, vulnerability scanning, website security, website verification
Posted by websiteverification on June 1, 2009
While researching the PCI standards I have come across the term SAQ quite often. The acronym stands for Self-Assessment Questionnaire. The PCI SAQ is a tool to help merchants and service providers evaluate their own PCI compliance.
There are five different versions of the PCI SAQ to cover various scenarios. The version your organization needs to complete depends on how your company handles cardholder data. For some businesses (for example, one that fully outsources card processing and never touches card data) the appropriate questionnaire is short and simple, while for others it is long and technical. Each questionnaire is divided into six sections, one per PCI DSS control objective, each focusing on a specific area of security. These are:
- Maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
While completing the SAQ, a merchant has to answer "yes" to every question that applies to it (or document a compensating control) to be considered compliant with the PCI standards. A "no" on any question means the merchant or service provider is not compliant. The gaps identified by the questionnaire must be remediated and the questionnaire completed again.
The SAQ may seem somewhat complicated, but there are many businesses and websites out there that can help you complete it. Also, depending on your merchant level, the SAQ may not be enough. You may need to have an onsite audit completed to certify your PCI compliance. The best thing to do if you are unsure is to check with your acquirer.
Posted in pci compliance, website verification | Tagged: PCI certified, pci compliance, pci scanning, pci security standard, pci standards, saq
Posted by websiteverification on May 14, 2009
There has been a lot of criticism of companies that treat the PCI DSS as their only form of security. While it is important to have other security measures as well, following the PCI DSS does work!
There’s nothing wrong with PCI DSS that cannot be cured by following it
|I continue to hear comments that PCI DSS doesn't work and that it should be modified or even eliminated.
|I find it interesting that so much fault can be leveled at PCI DSS in light of the facts that Verizon Business puts forth in their 2009 Data Breach Investigations Report. Here are some of their findings after investigating data breaches that compromised 285 million records in 2008 alone:
| 81% of the victims were not PCI compliant
|The last point, 81% of the victims were not PCI compliant, speaks volumes about the spirit, intent and effectiveness of PCI DSS ... if it is treated as security best practice and followed on a daily basis rather than treating it as a checklist that must be passed annually. Until each of the above percentages changes dramatically, I think PCI DSS should be seen as a good security best practice to follow continuously.
Posted in pci compliance, website verification | Tagged: pci, pci compliance, pci compliant, pci dss, pci scanning, pci security standard
Posted by websiteverification on April 28, 2009
OK, so we all know about the PCI DSS (Payment Card Industry Data Security Standard) by now. But some of you may be wondering what the PCI DSS fines are if you do not become compliant. The fines can be steep, as I explain below, but fines are not the only risk: if you are not compliant, you are also leaving your systems and your customers' card data exposed.
All businesses that store, transmit or process cardholder data are required to follow the PCI DSS, and should have become compliant by the end of 2007. If you are one of these businesses and are not yet compliant, you are constantly at risk of losing sensitive cardholder data, which will most likely result in PCI DSS fines, legal action and bad publicity. Organizations that fail to comply face fines of up to $500,000 if data is lost or stolen, and risk losing the ability to handle cardholder data at all.
High-profile cases involving big corporations have hit the headlines in the last couple of years. The card brands have threatened larger merchants with fines of up to $25,000 per month until compliance is achieved. In the widely reported TJX case (owner of the T.J. Maxx, Marshalls, HomeGoods and A.J. Wright retail chains), the company reported spending $202 million as a result of the breach, which compromised the card account information of as many as 40 million customers. The money went to handling more than 20 lawsuits brought against it by banks and consumers in the U.S. and Canada, and to settlements with the card associations.
So don't risk it. If you are not yet PCI compliant, get there now. It is not as hard as it may seem, and it is well worth the time and money. If you don't want to risk those PCI DSS fines, you know what to do!
Posted in pci compliance, website verification | Tagged: pci, pci compliance, pci compliant, pci dss, pci dss fines, pci security standards, trust guard, website security, website verification
Posted by websiteverification on March 31, 2009
You may have heard a lot about PCI compliance, and maybe you have taken all the steps you need to ensure that your business is PCI certified. But I have a question for you: are the websites you shop on PCI certified? This matters to you as an online shopper, because you want your personal information, such as card numbers, to be safe and secure. One way to gain some confidence is to check whether the website you are shopping on is PCI certified.
Just to review, being PCI certified means the website complies with all the requirements of the PCI DSS (Payment Card Industry Data Security Standard). These requirements cover building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. The website should also be undergoing PCI vulnerability scans at least quarterly (the standard's minimum; some vendors scan daily) to make sure there are no known vulnerabilities exposed on the site that would let hackers and online thieves steal customer information.
You may be wondering how you can tell whether a website you shop on is PCI certified. The easiest sign is a trust seal posted on the website. Trust seals are small images that, when clicked, open a page on the seal vendor's own site confirming that the website has been verified and has passed its PCI scans. Always click through: a seal image by itself proves nothing, since anyone can copy it, so check that the confirmation page is served from the seal vendor's domain, names the site you are on, and shows a recent scan date. It is worth doing this before entering personal information on a site you have not used before.
So when you shop online, be careful. Do your homework and look for trust seals that are up to date and that verify when clicked. You want to be sure that the site you are shopping on has been verified by a third party and is following PCI compliance. Don't let your personal information fall into the wrong hands; shop on websites that are PCI certified.
Posted in pci compliance, website verification | Tagged: PCI certified, pci compliance, pci dss, pci scanning, pci security standard, website security, website verification