Internet.com ISP-Planet
ISPCON: Cashing in on E-Commerce — continued

 
PCI/DSS Compliance
There are rules. After several scandals, the credit card companies began to monitor the way that their vendors gather and store personal information.

For vendors, fraudulent chargebacks can be a huge problem. Your customer, a website owner, sells something, ships the product, and then the credit card company tells them the credit card number was stolen.

Bowles had seven tips for avoiding this problem:

1) Verify the address

2) Scrutinize orders from foreign countries

3) Call if you are suspicious about the order for any reason

4) Be wary of orders from people using a free e-mail address

5) Always ask for the security code on the credit card

6) Consider using a carrier that requires signature on delivery, and keep the receipts

7) Consider logging IP addresses, but if you do so, place a warning on the website that you are doing so
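The seven tips above can be turned into a mechanical first pass that flags an order before anyone ships it. The following screening routine is an added example, not code from the article or from Bowles; the order fields, the free-mail domain list, the home country and the signature threshold are my own assumptions, chosen only to illustrate the checks.

```python
"""Screen a card-not-present (CNP) order against the seven chargeback tips.

Added example; field names, thresholds and the free-mail list are assumptions.
"""
from dataclasses import dataclass, field

# Constructed list of providers that hand out free, anonymous mailboxes (tip 4).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Assumed merchant home country; anything else is treated as a foreign order (tip 2).
HOME_COUNTRY = "US"

# Assumed amount above which the parcel goes signature-required and the receipt is kept (tip 6).
SIGNATURE_THRESHOLD = 250.00


@dataclass
class Order:
    billing_address: str
    shipping_address: str
    country: str
    email: str
    cvv_supplied: bool   # tip 5: was the card security code collected?
    amount: float
    avs_match: bool      # tip 1: processor's Address Verification Service result


@dataclass
class Screening:
    flags: list = field(default_factory=list)
    decision: str = "approve"       # approve | call_customer | hold
    signature_required: bool = False


def screen_order(order: Order) -> Screening:
    """Return the risk flags raised by the order and a suggested next step."""
    result = Screening()

    # Tip 1: verify the address. An AVS failure, or a ship-to that differs from
    # the billing address, is the classic pattern behind a stolen-number order.
    if not order.avs_match:
        result.flags.append("avs_mismatch")
    if order.billing_address.strip().lower() != order.shipping_address.strip().lower():
        result.flags.append("ship_to_differs_from_billing")

    # Tip 2: scrutinize orders from foreign countries.
    if order.country.strip().upper() != HOME_COUNTRY:
        result.flags.append("foreign_order")

    # Tip 4: be wary of free e-mail addresses.
    domain = order.email.rsplit("@", 1)[-1].strip().lower()
    if domain in FREE_MAIL_DOMAINS:
        result.flags.append("free_email_address")

    # Tip 5: always ask for the security code; without it the order is held.
    if not order.cvv_supplied:
        result.flags.append("no_security_code")

    # Tip 6: high-value parcels ship signature-required.
    if order.amount >= SIGNATURE_THRESHOLD:
        result.signature_required = True

    # Tip 3: anything suspicious means a phone call before shipping.
    if "no_security_code" in result.flags:
        result.decision = "hold"
    elif result.flags:
        result.decision = "call_customer"
    return result


if __name__ == "__main__":
    # Constructed sample order that trips most of the checks.
    sample = Order("9 Other Rd", "1 Main St", "GB", "buyer@gmail.com", True, 400.0, False)
    print(screen_order(sample))
```

The routine only raises flags; it never auto-declines, because the keynote's advice is to call the customer when something looks off, and a human decides from there. Tip 7 (IP logging) is deliberately left out of the function: logging the client address belongs in the web tier, together with the on-site notice the tip calls for.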

"Most chargebacks occur in Card Not Present (CNP) transactions. Most CNP transactions occur on the internet. 99 percent of fraud goes unresolved even if the merchant provides all the relevant data."

Standards like Visa's Cardholder Information Security Program (CISP) are not there to protect you or your vendor. They allocate liability when there's a problem. They dictate a baseline minimum on security issues, and if you fail to meet that minimum, a problem is deemed to be your fault.

The PCI DSS (Payment Card Industry Data Security Standard) applies to vendors differently depending on their annual revenue. There are four levels:

Level 1 (over $6 million per year): merchants must comply or face fines.

Level 2 ($1 million to $6 million per year): merchants will need to comply next.

Level 3 ($20,000 to $1 million per year): compliance is for the future.

Level 4 (less than $20,000 per year): not in the immediate plans.

So far, Bowles said, 83 percent of level 1 merchants are compliant. 78 percent of level 2 are compliant, and even 56 percent of level 3 merchants are compliant.

"It's not cheap to do this," Bowles said.

The impetus for PCI DSS, Bowles said, was the TJ Maxx credit card data theft scandal. TJ Maxx had made elementary errors. They had stored more data than they needed to. They had left it unencrypted. They had a wide open wireless network.
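The first two of those errors, keeping more card data than needed and keeping it readable, can be prevented at the point where a transaction record is written. The routine below is an added example, not code from the article or from any payment processor; the record layout, the placeholder key and the masking policy are my assumptions. It applies two rules that PCI DSS does state: the card security code and magnetic-stripe track data are never stored after authorization, and the card number (PAN) is masked and rendered unreadable wherever it is kept. Here the unreadable form is a keyed-hash token rather than reversible encryption, which is enough when the merchant only needs to link repeat orders to the same card.

```python
"""Strip prohibited card data and render the PAN unreadable before storage.

Added example; record fields, TOKEN_KEY and the masking policy are assumptions.
"""
import hashlib
import hmac
import re

# Placeholder key for demonstration only. In production the key lives in a
# key-management system and is never embedded in source code.
TOKEN_KEY = b"placeholder-key-replace-with-managed-key"

# Sensitive authentication data: must not be stored after authorization.
PROHIBITED_FIELDS = ("cvv", "track1", "track2", "pin")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so malformed 'card numbers' are refused rather than stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed hash that links records for the same card without storing the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_record(record: dict) -> dict:
    """Return a copy of the transaction record that is safe to write to disk."""
    pan = re.sub(r"\D", "", record.get("pan", ""))
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid PAN; refusing to store the record")
    clean = {k: v for k, v in record.items() if k not in PROHIBITED_FIELDS and k != "pan"}
    clean["pan_masked"] = mask_pan(pan)
    clean["pan_token"] = tokenize_pan(pan)
    return clean


if __name__ == "__main__":
    # Constructed record using the well-known Luhn-valid test number 4111 1111 1111 1111.
    raw = {"order_id": "A-1001", "pan": "4111 1111 1111 1111", "cvv": "123",
           "expiry": "12/09", "amount": 59.90}
    print(sanitize_record(raw))
```

Anything the record never contains cannot be stolen from a backup or a misconfigured server, which is the whole point of the data-minimization lesson from the TJX case.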

"The primary way that thieves enter," Bowles said, "is through unpatched systems." Isn't that a problem you could help solve? It can be as simple as implementing password rotation and making sure that nobody uses default passwords.

Bowles said that data thieves are professionals and are capable of breaking through most security, but that if you have security and another potential target does not, the other target will be attacked. You want to be a less attractive target.

There was plenty more information in this keynote, and the presentation is available online to those who paid for a conference pass, but this brief overview should serve as an introduction to what you need to know about e-commerce in order to begin to cash in on the opportunity it offers.

Please, please make sure your customers fix known issues!
Yes, this coda is about TJ MAXX. Last week, The Register (h/t Wired's Threat Level blog) reported that an employee was fired for disclosing continued security issues at TJX. If you host a website whose owner won't fix issues like this, fire that customer.


Related articles:
  [April 24, 2003] No Equity in Credit Card Processing
  [March 13, 2002] Ten Ways to Reduce Chargebacks and Fraud
  [Aug. 29, 2001] When the FBI is Your Friend
