We renew our driver's license when required, drive sober, and exercise care while on the road.
We don't say "when do I have to start driving safely?" or "what will happen if I don't drive safely?"
We should behave the same way when taking credit cards online.
Being a safe driver.
- Understand traffic laws
- Keep your license current
- Don’t drive while impaired
- Check your blind spots
- Leave adequate space between yourself and others
- Perform regular vehicle maintenance
- Practice defensive driving
- Carry motor vehicle insurance
Running a safe store.
- Establish and manage firewalls securely
- Never leave any default passwords around
- If credit card details are stored, keep them masked & encrypted
- Use latest, safest transmission protocols
- Use anti-virus software properly
- Use latest, safest versions of your payment application
- Don't let anyone get access to your data
- Manage access using safe password controls
- Lock the doors to the physical space
- Everything, but everything, must be logged and monitored
- Set up critical checks and filters (IDS/FIM/WAF/Pen Testing)
- Put Incident Response & Disaster Recovery plans in place.
If security is mainly about firewalls, and server access - should a hosting provider take responsibility?
We looked around to see the different offerings on the market. (For many hosts, eCommerce is just a small part of their business. It's little wonder that they don't offer 'payment security' as a norm.)
- Doesn't necessarily put database on its own server.
- Doesn't necessarily put database behind a firewall.
- Will allow visitors direct access to your servers.
- Doesn't use the AspDotNetStorefront implementation guide.
These are heavyweight security problems.
Why not email your host with these questions?
Great eCommerce hosting
- Gives CDE segmentation to database (away from the web server)
- Restricts access to database servers to cut malicious traffic
- 'Hardens' the environment using NIST/OWASP techniques
- Manages firewalls to route pre-determined traffic away from CDE
Hosting of this kind offers a good foundation.
That leaves you free to outsource security services
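The two lists above describe the same property from opposite sides: a database that sits on its own server, has no public address, and accepts connections only from the web tier. The check below is an added example, not code from the original presentation or from AspDotNetStorefront; it audits a constructed description of a hosting layout for exactly those properties. The host and rule records, the internal and public addresses, and the assumption that the database listens on MS SQL Server's default port 1433 are all constructed for this example.

```python
"""Audit a described hosting layout for CDE segmentation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port the store database listens on. MS SQL Server's default; an assumption
# made for this example, not a value from the original page.
DB_PORT = 1433


@dataclass
class Host:
    name: str
    roles: frozenset              # any of "web", "db"
    internal_ip: str
    public_ip: Optional[str] = None   # None means no Internet-reachable address


@dataclass
class Rule:
    action: str     # "allow" or "deny"
    src: str        # CIDR source; "any" is shorthand for 0.0.0.0/0
    dst: str        # destination host name
    port: int


def _src_network(src: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)


def audit(hosts: List[Host], rules: List[Rule]) -> List[str]:
    """Return findings for the layout; an empty list means it passes."""
    findings = []
    web_ips = {ipaddress.ip_address(h.internal_ip) for h in hosts if "web" in h.roles}
    db_hosts = {h.name: h for h in hosts if "db" in h.roles}

    # Database on its own server, away from the web tier and off the Internet.
    for h in db_hosts.values():
        if "web" in h.roles:
            findings.append(f"{h.name}: database shares a server with the web tier")
        if h.public_ip is not None:
            findings.append(f"{h.name}: database server has a public address {h.public_ip}")

    # Database behind a firewall: only single web-server addresses may reach DB_PORT.
    def _web_only(r: Rule) -> bool:
        net = _src_network(r.src)
        return net.num_addresses == 1 and net.network_address in web_ips

    for r in rules:
        if r.action != "allow" or r.dst not in db_hosts or r.port != DB_PORT:
            continue
        if not _web_only(r):
            findings.append(
                f"{r.dst}:{r.port} reachable from {_src_network(r.src)} "
                f"(expected a single web-server address)"
            )

    # The store still has to work: the web tier must have an explicit path in.
    for name in db_hosts:
        if not any(r.action == "allow" and r.dst == name and r.port == DB_PORT
                   and _web_only(r) for r in rules):
            findings.append(f"{name}: no rule allows the web tier to reach port {DB_PORT}")
    return findings


# Constructed sample layouts (not real systems).
SEGMENTED = (
    [Host("web1", frozenset({"web"}), "10.0.1.10", public_ip="203.0.113.10"),
     Host("db1", frozenset({"db"}), "10.0.2.20")],
    [Rule("allow", "10.0.1.10/32", "db1", DB_PORT),
     Rule("deny", "any", "db1", DB_PORT)],
)

FLAT = (
    [Host("store", frozenset({"web", "db"}), "10.0.1.10", public_ip="203.0.113.10")],
    [Rule("allow", "any", "store", DB_PORT)],
)

if __name__ == "__main__":
    for label, layout in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(label, audit(*layout) or ["ok"])
```

The segmented layout produces no findings; the flat one, where the database shares the web server and port 1433 is open to any source, produces four. The same structure extends to any other service the page's lists mention: add a port and a set of permitted source roles, and the "single permitted address" rule does the rest.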
Hosting with Security Services
- Total segmentation of cardholder data environment (CDE)
- Locks down access - only programmatic database access
- Penetration testing. Change detection. Vulnerability scans
- Complete audits with tracking, monitoring and alerting
By fully understanding online payment security, we have put together a full range of services.
We talk about 'being a safe driver', not being 'DMV compliant'. Let's stop saying 'PCI compliant' & just focus on selling safely online.