We renew our driver's license when required, drive sober, and exercise care while on the road.
We don't say "when do I have to start driving safely?" or "what will happen if I don't drive safely?"
We should behave the same way when taking credit cards online.


Being a safe driver.

  • Understand traffic laws
  • Keep your license current
  • Don’t drive while impaired
  • Check your blind spots
  • Leave adequate space between yourself and others
  • Perform regular vehicle maintenance
  • Practice defensive driving
  • Carry motor vehicle insurance

Running a safe store.

  • Establish and manage firewalls securely
  • Never leave any default passwords around
  • If credit card details are stored, keep them masked & encrypted
  • Use latest, safest transmission protocols
  • Use anti-virus software properly
  • Use latest, safest versions of your payment application
  • Don't let anyone get access to your data unless they need it to do their job
  • Manage access using safe password controls
  • Lock the doors to the physical space
  • Everything, but everything, must be logged and monitored
  • Set up critical checks and filters (IDS/FIM/WAF/Pen Testing)
  • Put Incident Response & Disaster Recovery plans in place.
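Two of the items above, keeping stored card details masked and making sure everything is logged, pull in opposite directions unless the logs themselves are scrubbed. The following Python is an added example (not code from this page or from the hosting provider it describes) that masks a primary account number to its first six and last four digits, and runs a Luhn-checked scrubber over constructed log lines so that any full PAN that leaks into a log is replaced by its masked form while ordinary 16-digit order references are left alone. The log lines, `mask_pan`, `scrub_line` and `scrub_log` are all assumptions of this example; encrypting PANs at rest is a separate control and is not shown here.

```python
import re

# Luhn checksum: distinguishes real card numbers from other long digit strings
# (order ids, timestamps) so the scrubber does not rewrite harmless fields.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return a PAN showing only the first 6 and last 4 digits (the common PCI display rule)."""
    digits = re.sub(r"\D", "", pan)          # drop spaces and dashes
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_line(line: str):
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Returns (scrubbed_line, number_of_pans_masked).
    """
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)                 # not a card number: leave untouched

    return PAN_RE.sub(repl, line), count


def scrub_log(lines):
    """Scrub a whole log; returns the list of (line, count) pairs."""
    return [scrub_line(line) for line in lines]


# Constructed sample log lines for this example (4111111111111111 is a well-known test PAN).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z order=8839 pan=4111 1111 1111 1111 status=approved",
    "2024-05-01T10:00:02Z order=8840 ref=1234567890123456 status=declined",
    "2024-05-01T10:00:05Z user=alice action=login",
]

if __name__ == "__main__":
    for scrubbed, n in scrub_log(SAMPLE_LOG):
        print(f"[{n} masked] {scrubbed}")
```

Running the block prints the first line with the card number replaced by `411111******1111`, and leaves the declined order's 16-digit reference alone because it fails the Luhn check. In practice this scrubber sits in the logging pipeline (a log handler or the shipper's filter stage) so the PAN never reaches disk, rather than being run over logs after the fact.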

If security is mainly about firewalls and server access, should a hosting provider take responsibility?

We looked around to see the different offerings on the market. (For many hosts, eCommerce is just a small part of their business. It's little wonder that they don't offer 'payment security' as a norm.)


'Regular' hosting

  • Doesn't necessarily put database on its own server.
  • Doesn't necessarily put database behind a firewall.
  • Will allow visitors direct access to your servers.
  • Doesn't use the AspDotNetStorefront implementation guide.

These are heavyweight security problems.
Why not email your host with these questions?

Great eCommerce hosting

  • Segments the database (the cardholder data environment, CDE) away from the web server
  • Restricts access to database servers to cut malicious traffic
  • 'Hardens' the environment using NIST/OWASP techniques
  • Manages firewalls to route pre-determined traffic away from CDE

Hosting of this kind offers a good foundation.
That leaves you free to outsource security services.

Hosting with Security Services

  • Total segmentation of cardholder data environment (CDE)
  • Locks down access: only programmatic database access
  • Penetration testing. Change detection. Vulnerability scans
  • Complete audits with tracking, monitoring and alerting

By fully understanding online payment security, we have put together a full range of services.

We talk about 'being a safe driver', not being 'DMV compliant'. Let's stop saying 'PCI compliant' & just focus on selling safely online.