Five Easy Steps to PCI Compliance for Small Online Businesses
By Kerry Watson
May 29, 2008

STEP 3. Make a Decision.

If the list of your store's vulnerabilities from your free scan is too long, overwhelming and technical, you may want to consider switching to an off-site, third-party credit card processor.

For example, if, like many Web hosts, your host is not yet PCI compliant, your choices are to move your online store to a Web host that is PCI compliant, or to switch to an off-site, third-party credit card processor that meets the standards. If all of the complaints in your scan refer to Apache, OpenSSH, or other unfamiliar server programs, these are Web hosting issues that are not under your direct control. Contact your Web host to ask if they are working to achieve PCI compliant status.

Likewise, if you must access the Internet via an unsecured wireless network and cannot secure it, switching to the third-party credit card processor will resolve your PCI compliance problem, but of course your personal network and your personal data will remain vulnerable.

STEP 4. Hire a Techie.

If your list of vulnerabilities is long or you don't have a technical bone in your body, you may want to hire a Qualified Security Assessor or "QSA" to help you address your list of vulnerabilities. These are technical folks who are certified by the PCI Security Standards Council to help merchants like you achieve compliance. When contacting these folks, use all security precautions to be sure you are contacting the real QSA and not a very similar spoofed or phishing Web site.

Your QSA will help you to tighten security on the most critical items, and help you to develop a plan to achieve compliance on the rest.

STEP 5. Continue to Address Security.

Whether you move credit card processing off-site, or you bite the bullet and go for full on-site processing, never stop addressing online security. The PCI Standards organization has developed and made available to you a security protocol that would have cost you thousands of dollars for a private security specialist to custom develop for you. Take advantage of this opportunity to prevent security breaches to your own priceless data, as well as your customers' financial data.

Here is a summary of security areas for you to review regularly:

• Immediately change default passwords when installing any program;
• Have vulnerable portions of programs removed if not needed;
• Do not store unnecessary cardholder data on your site;
• Check security bulletins for SQL Injection warnings before installing a new program;
• Keep software up to date with all patches and upgrades;
• Use activity logging on your online store files;
• Check log files for suspicious activity that you did not authorize;
• Do regular vulnerability scans, even if you are not required;
• Use a firewall and secure encryption;
• Use and keep up to date anti-virus, anti-spyware and anti-adware programs;
• Create an Information Security Policy for employees and contractors; and
• Shred paper documents containing credit card information.

Additional Resources for Small Online Merchants:

KNOW PCI: a portal with many resources for small online merchants including a panel of PCI experts, best practices, a knowledgebase and forums — http://www.knowpci.com/

PCI Questionnaires and Instructions: the PCI organization's forms — https://www.pcisecuritystandards.org/tech/instructions.htm

PCI Qualified Security Assessors: check this list on a regular basis to ensure that your QSA has successfully maintained its status as a Qualified Security Assessor —
https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm

PCI Approved Scanning Vendors: check this list on a regular basis to ensure that your ASV has successfully maintained its status as an Approved Scanning Vendor — https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm

Kerry Watson is a consultant and author of 11 books in the OSC industry, including the new Manual for Magento Users. Her Web site is osCommerceManuals.com.
