Tuesday, January 19, 2010
I Believe that It Is Cheaper To Be PCI Compliant Than To Not Be PCI Compliant
In James Barrow’s book on achieving PCI compliance, he states that the research study showed that “not becoming compliant with the standard (Data Security Standard – or DSS) could lead to additional costs posed by a data breach.”
For one, the SSC (Security Standards Council) can elevate your business to Level 1 status following a breach or compromise. That means that you will have to do everything a Level 1 merchant has to do despite the lower volume of transactions that you process. Of course, the biggest expense with this option is the previously unnecessary need to hire a Qualified Security Assessor, or to pay someone inside your organization to conduct an internal audit, provided it is signed by an officer of the company.
Also, Barrow continues, “a breach may require further expenditures related to customer notifications and providing credit monitoring services. Finally, there are the expenses that may result from litigation, as well as the unknown variable of the cost to the company in loss of customer confidence.”
So, you decide: you can scan your site for vulnerabilities and increase customer confidence by displaying trust seals. Or you can leave your site open to hackers and outside attacks and potentially face the swollen and costly revised requirements of the Payment Card Industry.
To put it in monetary terms, you can pay almost $10,000 a year to repair the damage caused by security breaches from hackers and outside attacks. Or, you can pay a reliable scanning company about $500 a year for daily vulnerability scanning and PCI Compliant Reports.
Included in the yearly price you will receive a Security Scanned trust seal which will grow your business significantly. In fact, the best trust seal companies offer a “Double Your Money Back Guarantee” if your sales/conversion rates do not increase simply by displaying their seals.
With that knowledge, getting a daily scan and a seal to show online consumers that your site is safe seems like a no-brainer. Don't believe me or the research study? Ask the thousands of website owners who have been hacked! It is cheaper to be PCI Compliant than to not be PCI Compliant.
Author: Aaron Brandley is an independent website specialist. To learn more about PCI Compliance, go to www.pci-compliance.us. To purchase PCI Compliant website security scanning and trust seals, visit www.go.Trust-Guard.com.
Tuesday, December 29, 2009
Security Scans Lead to Trust Seals Which Lead to Increased Revenue!
After Trust Guard has scanned our site for over 30,000 vulnerabilities, we need to take full advantage of our now safe site by displaying Security Scanned Verification Seals.
It makes sense for us as website owners to remove all the fear, doubt, and suspicion that accompanies making a buying decision online. When there is no hesitation to do what we want our online visitors to do, our conversion rates will increase.
Online consumers worry about the security of our websites. They ask: Is this website safe? Will I get a virus? Do they scan daily for vulnerabilities so that hackers won't get in and steal my personal information?
They worry about the privacy of our websites. They ask: If I give them my email address, will I wake up tomorrow with 50 emails from companies I've never heard of?
They worry about our integrity as business owners. They ask: Is this a trustworthy business? If there is an issue with my purchase, will I be able to contact someone?
There are several ways that trust seals give consumers the peace of mind they need to trust us as website owners. They can see on the seals the date of the last time that our websites were verified. Also included on the trust seals are the names of our websites - customized exclusively for each particular company.
They can click on the seals and view the certificates that the trust seal company provides that show when our websites have been verified. The certificates will also show that the websites have passed the daily vulnerability scans – which everyone knows is the first line of defense in keeping our websites safe from hackers and outside attacks.
Online consumers can also view our phone, email, and physical address on the certificates, so that they know that they will be able to get a hold of us should the need arise. The trust seal company also provides their information, so that if for some reason we as website owners do not resolve a disagreement with a customer in a timely fashion, they can help.
It's really pretty simple. When we as website owners increase the amount of traffic that trusts us, more people will do what we want them to do. One of the most productive ways to achieve high levels of trust with online consumers is to display trust seals on our websites.
All Websites Should Follow the PCI Data Security Standard
Build and Maintain a Secure Network
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
All e-commerce businesses that accept payment cards are required to do two things: quarterly PCI scanning on all external-facing IP addresses, and a Report on Compliance or Self-Assessment Questionnaire concerning PCI SSC compliance and the PCI DSS.
PCI Scanning (also known as PCI Security Scanning or Vulnerability Scanning) involves having a PCI Approved Scanning Vendor (ASV) scan each public e-commerce IP address. Additionally, if customers are transferred to a third-party shopping cart hosted by your shopping cart provider during the checkout process, then those IP addresses should be scanned as well.
What Is All This Talk About Becoming PCI Compliant?
Among other things, the PCI Security Standards Council created the Data Security Standard (DSS) to reduce credit card fraud. If someone steals our customer’s credit card information while we are not compliant with the DSS regulations, the Payment Card Industry will hold us financially responsible for the theft.
For the security of our websites, as well as the safety of our online visitors, it is critical that we run daily vulnerability scans as outlined by the Council in the DSS. These security scans, offered by Trust Guard, can protect our sites and servers from hackers and outside attacks, while SSLs, although they serve their purpose, only encrypt data during the credit card transaction.
This website includes tons of valuable content about all twelve requirements for PCI compliance, organized into six related categories, called “control objectives.” When we satisfy all of the Council’s requirements, we will become PCI Compliant.
Friday, December 4, 2009
The Critical Nature of Website Security
How long have we worked to get our websites up and running? How much money have we spent to get our websites to work the way they do right now? When we consider the relatively low cost of protecting our sites from hackers and outside attacks, it's easy to see why more and more level-headed website owners are getting their sites scanned daily to keep safe and to be compliant with the Payment Card Industry and their Data Security Standard.
Having said that, today, online security isn't only about protecting our websites. Now it's also about staying in business! That's because more and more often, our potential customers will not buy from us if we do not show them that our sites are clean and have passed daily vulnerability scans. Online Consumers are more savvy than ever when it comes to website security, privacy, and business identity.
If our sites aren't protected with an SSL, and there is no visible evidence that we run daily vulnerability scans, the majority of shoppers won't do business with us. The same goes for our sites that don't provide evidence of a privacy policy compliant with local and national regulations. Online visitors also consistently shy away from our websites if we don't show them how easy it is to contact us by phone, email, chat, or a physical address.
If you want to learn more about Trust Guard, the leader in website security and verification, and how their products can protect your site while growing your business, Click Here.
Thursday, October 29, 2009
PCI Guy Receives Honor!
Monday, October 12, 2009
SSL Certificates Don't Protect Your Site From Hackers!
SSL Certificates only verify that the website is protecting transactions as they travel from the consumer to the appropriate financial institution. Any of the consumer’s personal information saved on the website’s computer (server) is still at risk of being stolen. The website itself is still at risk of being compromised. To make an analogy for you visual thinkers, think of a train station as your website and then think of a train and train tracks as credit card transactions. An active SSL protects the train and the train tracks, but the train station is still vulnerable to attacks.
PCI approved website security scans check for vulnerabilities on websites that could allow attacks from hackers. These vulnerabilities allow hackers to steal online consumer information. They also allow hackers the opportunity to damage or steal website files and even shut the site down.
Another incorrect belief is that non e-commerce websites are not in danger of outside attacks. Even sites that seemingly hold nothing of monetary value have been compromised when hackers redirect traffic, damage files, or even close down the sites. These websites do not need an SSL certificate, but they do need PCI approved vulnerability scanning.
Trust Guard, the leader in website security and verification, performs PCI approved website security scans. According to its president David Brandley, current statistics show that 73% of websites scanned by Trust Guard fail their initial scan. This includes sites that had been previously scanned by other scanning companies. The difference is that Trust Guard scans for twice as many vulnerabilities as their closest competitor.
“Honestly, I was surprised when I found out that almost three out of four websites aren’t safe from outside attacks!” confesses Brandley. “I knew that there were issues with website security, but the problem is worse than I thought it was.”
Once website owners understand that their SSL Certificate does not protect their site from hackers, and therefore purchase scanning services, the next step is to let online consumers visiting their site know that the site is scanned for vulnerabilities.
Trust-Guard.com is a division of Global Marketing Strategies. As well as PCI website security scanning, Trust Guard currently provides website Security Scanned Seals. The seal provides peace of mind for online consumers, who know that the website safely transfers their private information, that the site is consistently scanned for vulnerabilities, and that the business will be accessible to them should problems arise.
Tests show that online consumers are more likely to purchase products and services from websites that display Trust Guard seals. This is because the shopper feels safe, secure, and confident in the company. To learn more about how website owners can turn more of their online visitors into valued customers with trust seals, please visit www.go.Trust.Guard.com.
Thursday, October 8, 2009
Hey, Mr. Gullible, Stop Sharing Your Password!
In our never-ending attempt to keep our offline businesses and online websites free of inside and outside attacks, we must never lose sight of the benefits associated with effective passwords.
Sure, anti-virus software protects computers before they go online, and once online, SSL certificates serve their purpose. Security scanning and verification services such as Trust Guard not only keep hackers away, but also let online consumers know that sites are safe by displaying trust seals. However, effective passwords will protect most areas that online hackers and office troublemakers want to infiltrate.
Much of the “hacking” that is going on in the business world today is from people that work in the same office! The all-too-common statement: “Hey buddy, I need that file, what’s your password?” is penetrating the once-protected personal and professional documents of the gullible and trusting.
The Payment Card Industry (PCI) requires that website owners assign a unique ID to each person with computer access, then requests that they set a private password. As with any computer action, knowing who is accountable is critical when it comes to handling credit card transactions. And how can you know who is responsible if you’re sharing passwords? For more on PCI compliance requirements and the PCI’s Data Security Standard (DSS), visit www.pci-compliance.us.
The act of sharing passwords has gotten more people in more legal and financial problems than any other business issue. If an important file or folder is taken, using your password, how will you show that you didn’t take it? If something is done wrong by someone else, like compromising a document, or transferring accounts comprised of financial or monetary data, and it is done with your password, it is extremely difficult to prove that you were not involved.
Keep your password safe. Whether it is locked up in a physical or online safe, in a personal binder that never leaves you, or in your head, you should keep your password in an environment where others won’t be able to locate it.
In addition to making an individualized password and keeping it private, you should make it at least seven characters long. Shorter passwords are easy to steal from passersby. It should contain upper and lower case letters, numerals, and special characters. The more you mix up the password’s numbers, letters, and special characters, the better. One of the numbers or special characters should be in the second through sixth position (not first or last).
Change your password often – no matter how safe you think it is, and make it significantly different from prior passwords. I had a boss once who told me that he had the same password every month, but only changed the last numbers of it to reflect which month it was. I think “tootrusting11” was the password he used for November! I do not recommend using his system.
Do not use a common name or a common word as a password, and refrain from using your own name or username. Spouse, children, and pet names are also ineffective. Thousands of documents have been stolen or compromised through passwords like “password”, “business”, and “Ultimate Frisbee”. Wrongdoers have guessed passwords consisting of the company’s name or industry – and surprisingly, their guess was right.
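The password rules in the three paragraphs above (length, character mix, position of the numeral or special character, no common words or personal names, and a real change from the previous password rather than just new trailing digits) can be enforced automatically at password-change time. The following checker is an added example written for this page, not code from the post or from Trust Guard; the `COMMON_WORDS` deny list is constructed from the words the post names and stands in for a much larger breached-password list a real deployment would load.

```python
import re
import string

# Constructed deny list for this example: the words the post calls out.
# A production checker would load a large breached-password list instead.
COMMON_WORDS = {"password", "business", "ultimate frisbee"}


def _strip_trailing_digits(s: str) -> str:
    """Remove trailing digits so 'tootrusting11' and 'tootrusting10' compare equal."""
    return re.sub(r"\d+$", "", s)


def check_password(candidate: str, username: str = "",
                   personal_names=(), previous_passwords=()) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    Rules, as stated in the post:
      - at least seven characters
      - upper-case and lower-case letters, a numeral, and a special character
      - a numeral or special character in positions 2 through 6 (not first or last)
      - no common word, and no username or personal (spouse/child/pet) name
      - not a trivial variation of a previous password (only trailing digits changed)
    """
    problems = []
    if len(candidate) < 7:
        problems.append("shorter than seven characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")

    # Positions 2..6 are indices 1..5 of the string.
    interior = candidate[1:6]
    if not any(c.isdigit() or c in string.punctuation for c in interior):
        problems.append("no numeral or special character in positions 2-6")

    lowered = candidate.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for name in (username, *personal_names):
        if name and name.lower() in lowered:
            problems.append(f"contains personal name or username '{name}'")

    # Reject the "same password, new month number" scheme the post describes.
    for old in previous_passwords:
        if _strip_trailing_digits(lowered) == _strip_trailing_digits(old.lower()):
            problems.append("differs from a previous password only in trailing digits")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the second one is the post's November example.
    for pw, kwargs in [
        ("Tr4in!station", {}),
        ("tootrusting11", {"previous_passwords": ["tootrusting10"]}),
        ("Jsmith7!abc", {"username": "jsmith"}),
    ]:
        print(pw, "->", check_password(pw, **kwargs) or "OK")
```

The checker reports every failed rule rather than stopping at the first one, so a user changing a password sees the complete list at once; the trailing-digit comparison is deliberately case-insensitive so that capitalising a letter does not count as a "significant" change either.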
Monday, October 5, 2009
Harold the Hacked is Becoming a Rock Star!
To read the article on Google about Harold the Hacked, go HERE.
Currently Trust Guard scans for over 30,000 vulnerabilities - more than double the vulnerabilities scanned by their closest competitor! The Payment Card Industry (PCI) requires that websites perform vulnerability scanning on a routine basis.
To read the entire article about Harold's first adventure - when his website was hacked into, click here.
Thursday, October 1, 2009
Keeping Effective Passwords is an Essential Business Practice
How many of you had passwords at the time you were hacked into that included your birth date, name, or favorite football team?
I know, we've all been there. We think it really doesn't matter until - BOOM! A break-in! Why would they do that? I am just one of the little guys! Not a big company like Network Solutions, which had over 500,000 credit card numbers compromised.
Well, if you want all the tips for protecting your website with effective passwords, visit the following link: EFFECTIVE PASSWORDS.