
    Securing your website, no matter what kind of website, can be a big job. Most of the things you need to do are common sense and awareness. We don't expect you to know how to sanitize database queries, but rather that you know and realize that there are resources and standards to use and follow. This post, designed to be very simple, will help you get on board with PCI DSS compliance. Remember, June 30th, 2012 is D-Day: all merchants accepting credit cards will be required to be PCI compliant.

    I suggest that you first start with our first post in this series, PCI, Passwords & Aggravation.

    Welcome back. Now let's get on with securing your website.

    If you accept credit cards on your website (people enter a credit card number on your website) you are required to be PCI DSS compliant as of June 30th, 2012. There are no excuses, exclusions, or get-out-of-jail-free cards. Man up and get to work.

    • The very first thing you need to do is limit and control access to your website and web hosting. Wherever possible, limit each person's access to what their task requires: don't give the order processor access to your whole admin, and don't give the person who uploads images over FTP access to the root of the site. Each person must have their own individual, unique login, so ten employees can never share one set of credentials (without that, you cannot tell who did what).
    • Use strong passwords of 8 characters or more, with upper and lower case letters, numbers and symbols wherever possible. Do not use names or real words in them. Do not use the same password for more than one application. Do not store them unprotected or send them electronically in the clear.
    • Change ALL passwords associated with your website every 60-90 days. Log the changes with a date, per person... but NOT the passwords themselves. This means PayPal, gateways, admin, hosting, email, etc.
    • Contact your merchant bank and find out what they require from you to demonstrate compliance. They may push a specific PCI scanner on you (which is really BS; you should be allowed to use whomever you want as long as they are a PCI SSC Approved Scanning Vendor, or ASV). Fill out your SAQ (help with SAQ), get your scans done at least quarterly and submit them to your merchant bank. We use Trust Guard because we like the seals, they use an approved scanning vendor and the price is very reasonable (not the cheapest, but excellent service and a less than average price).
    • Keep server software, website software and computer software of any kind up to date. For example, if you use Zen Cart, when you click on the version in the top right of your admin it should say 1.5.0... if not, you are required to upgrade now.
    • ALL login forms and checkout pages must be served over SSL/TLS (HTTPS). The page that contains the form must itself be HTTPS, not just the page it posts to, otherwise an attacker on the path can alter the form before it reaches the browser. So that sidebox login on your plain-HTTP main page has to go!
    • Make sure you stay up to date with software upgrades and patches. Most software platforms have an RSS feed or newsletter you can subscribe to or follow to be informed of updates and patches. Zen Cart's update forum is here; either check it frequently or subscribe to the thread. WordPress updates can be checked from your dashboard, or here and here.
    • Check Secunia for advisories about the software you run. Below is a shortlist.

    CKEditor / FCKeditor ~ Security Advisories
    Coppermine Photo Gallery ~ Security Advisories
    CubeCart ~ Security Advisories
    Drupal ~ Security Advisories
    Joomla (all versions) ~ Security Advisories & Joomla Vulnerable Extensions List (VEL)
    Mambo ~ Security Advisories
    osCommerce ~ Security Advisories
    phpBB ~ Security Advisories
    TinyMCE ~ Security Advisories
    WordPress ~ Security Advisories
    Zen Cart ~ Security Advisories

    • Have your web host or another trusted company deep scan your website for malware and infected files quarterly. Sucuri has an excellent malware scanning service that we recommend. They will even remove it for you if found.
    • Implement and enforce a company Information Security Policy. Believe it or not, you actually have to tell employees not to share customers' information... common sense is NOT so common any more. Here is an example of one of our data policies (https://pro-webs.biz/data/).
    • Restrict physical access to company systems and records with cardholder data to only those employees with a business "need-to-know."
    • DO NOT store cardholder data... Just don't, it's not smart for them or for you. Let your gateway hold it: a card number that never touches your server cannot be stolen from it.
    • Develop and maintain a vulnerability management program. This sounds worse than it is. Basically, write down the things you are doing, need to do and want to do to reduce vulnerabilities within your company, and keep that list current.
    • If you accept credit cards on the phone and enter them into a gateway or terminal, you must also have your office IP(s) scanned.
    • NEVER allow access to your website's admin, FTP or hosting over WiFi or from an employee working from home.
    • Your web hosting CANNOT have ANY plain-text logins. This means all hosting control panel functions, email access (even through software such as Outlook) and FTP must be protected by a TLS connection. (SSL 3 was still tolerated by PCI DSS in 2012; later versions of the standard prohibit SSL and early TLS altogether, so configure TLS only.)
    • Use your head... if it seems unsafe or dumb, IT IS!
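    The quarterly malware scan in the list above is a job for a professional service, but it helps to know what such a scan looks for. Below is an added example, written for this edit and not code from the original post or from any vendor named here: a small indicator scan over a web root, run against a constructed sample site. The file contents, the indicator patterns and the upload directory names are all assumptions for illustration; a real scan uses a maintained signature set and a file-integrity baseline. It flags PHP that evals a decoded payload, request parameters passed straight to a shell, hidden iframes, referrer-conditional redirects in .htaccess, and PHP files sitting in directories that should only hold uploads.

```python
import re
import tempfile
from pathlib import Path

# Illustrative indicators of injected code on a compromised shop. This handful
# is an assumption for the example, not a maintained signature set.
INDICATORS = {
    "eval of an obfuscated payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request parameter passed to a shell": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "hidden iframe injection": re.compile(
        r"<iframe[^>]+(?:visibility\s*:\s*hidden|width\s*=\s*[\"']?0)", re.I),
    "referrer-conditional redirect in .htaccess": re.compile(
        r"RewriteCond\s+%\{HTTP_REFERER\}.*\n\s*RewriteRule\s+.*https?://", re.I),
}
SCAN_SUFFIXES = {".php", ".phtml", ".inc", ".js", ".html", ".htm"}
UPLOAD_DIRS = {"images", "uploads", "cache", "tmp"}   # assumed upload locations


def scan_file(path):
    """Return (path, indicator, line) for every indicator match in one file."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    hits = []
    for label, pattern in INDICATORS.items():
        for match in pattern.finditer(text):
            line = text.count("\n", 0, match.start()) + 1
            hits.append((str(path), label, line))
    return hits


def scan_tree(root):
    """Walk a web root, scan script/markup files, and flag PHP in upload directories."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name == ".htaccess" or path.suffix.lower() in SCAN_SUFFIXES:
            hits.extend(scan_file(path))
        parents = set(path.relative_to(root).parts[:-1])
        if path.suffix.lower() in {".php", ".phtml"} and parents & UPLOAD_DIRS:
            # A script where only images should live is suspicious regardless of content.
            hits.append((str(path), "PHP file inside an upload directory", 0))
    return hits


# Constructed sample site: one clean file, four with injected content.
# The base64 string decodes to "PAYLOAD"; it is a placeholder, not real malware.
SAMPLE_FILES = {
    "index.php": "<?php\nrequire 'includes/application_top.php';\necho 'Welcome';\n",
    "images/cache.php": "<?php\n/* cache */\neval(base64_decode('UEFZTE9BRA=='));\n",
    "admin/upload.php": "<?php\nif (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }\n",
    "includes/footer.php": '</div>\n<iframe src="http://example.invalid/x" style="visibility:hidden" width="0"></iframe>\n',
    ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\\.com [NC]\nRewriteRule ^(.*)$ http://example.invalid/ [R=302,L]\n",
}


def build_sample_site(root):
    """Write the constructed files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build the constructed site in a temporary directory, scan it, return the hits."""
    root = tempfile.mkdtemp(prefix="pci-scan-")
    build_sample_site(root)
    return scan_tree(root)


if __name__ == "__main__":
    for path, label, line in demo():
        print(f"{path}:{line}  {label}")
```

    Point scan_tree at a copy of your document root and read every hit; index.php above produces none, while the injected files produce one each and images/cache.php produces two (its content and its location). Pattern scans like this catch the noisy, common injections and miss anything novel, which is why the quarterly scan by a service with a current ruleset, and a comparison of your files against a known-good copy, are the real controls.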

    While PCI compliance is not a law (yet), there are state laws already in effect that write portions of the PCI Data Security Standard (PCI DSS) into law. In addition, there has been a big push by legislatures and industry trade associations to enact a federal law on data security and breach notification.

    Many businesses only implement the rigid letter of the PCI DSS standard, kinda like "state minimum car insurance". They have technology and processes in place that satisfy the exact letter of the standard, but do nothing else to provide real security for their business. It is crucial that YOU and everyone in your company embrace the spirit of the standard. Call it hyper-vigilance, or an awakening, but the days of "I did what I had to, so we're cool" are over. Like any other set of standards or rules, PCI DSS can only account for the common potentially vulnerable situations; it does not know your business or your routines. You and the people you work with must develop a sense of urgency and awareness to catch potential vulnerabilities within your own organization.

    Q: What are the penalties for noncompliance?
    A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase your transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

    It is important to be familiar with your merchant account agreement, which should outline your exposure.

    PCI, PASSWORDS & AGGRAVATION

    With June 30th creeping up on us, we are rushing to upgrade websites, upgrade servers, secure mail, block port access, require password strength and rotation and, of course, block hackers from websites. PCI DSS compliance is a daunting thing; it looms over our heads with the potential to be heavily fined for not obeying its standards. Some shop owners, like ourselves, have been obeying these standards for many years already. Others are just getting started or are still in denial.

    Interestingly, not all of our clients are thrilled that we are, and will continue to be, delivering the safest PCI compliant hosting that we can. We update clients as we continue down the road of maintaining our servers' PCI DSS compliance. In response to these updates about new password strength requirements, requiring that clients keep their software up to date, etc., we have received a mixed bag of mostly aggravated feedback. We have been yelled at, complained about publicly, and some clients have even moved their websites to avoid PCI.

    I do wonder what these folks will think when June 30th passes and their merchant bank fines them, suspends their account or uses any of the other power plays merchant banks will possess to force PCI DSS compliance among their account holders. I also wholeheartedly hope that this will create an opportunity for the PCI-ready and already compliant merchants in the marketplace. Historically speaking, it will create financial opportunities for the PCI compliant vendors who will still be able to process credit card transactions... while the "non-believers" use PayPal as they scramble to attain compliance so they can accept credit cards again.

    So starting today with this post, we are going to cover the PCI DSS basics in detail, so shop owners can make better choices and start (or continue) down the road to compliance. Today's topic is your own computer's security.

    Why does it matter that I have secured my PC? It's not hosting my website, you know.

    Ahhh, this one is such a fun question! I could point to over 50 cases in the last 2 years where a client's failure to maintain their own personal security allowed their website to be hacked, but I would prefer to cover some basic security techniques to prevent it instead. By the way, if you use a Mac and think you are exempt, you are dead wrong, no matter what the "Apple Guy" tells you. Checking the numbers, about 20% of the hacks that originated from the website owner's own computer involved a Mac. Given that only a small percentage of people use Macs, this is really quite high! I think that Apple has gone out of its way to create a false sense of security among its users... But, in the end, it is you, the person who owns the computer, who is at fault, not Apple.

    There are several areas you need to observe to manage your own personal security. I will break these down in a simple format and hope to help you be more secure and protect your shoppers better.

    PASSWORDS

    I am still in complete AWE when clients, whom we don't even know, shoot us access information in an email! Worse yet, we get the email from a Hotmail or other free account, the username is admin and the password is password01... Really scary! This post, How I'd Hack Your Weak Passwords, is a MUST read... it will scare the crap out of you, as it should.

    Really Simple Password Rules to Live By:

    • Never use real words; use made-up ones if you must use a word. Names and known words make cracking your password a piece of cake, because an attacker tries dictionaries and name lists long before resorting to brute force.
    • Always use numbers, letters (mixed case) and punctuation when possible.
    • Always make your passwords a bare minimum of 8 characters... 12 is much better.
    • Change all passwords every 60-90 days.
    • Never create one shared login with the same password for several users... every user needs their own unique login.
    • Passwords must not be transmitted over the Internet by email or any other form of communication without being encrypted.
    • Passwords should never be written down or shared with anyone.
    • Use different passwords for each website or application... at the very least DO NOT use your hosting access passwords ANYWHERE else, ever.
    • You must log the dates of password changes and who has access to anything that comes in contact with your website.

    I had to post this chart to demonstrate how quickly simple passwords are cracked; it is rather eye opening. Note that the chart assumes exhaustive guessing at one fixed rate; modern GPU cracking rigs run many times faster against common hash types, so read the numbers as relative, not absolute.

    Password Length    All Characters               Only Lowercase
    3 characters       0.86 seconds                 0.02 seconds
    4 characters       1.36 minutes                 0.46 seconds
    5 characters       2.15 hours                   11.9 seconds
    6 characters       8.51 days                    5.15 minutes
    7 characters       2.21 years                   2.23 hours
    8 characters       2.10 centuries               2.42 days
    9 characters       20 millennia                 2.07 months
    10 characters      1,899 millennia              4.48 years
    11 characters      180,365 millennia            1.16 centuries
    12 characters      17,184,705 millennia         3.03 millennia
    13 characters      1,627,797,068 millennia      78.7 millennia
    14 characters      154,640,721,434 millennia    2,046 millennia
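    The password rules and the chart above can be turned into one small check. The following is an added example, written for this edit and not code from the original post or from the article it links: it validates a password against the list above (12-character minimum, mixed case, a digit, punctuation, no dictionary word, with a constructed handful of words standing in for a real word and name list) and reproduces the chart's crack-time figures. The chart's numbers are consistent with an exhaustive search of the 95 printable ASCII characters at about one million guesses per second, using 365-day years; that rate is my inference from the numbers, not something the post states, and it is the assumption the estimate below uses.

```python
import string

# Assumed guess rate: the chart is consistent with about one million guesses
# per second against the 95 printable ASCII characters (my inference, not a
# figure stated on the page).
GUESSES_PER_SECOND = 1_000_000
PRINTABLE = 95          # 26 lower + 26 upper + 10 digits + 33 symbols (incl. space)
LOWERCASE = 26

# Constructed stand-in for a real dictionary and name list.
COMMON_WORDS = ("password", "admin", "welcome", "letmein", "summer", "qwerty", "jennifer")

SECONDS_PER_YEAR = 365 * 86400   # the chart uses 365-day years
UNITS = (
    ("seconds", 1),
    ("minutes", 60),
    ("hours", 3600),
    ("days", 86400),
    ("months", SECONDS_PER_YEAR / 12),
    ("years", SECONDS_PER_YEAR),
    ("centuries", 100 * SECONDS_PER_YEAR),
    ("millennia", 1000 * SECONDS_PER_YEAR),
)


def brute_force_seconds(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst case: all alphabet_size**length combinations tried at `rate` per second."""
    return alphabet_size ** length / rate


def humanize(seconds):
    """Pick the largest unit that fits and round to two places, as the chart does."""
    name, size = UNITS[0]
    for unit_name, unit_size in UNITS:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    return round(seconds / size, 2), name


def alphabet_for(password):
    """Size of the character set an attacker must cover, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    return size


def password_problems(password, min_length=12):
    """Rule violations from the list above; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    lowered = password.lower()
    words = [w for w in COMMON_WORDS if w in lowered]
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


def assess(password):
    """Rule check plus the chart-style worst-case time to brute-force this password."""
    value, unit = humanize(brute_force_seconds(len(password), alphabet_for(password)))
    return {"problems": password_problems(password), "worst_case": f"{value} {unit}"}


if __name__ == "__main__":
    # Reproduce the chart's two columns from the assumed rate.
    for length in range(3, 15):
        all_chars = humanize(brute_force_seconds(length, PRINTABLE))
        lower = humanize(brute_force_seconds(length, LOWERCASE))
        print(f"{length:>2} characters  {all_chars[0]:>18,} {all_chars[1]:<10} "
              f"{lower[0]:>10,} {lower[1]}")
    for candidate in ("password01", "Vq7!mzR2#pLw9"):
        print(candidate, assess(candidate))
```

    Run it and the first loop prints the chart's two columns. Compare the two halves of the check for password01: the exhaustive-search estimate over its 36-character alphabet comes out to over a century, yet the rule check rejects it immediately, because an attacker tries dictionary words and common patterns first and never needs the exhaustive search. The estimate only means something once the rule check passes.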


    SECURING YOUR COMPUTER

    This one can be quite challenging; there are so many things to do. The list I am about to provide is really a short list of the things you really must do.

    • Keep ALL software on your computer up to date, especially Adobe products. The Secunia Online Software Inspector (OSI) will check them for you, for free.
    • Use a great virus scanner; I highly recommend McAfee. Trend Micro has a decent product, but there have been countless times when we were cleaning up a hacked website, scanned the local files with Trend Micro on the intake computer, and McAfee then found viruses in them afterwards.
    • Virus scanning isn't enough, you need a firewall... again, McAfee's firewall and real-time scanning are really superb.
    • Some infections are not viruses and will not be caught by a virus scanner. Malware, browser helper objects (BHOs) and other dangerous scripts can infect your computer just from browsing the Internet. We suggest Malwarebytes to scan for these dangerous items. It's also free.
    • Change your network passwords, including router, modem, login, etc., every 60 to 90 days and make them strong passwords too.
    • Turn OFF WiFi on your work computers... at the very least, secure your wireless network. PC World has a simple post to step you through securing your WiFi here.
    • Remove unnecessary software from your computer, especially programs that reach out to the Internet.
    • Clear your browsing history, cache, cookies, etc. every day. We use CCleaner to do so; it's also free. If someone gains access to your machine, some of your juiciest information is stored in your web browser's cache. There is enough in almost every browser on earth to mount a social-engineering attack: a hacker could gain access to your personal data and then use it to pose as you.

    Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their email box isn't important because "I don't get anything sensitive there." Well, that email box is probably connected to your online banking account. If I can compromise it, then I can go to the bank's website, tell it I've forgotten my password and have the reset emailed to me. Now, what were you saying about it not being important?

    It is your duty to secure your devices, restrict access and manage your own personal security to protect your customers.

© 2003-2012 PRO-Webs, Inc. Woodbine, GA 31569-2051