PCI Standards in Today's World

More than once we’ve talked about PCI compliance standards and PCI guidelines. Basically, PCI standards, PCI compliance and PCI guidelines all refer to the same thing. The Payment Card Industry Security Standards Council has set forth a list of criteria, or “standards”, to which business owners must adhere in order to continue with e-commerce.

Why has the PCI Council set forth a series of PCI standards? The answer is pretty clear cut — because identity theft has become one of the most rapidly growing and problematic issues to date. In fact, identity theft is a crime that’s growing at astronomical rates worldwide. As such, the development of PCI standards seeks only to protect businesses and consumers from would-be ID thieves.

PCI standards vary from merchant to merchant based on specific merchant levels. These merchant levels are derived from a series of criteria compiled by the PCI Council. Depending upon which merchant level your business carries, your PCI standards may differ from those of another merchant. However, if you plan to continue in e-commerce or you have aspirations of accepting credit card or debit card payments through your website, you will be required to know and adhere to your specific PCI standards.


PCI Scanning

PCI stands for payment card industry. As such, there isn’t much call for the average citizen to gain a PCI education. However, if you own your own company or you’re operating an e-commerce website, PCI scanning could be very important to you. In fact, many online business owners are told that they need PCI scanning in order to operate successfully. Unfortunately, far too often, business owners are told they need PCI scanning but are never given a clear indication of what PCI scanning actually does. If you’re interested in learning more about PCI scanning and what it can mean to you and your online business, read on for a little education.

First of all, the acronym PCI (as aforementioned, payment card industry) often refers to the PCI Council. The PCI Council is more formally called the PCI Security Standards Council. This council was founded by the five major credit card companies: MasterCard, Visa, American Express, Discover, and JCB. The goal of the organization is to maintain a uniform and universal set of security standards that must be followed by any business that processes a credit card or debit card transaction. If you run an online business — this means you.

In order to operate legally and process online payments, you must comply with the specification set forth by the PCI Council. One of the best ways to accomplish this is through the use of PCI scanning. PCI scanning is also called vulnerability scanning — the two are one and the same. Basically, PCI scanning is the process by which an Approved Scanning Vendor (PCI ASV) scans and reviews each and every publicly accessible IP address that has anything to do with your company’s webpage or any transaction that you process from it.

In most cases, the IP address included in a PCI scan is your company website’s IP address. However, it is common practice for many online businesses to transfer customers to a “shopping cart”, and this shopping cart may be hosted by a third party. If this is the case for you, you would need to include the IP address of your shopping cart as well.
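As an added illustration of the scoping rule above (this is example code, not from the page or from any vendor it names), the following Python script compares a constructed ASV-style scan report against an inventory of the public IPs that are in scope, including a hypothetical third-party cart host. All IPs, host names and findings are constructed. The pass/fail rule it applies (a finding with a CVSS base score of 4.0 or higher on any in-scope host fails the scan) comes from the PCI ASV Program Guide rather than from this page; the report column layout is an assumption, since real ASV reports are vendor-specific.

```python
"""
Triage an ASV-style external scan report against a PCI scope inventory.

Added example (not the page's or any vendor's code). Assumes a constructed
CSV report format; applies the ASV Program Guide rule that any finding with
CVSS base score >= 4.0 on an in-scope host fails the scan.
"""
import csv
import io
from collections import defaultdict

# Constructed scope inventory: every public IP that handles the site or its
# transactions, including the hosted (third-party) shopping cart.
SCOPE = {
    "203.0.113.10": "www.example-shop.test (web server)",
    "203.0.113.11": "api.example-shop.test (payment API)",
    "203.0.113.12": "mail.example-shop.test (order receipts)",
    "198.51.100.25": "cart.thirdparty-host.test (hosted shopping cart)",
}

# Constructed scan output. Columns: ip,port,service,finding,cvss
SAMPLE_REPORT = """ip,port,service,finding,cvss
203.0.113.10,443,https,TLS 1.0 enabled,4.3
203.0.113.10,80,http,Missing HTTP security headers,2.6
203.0.113.11,443,https,Certificate valid,0.0
198.51.100.25,443,https,Outdated web server version,7.5
192.0.2.77,22,ssh,SSH banner exposed,2.1
"""

FAIL_THRESHOLD = 4.0  # ASV Program Guide: CVSS >= 4.0 is non-compliant


def parse_report(text):
    """Parse the CSV report into dicts; cvss becomes float, port becomes int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["cvss"] = float(row["cvss"])
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def triage(rows, scope, threshold=FAIL_THRESHOLD):
    """Per-host verdicts plus two scope checks:
    - 'unscanned': in-scope hosts missing from the report (scan did not cover them)
    - 'unexpected': scanned hosts missing from the inventory (inventory is incomplete)
    The overall scan passes only if every in-scope host was scanned and clean."""
    findings_by_ip = defaultdict(list)
    for row in rows:
        findings_by_ip[row["ip"]].append(row)

    hosts = {}
    for ip in scope:
        failing = [f for f in findings_by_ip.get(ip, []) if f["cvss"] >= threshold]
        hosts[ip] = {
            "scanned": ip in findings_by_ip,
            "failing": sorted(f["finding"] for f in failing),
            "pass": ip in findings_by_ip and not failing,
        }
    return {
        "hosts": hosts,
        "unscanned": sorted(ip for ip in scope if ip not in findings_by_ip),
        "unexpected": sorted(set(findings_by_ip) - set(scope)),
        "overall_pass": all(v["pass"] for v in hosts.values()),
    }


def summarize(result, scope):
    """Render the triage result as plain text lines for a human reader."""
    lines = []
    for ip, v in result["hosts"].items():
        status = "PASS" if v["pass"] else ("NOT SCANNED" if not v["scanned"] else "FAIL")
        lines.append(f"{status:11} {ip:15} {scope[ip]}")
        for finding in v["failing"]:
            lines.append(f"             - {finding}")
    for ip in result["unexpected"]:
        lines.append(f"INVENTORY?  {ip:15} scanned but not in scope list - add or justify")
    lines.append("OVERALL: " + ("PASS" if result["overall_pass"] else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(parse_report(SAMPLE_REPORT), SCOPE), SCOPE))
```

The two scope checks are the part worth keeping: a clean report is meaningless if the cart host was never scanned, and a host that shows up in the report but not in your inventory means the inventory, not the scanner, is what needs fixing before the next quarterly scan.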

Running an online company can be stressful enough; this is especially true in times of economic crisis and during times when Internet and electronic crime is at an all-time high. Because of this, PCI scanning is becoming increasingly popular and increasingly efficient. A few moments researching PCI scanning online will reveal a world of information you may not have known existed. You will also find that PCI scanning, and whatever you pay for it, is a small price in comparison to the benefits you will reap from such a service.

In short, PCI scanning is required in order for you to be in 100% compliance with the PCI Council’s regulations for online transactions. Aside from that, PCI scanning will allow you to protect yourself and your customers, establishing you as a reputable retailer.

If you would like to find out more about PCI Scanning and how it can help secure your business then you should take a look at McAfee Secure, Trust Guard, and Control Scan.

Vulnerability Scanning Details

What is Vulnerability Scanning?

Is your company dealing with online transactions and processing of any cardholder data? Then you need to make sure that you opt for vulnerability scanning and implement the necessary measures to provide yourself and your customers the strongest security possible on your website and servers. There are three different standards set out by the PCI Council for industries to maintain, and they are made mandatory by most payment card processors and acquirers.

The three standards that need to be met are the PCI Data Security Standard, the Payment Application Data Security Standard and the PIN Entry Device security requirements. Vulnerability scanning is provided by ASVs (Approved Scanning Vendors). These scanning vendors will normally provide you with reports that give you details regarding your vulnerability scan.

There is another step where each card brand (e.g. Visa, MasterCard) can assess you as a merchant by using the SAQ, or self-assessment questionnaire. Once you have carried out these vulnerability scanning processes, you need to make sure that you adopt the technology and processes required to maintain the required standards.

The security technology used for vulnerability scanning involves the use of software that will scan your servers for any of 25,000+ potential vulnerabilities. The security processes involve checking the current activity of the processes that are running on your network.

The PCI Data Security Standard requires certain goals to be maintained. These goals include building and maintaining a secure network, and maintaining a vulnerability management program by making use of scanning programs. There is also a necessity to make sure that the networks involved are tested and under controlled monitoring to avoid any possible hacker attacks. You must also restrict physical access to cardholder data.

It is always much better to have an encrypted standard for the transmission of data. This will make sure that the data flow happens in a secure manner, and reduces the possibility of the data being intercepted while it travels over your network.

You need to collect enough information on the facilities provided by vendors who help you with the vulnerability scanning procedure. Every transaction goes through three stages, called authorization, clearing and settlement. Each of these phases presents the vendor with several points where security is needed.

You need to conduct scans as frequently as possible to make sure that your customers are safe and secure when shopping with you. Quarterly and daily scans are available from most scanning vendors. It is much better to opt for daily scans, as this provides a better system of security in which you are granted all the security measures required to keep your system away from hackers.

If you would like to learn more about Vulnerability Scanning then we suggest you check out a PCI Scanning vendor that will meet the top requirements for the PCI standards.

PCI Compliance Explained by Ward Spangenberg

So I figured Ward Spangenberg could say it just as well as anyone on exactly what PCI Compliance is and how it can help your company. So either read the transcript of his YouTube video below or watch the video itself. PCI Compliance is so important that you don’t want to miss this.

“Hi, my name is Ward Spangenberg. I’m a Delivery Director with IOActive, in Seattle, Washington. Today, I’m going to talk about PCI and what it means to Europe and how it’s affecting operations in Europe. The first question you might ask is “What is PCI?” PCI stands for Payment Card Industry. That doesn’t mean much. What we’re really talking about are the Data Security Standards, so PCI DSS.

These are twelve standards requirements that are required by companies that process credit cards. We have three different types of companies that do this. We have Level 1, Level 2, and Level 3 merchants.
The merchant level is based upon the number of credit card transactions that occur during a year’s span. Anything less than a million cards would be considered a Level 3 merchant. Anything from one million to five million is going to be a Level 2 merchant. Anything beyond five million is going to be a Level 1 merchant.

With Level 1 merchants, those are required to have a third party come in and perform an audit. That’s what I do. I’m the auditor. What happens is I have to understand all twelve of those requirements and sub-points underneath those requirements. We have things like understanding firewalls and the firewall rule sets, to actual compliance regulations. Do you have HR? Are you doing things like background checks on your employees? It’s a comprehensive baseline. This is really important to understand with PCI. It’s not the end-all/be-all of security. It’s the start of a good security program.

Why is this important to you? The big thing is a merchant, a retailer, or anybody who takes credit cards, this is important to you because it allows you to have the baseline, the beginning of a security program. As I said, it’s the requirements. We can talk about the requirements.

Requirement number one is having network diagrams. It’s amazing, today, how many companies don’t know what their networks look like. One of the first requirements is sitting down and documenting, and understanding what your network is all about, understanding what your firewalls are doing, understanding what rule sets are involved in this firewall. Are we protecting credit card data that is coming in and out through our Web applications? Are we segregating databases properly between what’s exposed on the Internet and what’s protected in the background?


Trust Guard Launches PCI Scanning

The world is changing and hopefully we are changing as well as online business owners. PCI Scanning in the online world is changing and becoming more and more important for any internet business, and Trust Guard is here to the rescue. Trust Guard has just announced the launch of its new PCI Scanning services for online merchants around the globe. This new service gives Trust Guard the unique ability to combine the power of PCI Scanning with their industry-leading 3rd party security, privacy, and business verification services, further solidifying Trust Guard as one of the leading brands in online trust seals.

Now if you don’t know what PCI Scanning is then I suggest you read this great article by Trust Guard CEO Scott Brandley called PCI Scanning Simplified and Explained.

“What is the difference between Trust Guard and McAfee Secure (formerly Hacker Safe)?”

As far as PCI Scanning goes, both companies comply with PCI security standards to perform all vulnerability scans, and both companies generate Executive Reports with Approved Scanning Vendor numbers, which is necessary in order for the scans to be properly accepted by your bank (or acquirer). However, that’s where the similarities end and where Trust Guard really pulls ahead from the competition.

Trust Guard PCI Scanning is unique to all other scanning services on the market, including McAfee Secure, because we combine world class PCI Scanning with our leading 3rd party website verification services to provide the ultimate security, privacy and business verification seals online. Trust Guard’s services are very affordable for small business owners, while providing more credibility and value than our competitors, because we actually resolve three customer concerns (Security, Privacy, and Business Identity) whereas our competitors only resolve one.

Trust Guard ASV Certified PCI Scanning Features

Main Features:

  • Daily or Quarterly scans with seals to protect your server against 30,000 vulnerabilities
  • ASV certified PCI Scanning combined with Trust Guard’s Website Verification adds more credibility
  • No software or programs to download or install
  • Automated scanning with email notifications so you’re always up-to-date
  • Professional PCI support available to help you with your compliance needs

Besides being the only company to offer PCI security, privacy, and business identity seal options, Trust Guard plans to further differentiate itself by being the only company to offer Quarterly PCI seals in addition to Daily seals. Furthermore, Trust Guard’s pricing structure is targeted primarily at businesses processing fewer than 20,000 transactions per year, with prices equivalent to about half the price of competitors such as McAfee Secure and Control Scan.

Because PCI scanning services and requirements can be very confusing, Trust Guard has gone to great lengths to help simplify the process while making it easier to understand. Laws are continually changing and most online business owners don’t understand the importance of PCI scanning and therefore miss out on the power of giving consumers the protection and confidence they’re looking for.

Privacy Seal Upgrade

What is a “privacy seal”? It is a special seal or emblem that a company allows you to put on your website to let the public know that you are protected by that company. Some companies that offer a privacy seal are the BBB (Better Business Bureau), Trust Guard, TRUSTe, etc. Privacy seals are important for a website because of the security they offer the public. Just seeing these seals will inspire peace of mind for the consumer.

BBBOnLine is no longer accepting new applications for its Privacy seal program or its related Kids or JIPDEC seal programs. If your company is interested in building trust with visitors to your web site, consider the Trust Guard privacy seal program. It incorporates privacy notice requirements with other general good business practices to show site visitors that you have met high standards for the web.

Trust Guard also offers individual seals or a multi-seal package. This ensures that you are getting the right seal or seals for your business needs. Trust Guard is a service that helps online merchants increase visitor confidence on their website. When a merchant is approved and purchases Trust Guard seals such as the Security Seal, Privacy Seal, Business Verified Seal, and Certified Seal, they are given access to post the Trust Guard seals on their website. Visitors can click on the seals to view the verification certificate, giving confidence and helping convince the customer to buy. This can increase the merchant’s conversion rates by as much as 15-60%, and often even higher.

Here is a testimonial from a Trust Guard customer, “Your Privacy Verified seal gave me a 4x bump in my tests, and your Security Verified seal is converting the same as Hacker Safe! You’ve saved me about $1,300 per year, plus I’ll get more sales due to the additional seals!”
~ Richard Mouser
Mr. Water Filter

Another company that offers a privacy seal is TRUSTe. This is from their website: “Build trust and drive revenue with the TRUSTe privacy seal. Displaying the TRUSTe seal demonstrates that your site complies with our best practices. Sign up and let consumers know they can trust you more than other businesses when it comes to online privacy.”

Once again, isn’t peace of mind the best commodity you can offer a consumer? Seeing a privacy seal will not only offer this peace of mind, but it will also create a loyal customer for life!

BBBOnline Privacy Seals

Have you ever wondered what the Better Business Bureau does with online companies? Well, you are in luck because I did some research and found out about BBBOnline. With more and more trust problems online, the BBB comes to the rescue. BBBOnline is a wholly owned subsidiary of the Council of Better Business Bureaus and is targeted towards promoting trust and confidence in online business transactions.

BBBOnline works with the Federal Trade Commission to expose fraudulent businesses and scams that might be committed against general consumers by online businesses. How is that for protection? Pretty good, I would say!

BBBOnline provides three seals that certify that a website exercises responsible privacy policies and has met the strict guidelines set by the Council of Better Business Bureaus for conducting ethical business practices online.

The three seals provided by BBBOnline are:

1. Reliability Seal – This certifies that the company holding the seal is a member of the local Better Business Bureau and has met the guidelines set for ethical advertising and reliability.

2. Privacy Seal – This seal certifies that the company holding the seal conforms to the set guidelines for information privacy standards.

3. Kid’s Privacy Seal – The BBBOnline Kid’s Privacy Seal is targeted towards protecting privacy of information collected from children. The Kid’s Privacy seal is granted to only those websites that comply strictly with the guidelines set for safeguarding information collected from young children on the web.

The BBBOnline Privacy program offers the following:

1. A BBBOnline seal for online businesses that post privacy policies on their websites adhering to the required “core” principles such as security, choice and disclosure.

2. Monitoring of compliance by member businesses, by requiring participating companies to undertake at least an annual assessment of their online privacy policies.

3. Solutions for the settlement of online business disputes.

4. On non-compliance, specific consequences imposed on the company, including seal withdrawal, referral to government enforcement agencies and negative publicity.

You can always find out more at www.bbb.org/online where some of this information was extracted from.

The Better Business Bureau has been operational for more than 80 years and has been committed ever since to providing business reliability reports and online consumer dispute resolution, and to raising general awareness of ethical and unethical businesses among buying consumers. The main objective of the BBB is to help consumers build trust in businesses, and to help online businesses grow and maintain a healthy relationship with their customers.

Placing the BBBOnline seals on a website not only marks an online business as ethical in nature, but also helps the business win the trust of existing and potential customers and generate greater sales.

The internet today is flooded with scams and fraudulent business practices, which makes it difficult for buying customers to differentiate between a legitimate and an illegitimate business unless they see a reliability seal certified by a trusted and reputed organization such as BBBOnline. Once a customer sees the seal on a website, they can rest assured that the sensitive information passed on to the website is safeguarded and that the website conducts ethical business practices.

How to know if a website is BBBOnline certified

There are two ways to verify that a website is accredited by the BBBOnline privacy program.

1. A BBBOnline privacy seal will be placed on the website’s home page or the privacy policy page. A valid seal will always link back to BBBOnline’s website.

2. There is also a directory maintained by BBBOnline on their website where they list all the participating websites and even provide a search function for quick verification of a company or website.

We hope this article has helped you find out more about building trust and confidence with your online customers.

McAfee Secure Explained

Network perimeter and website intrusions are increasing day by day, and can result in critical damage to your business. McAfee Secure for Web Sites provides a number of services, such as web application scanning and daily network perimeter scanning (PCI Scanning), so that website owners have the latest information on their vulnerability risk profile. This also helps to establish consumer trust if you let customers know that their personal and private information is safe. It also includes all the benefits of the McAfee PCI Certification Service.

McAfee Secure has the following features:

• Network security management tool:

McAfee Secure provides a complete and handy range of network security management tools. It also helps to retrieve vulnerability data and other information needed to identify a quick remedy for the issues. McAfee Secure for websites also provides tools that inspect single websites or even complex networks.

• Entire network discovery:

McAfee Secure reduces the complexity of managing public IP network security. The advanced technology is intelligent enough to help you rapidly discover, recognize and observe network devices. It also helps to identify unauthorized services in any IP sub-net range.

• Network security review:

The scanning process includes three steps, which are: i) dynamic port scanning, ii) port-level network services vulnerability testing and iii) web application vulnerability testing. You can launch scans whenever it is required.

• Technical support when needed:

Certified security specialists are there to provide technical assistance online, by telephone or by email. With McAfee Technical Assist support you can obtain vulnerability remediation. In addition, you can also get recommendations for addressing security issues uncovered by the daily reviews.

McAfee Secure will provide you the following benefits:

• Ensures that the website does not have critical vulnerabilities:

Recognizes threats from potential issues before any damage is caused to your organization. An extra measure of security is provided through daily vulnerability scanning and active monitoring.

• Keeps your website free from malwares using the best practices:

Protects the system as well as its visitors from security threats, including virus infections, Trojans, phishing, spyware, etc. Thus it provides security against identity theft and other kinds of fraud and scams.

• McAfee Secure certification displays industry-standard security:

You can certify your real-time security status against a third-party standard formed by the world’s largest dedicated security company. You can also promote the certified security publicly by displaying the McAfee Secure trustmark on your site.

• Flawless software-as-a-service provisioning:

The online application is fast and user friendly and you don’t have to install any software or hardware.

• Protects your infrastructure and network perimeter using configurable scanning:

You can protect the entire network perimeter by enrolling the company domain and its IP addresses. You can also scan shopping carts, ports, internet services, servers etc. on a regular basis to keep known vulnerabilities away. The daily security status of the network perimeter is also available.

• Continuous coverage:

You can achieve flawless protection through continuous comparison of your current system configuration against known threats in scans. The vulnerability database is continuously updated from hundreds of sources worldwide.

• Provides the resources that are needed to certify PCI DSS compliance:

With the help of Visa International, McAfee Secure has developed a process that must be completed successfully to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

* Some of this information was found at Mcafeesecure.com