Mr Site Guy

Websites That Mean Business For Small Business


Security Equals Sales


The title works on two levels: 'security equals sales!'  Security as in trust.  Security as in protection.  Brilliant!

It's about building trust online.

It's no secret.  IBM published a white paper on it, with numbers and everything.

Website visitors look for a security seal and other evidence
of legitimacy before they spend their money.

That's what it takes to increase your sales: be trusted, and show it with a security seal.  70% of the survey's respondents said they look for one before they buy.

At stake is your business reputation, customer trust and on-line revenue.

Mr. Site Guy is a provider of security services.

Here's the security landscape for an e-commerce website.  There are multiple aspects of this - some even overlap a bit.  I know that sounds like I just made it complicated.  It's OK.  Mr. Site Guy is on the job.  Here we go:

  • SSL certificates
    • encrypts the connection between the shopper's browser and your site, so card numbers and passwords can't be read or altered in transit, and proves to the browser that the site really is yours
    • purchased / renewed yearly
    • no on-going maintenance beyond the yearly renewal (let it lapse and every visitor gets a browser warning instead of your checkout page)
  • Expert site lock-down
    • do the things it takes to create a fortress out of your website
    • meet the mandates of the PCI DSS *
    • this is on-going: scanned quarterly, and reviewed whenever the site changes (other than content)
  • Malware and vulnerability scans
    • daily site scans are performed
    • purchased / renewed yearly
    • Mr. Site Guy offers a low-price annual resolution services agreement


SSL Certificates.  There are different grades of SSL certificates:  a) good  b) better  c) best.  In industry terms those are domain-validated, organization-validated and extended-validation certificates.  The grades differ in how thoroughly the certificate authority checks who you are before issuing, not in the strength of the encryption, which is the same for all three.

Here's the goofy part - you knew there was going to be one, and you knew I'd give you the inside scoop.  There are at least 5 major providers of SSL certificates, and technically there is no meaningful difference in their products: they all meet the same standards, and browsers trust them all the same.  What is different is consumer recognition and trust level - oh, and price.  Buy a 'best' grade cert from GoDaddy and it costs a fraction of what it costs from VeriSign.  But consumer recognition belongs to VeriSign.  Well, and the logo from VeriSign is more cool, and that really is all that matters.  That, and their claim that 93% of Internet shoppers preferred the VeriSign brand.  Now you know.

 

Expert Lock-down.  Absolutely!  Attackers are out there, and they are tenacious and predatory.  They're after your payment data, your reputation, and the fun of defacing and vandalizing your business.  And they dare you to stop them!  You thought your competition was ruthless.

This security section applies to everyone who takes card payments, not just e-commerce websites.  Your neighborhood grocery store, restaurants and Amazon.com are equally affected.  If you're an Internet e-commerce merchant then you're affected, too.  This section is mandatory - says Visa, MasterCard and Discover.

The worst part of all: if you get hacked, you are liable!  So yes, we're in the age of PCI and the PCI Security Standards Council's standards.  What I'm about to tell you I know first-hand.  You can be minding your own business, running your day-to-day thing, and if you get hacked into and they get credit card data, and you haven't done the things to protect your operation per the PCI DSS, you are liable.  This isn't a $50 fine.  This is lawyers, the US Secret Service, your bank, and significant fines.  Oh, and your transaction fees are going up.  No, this isn't limited to the top tier merchants.  They're going after the little guys.

What to do?  On the PCI Security Standards Council website you'll find the PCI DSS (the specification document).  It is organized around these six principles and the twelve requirements that go with them:

  • Build and Maintain a Secure Network
    • Requirement 1:  Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2:  Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3:  Protect stored cardholder data
    • Requirement 4:  Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5:  Use and regularly update anti-virus software
    • Requirement 6:  Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7:  Restrict access to cardholder data by business need-to-know
    • Requirement 8:  Assign a unique ID to each person with computer access
    • Requirement 9:  Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10:  Track and monitor all access to network resources and cardholder data
    • Requirement 11:  Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12:  Maintain a policy that addresses information security

 

Malware and vulnerability website scans.  Start safeguarding your e-commerce website, protecting your online revenues, and keeping your customers' information safe from hackers, viruses and identity theft with Trend Micro SecureSite.

A thorough malware and vulnerability scan checks for:

  • links to sites that host viruses or other malware
  • website hijacks
  • SQL injection vulnerabilities, which let an attacker pull data straight out of your database
  • cross-site scripting (XSS)
  • bots
  • unauthorized access to the host server's operating system
  • infected scripts that carry malware payloads such as viruses

 

The numbers make the case that websites need ongoing protection:

  • Trend Micro Labs reported in 2008 that 40% of web threats involved legitimate sites unknowingly distributing malware
  • more than 28,000 known XSS vulnerabilities at named websites, only 5% of them fixed (www.vssed.com, Aug 2008)

 

Other, less dramatic factors that demonstrate security and legitimacy:

  • a Better Business Bureau logo
  • publishing a privacy policy on your website
  • industry membership logos
  • responding to published email addresses and 'contact us' forms


* Mr. Site Guy does not claim its services solely and wholly make any merchant totally PCI compliant.  Being PCI compliant is a complex, multi-phase process in which Mr. Site Guy services contribute portions toward the larger solution.  Merchants must fill out and submit a self-assessment questionnaire (SAQ), normally to their acquiring bank; the PCI Security Standards Council publishes the standard, but it is the acquirer and the card brands, not the Council, who judge whether a merchant is compliant.