
PCI COMPLIANCE

Tuesday, December 16th, 2008

This article and its information were taken from an article in Website Magazine, the Magazine for Website Success. All credit belongs to them. Thank you, the Revolution Web Studios Team.

The face of e-commerce is about to change in a big way. In the coming months, the Payment Card Industry (PCI) implements DSS - the new standard in security practices for e-commerce companies. Whether you are an online merchant, webmaster or Web host, it is vital to understand the fundamental requirements of the PCI DSS (Payment Card Industry Data Security Standard) to keep your business and your clients from incurring stiff penalties.

The Payment Card Industry Data Security Standard

PCI DSS was developed by the founding brands of the PCI Security Standards Council, including American Express, JCB, Discover, MasterCard and Visa. The PCI Council established this standard to protect cardholder information. As a vendor, it is critical that you are not only aware of the new requirements, but also understand the tools and practices available to remain in compliance with the new standard.

The Need to Comply

PCI DSS provides a comprehensive set of requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The standards outlined by the PCI Council can be used to help build the security policies and structure for the enterprise, data centers and your customers. This set of standards should be used as a best practices guide to implement and follow.

Even though the PCI Council manages the underlying security standards, compliance is set independently by the individual brands. Each brand has its own set of penalties that can range from $8 per compromised account to more than $158,000 per incident, with additional penalties ranging from restrictions to outright loss of use.

PCI DSS Requirements

There are twelve major requirements to the PCI standard:

Build and Maintain a Secure Network

  • 1. Install and maintain a firewall configuration to protect card holder data.
  • 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  • 3. Protect stored cardholder data.
  • 4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  • 5. Use and regularly update anti-virus software.
  • 6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • 7. Restrict access to cardholder data by business need-to-know.
  • 8. Assign a unique ID to each person with computer access.
  • 9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • 10. Track and monitor all access to network resources and cardholder data.
  • 11. Regularly test security systems and processes.

Maintain an Information Security Policy

  • 12. Maintain a policy that addresses information security.

In June 2008, the PCI Council added Appendix A, “PCI DSS Applicability for Hosting Providers.” In a nutshell, all service providers with access to cardholder data (including hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that hosting providers must protect each entity’s hosted environment and data. Therefore, hosting providers must give special consideration to the following.

A.1 - Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, as in A.1.1 through A.1.4:

A.1.1 - Ensure that each entity only has access to its own cardholder data environment.

A.1.2 - Restrict each entity’s access and privileges to its own cardholder data environment only.

A.1.3 - Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10.

A.1.4 - Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.

A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS. Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not necessarily guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.

Besides being good security practice, providing the procedures, processes and tools to meet these requirements can be a competitive advantage for a Web hosting company. Specifically, it differentiates your services from your competitors’ and entices e-commerce companies to host their sites with you.

Application Security

New for the latest release of PCI DSS is requirement 6.6. It requires that all Web-facing applications be protected against known attacks. Hosting companies over the years have become very good at protecting the networks and the operating systems from attacks, while the applications have been left vulnerable. Hackers are now attacking using SQL Injection and Path Traversal techniques to gain access to applications and vulnerable information.

Application security is an area that hosting companies have little or no control over. Once these hacks occur, and they do, expenses and man-hours mount as Web hosts deal with customer complaints. To combat these attacks the PCI DSS recommends installing an application layer firewall, known as a Web Application Firewall (WAF), in front of Web-facing applications. One example of a WAF is Applicure’s dotDefender, which works well for hosting companies, as it supports dedicated, shared and virtual environments running either Windows IIS or Apache on Linux platforms. Offering a WAF to clients provides the security they need for PCI compliance, additional revenue for Web hosts, and fewer customer care calls about hacking attacks.
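To make the application-layer filtering of Requirement 6.6 concrete, here is an added example (not dotDefender's code or anything from the article) of a minimal request inspector that flags the two attack classes the text names, SQL injection and path traversal, and writes its audit line to a per-tenant logger in the spirit of Appendix A.1.3. The tenant names, sample requests and the two signature patterns are constructed for illustration; a real WAF carries a far larger and more carefully tuned rule set.

```python
import re
import logging
from urllib.parse import unquote

# Constructed sample: request paths as a hosting provider's application-layer
# filter would see them, each tagged with the hosted entity (tenant) it belongs to.
SAMPLE_REQUESTS = [
    ("shop-a", "/product?id=42"),
    ("shop-a", "/product?id=42%27%20OR%20%271%27%3D%271"),
    ("shop-b", "/download?file=..%2F..%2Fetc%2Fpasswd"),
    ("shop-b", "/search?q=red%20shoes"),
]

# Illustrative signatures for the two attack classes named in the article.
# These are deliberately small; they are not a complete WAF rule set.
RULES = {
    "sql_injection": re.compile(
        r"""('|")\s*(or|and)\s+\S+\s*=|union\s+select|;\s*drop\s""", re.I),
    "path_traversal": re.compile(r"\.\.[/\\]"),
}


def classify(path):
    """Decode the request twice (so a double-encoded payload is seen in its
    final form) and return the name of the first matching rule, or None."""
    decoded = unquote(unquote(path))
    for name, pattern in RULES.items():
        if pattern.search(decoded):
            return name
    return None


def inspect(requests):
    """Classify each request and record hits on a logger named after the
    tenant, so every hosted entity gets its own audit trail (A.1.3).
    Returns a list of (tenant, verdict) pairs for the caller."""
    results = []
    for tenant, path in requests:
        verdict = classify(path)
        log = logging.getLogger(f"waf.{tenant}")
        if verdict:
            log.warning("blocked %s: %s", verdict, path)
        results.append((tenant, verdict))
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for tenant, verdict in inspect(SAMPLE_REQUESTS):
        print(tenant, verdict or "allowed")
```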

The penalties for not following the PCI DSS are significant and should not be ignored by any company accepting credit cards online or any company providing supporting services, like Web hosting companies. That being said, gaining compliance is relatively easy and could prove to be a competitive advantage if used creatively.

Article written by Josh Ewin who is VP of Sales and Marketing for Dedicated and Andy Mahler who is Director, Business Development for Applicure.

Article copied and presented by Jeremy Thompson (jeremy@revolutionwebstudios.com) who is CEO of Revolution Web Studios LLC.

Your Web Site Problems Can Really Cost You!

Monday, September 22nd, 2008

Customer Experience Management (CEM) software company Tealeaf recently conducted a survey regarding online customer experiences. The biggest stat to come from this survey is: 41% of online adults click away when they encounter a problem. Many of them go to a competitor. Tealeaf estimates that this represents a $57 billion potential impact to revenue on shopping sites.

Is that incentive enough for you to make sure your web site is working to maximum performance? The survey also found that 87% of users conducting transactions on the Web have experienced problems. Of course any problems a customer has with a web site can quickly turn into reputation problems for the site owner or business as a whole. Tealeaf drops some more stats on that:

More than four in five (84%) online adults who experience problems conducting online transactions share their experiences with others, amplifying the impact of any single experience. Among those who share their experiences with others, 82% do so using non-online modes of communication such as in-person (74%) and phone conversations (50%) with friends and family, while 58% use online channels to share complaints or reviews, such as on the company’s website (39%), in an email to friends and family (23%), on a ratings and reviews website (16%), on an online message board (8%), or on a blog or social network (7%). These Internet postings and comments are often widely disseminated and long lived.

“The Web has changed business; companies both large and small compete for the same customers. Now, competition is just a click away and customer expectations continue to grow,” said Rebecca Ward, CEO of Tealeaf.

“Businesses must take definitive steps to differentiate themselves by understanding and improving their customers’ site experiences, and equipping their contact centers to truly meet the needs of online customers,” added Ward.

Ward sounds right on to me.

__________________________________________________________________

About the author:
Chris is a content coordinator and staff writer for SmallBusinessNewz and the iEntry Network.

Seven Ways To Kill Your Catalog

Thursday, May 22nd, 2008

Any dope on the street can make a mistake without exerting any effort. To really wreck an e-commerce site requires effort. Here’s how to do it.

(Coverage of the ACCM conference continues at WebProNews Videos. Keep an eye on WebProNews for more notes and videos from the event this week.)

Sure, the session at ACCM 2008 was titled “Maximize Your Web Catalog: Search Optimization, Content & Analytics,” but the real value comes from knowing how to completely make your site irrelevant to the engines, and thus to potential customers.

Matt Bailey, founder of SiteLogic, covered several topics where unwary webmasters caused themselves and their sites unnecessary grief. Accessibility, for example, became a big deal for retail chain Target’s website.

Target made its site in a way that left it less than useful for sight-impaired visitors using screen reader software. Images and image maps lacked any alternative text a screen reader could use. That earned Target an embarrassing lawsuit from the National Federation of the Blind.

Failing to use redirects for changed URLs provides an easy way to send search crawlers into oblivion, taking your site’s presence with it. The 301 redirect says this URL doesn’t exist any more, Mr. Spider, you want this URL instead, forever afterwards. Temporary URL changes use a 302 redirect.

Then there’s inconsistent linking. Optimize those title bars to help avoid the perception that you’re presenting duplicate content. If you can hit the same page in different ways, search engines might decide to exclude all of its instances as duplicates.

URLs filled with useless unreadable characters present people with an unmemorable page. Fall out of love with icky URLs and make them something that a regular user recognizes right away, and sees its value. Don’t forget a nice favicon, either.

You may have tons of data available for a product or service you sell. Balance is the key. Too much information, like too many different products on one page, dilutes the presentation to the visitor.

If you really want to turn visitors into one-time arrivals, make calls to action obscure and unclear. Navigation that states what it does and does what it states makes it more likely that online shoppers, who frequently research products over and over before buying, will come back to reinforce their wants before making a purchase.

Bailey cited one task e-commerce site publishers need to succeed, and that’s analytics. “Number one thing you can do to increase your sales is use analytics,” he said, claiming over 70 percent of retailers do not use analytics. “If you are not doing analytics, you are losing money,” said Bailey. You don’t really want to leave money on the table. Do you?

Let Revolution Web Studios combine your vision and our experience to design your custom web site and provide all the services you will need to succeed. Revolution Web Studios uses the most sophisticated software, programming, research and knowledge to create your ‘dream’ online store. We at Revolution Web Studios will make sure your vision is kept strong with the design you want. Here at Revolution Web Studios, we design custom websites, provide dependable services and stay true to our word.

With a wonderful pool of talent and Revolution Web Studios’ top-notch management, our custom website design company is providing some of the best turn-around times for any website project. We will hold your goals and objectives as our very own. Combine Revolution Web Studios’ high standards with our high quality service and affordable pricing and your search is over. Let Revolution Web Studios bring your idea to life. We can and will make it happen.

By David A. Utter

About the author:
David Utter is a staff writer for WebProNews covering technology and business. Follow me on Twitter, and you can reach me via email at dutter @ webpronews dot com.