A few basics to minimize your chances of a data breach

October 4th, 2010
  • Use PCI-Validated POS Equipment – This will mean an upgrade for many small retailers. There are newer tamper-proof options from vendors, says Dave Shackleford, a security expert at Sword & Shield, a computer and network security firm in Atlanta, but many small retailers are still using older equipment.
  • Install a firewall – and make sure it is configured correctly: only the traffic your POS systems actually need (to the payment gateway, for example) should be allowed into or out of the part of the network that handles card data.
  • Don’t use vendor default settings – change the default passwords and login names on every piece of equipment (POS terminals, routers, wireless access points) before it goes on the network.
  • Get Anti-Virus – have it installed on every machine and keep all signatures up to date.
  • Log Everything on the Network – retain the log data, and regularly have someone who knows what to look for review it for aberrant traffic, such as a POS system talking to an outside host it has no business contacting.
  • Patch Your Systems – check for patches and sign up for automated patches where possible.
  • Restrict Physical Access to card data – only staff whose job actually requires it should be able to get at stored card data, whether on paper or on a computer.
  • Assign a Unique User ID to each person – every computer user should have their own login credentials; no shared accounts.
  • Regularly Test the Network and POS environment – run monthly tests to find the weak points where a data breach could occur.
  • Maintain a Policy of Card Data Handling Procedures – every company that handles cards should have a written credit card data handling policy and check that it is being adhered to.
  • If you need help with any one of the above items, please contact us.
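
The “Log Everything on the Network” item is only useful if someone actually reviews the logs with a clear idea of what normal looks like. The script below is an added example (not from this blog or any product it mentions) of that kind of review: it reads firewall flow records and flags any POS terminal that talks to a destination outside a short allowlist, any attempt it made that the firewall blocked, and any inbound connection to a terminal from a host that is not the approved management box. The network layout (POS terminals in 10.10.20.0/24, a gateway at 203.0.113.10, a jump box at 10.10.1.10) and the log line format are assumptions, and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Hypothetical network layout (assumption, not from the post): POS terminals
# live in 10.10.20.0/24 and should only ever reach the payment gateway over
# HTTPS plus the internal DNS/NTP server.
POS_NET = ipaddress.ip_network("10.10.20.0/24")
ALLOWED_EGRESS = [
    # (destination network, protocol, port, description)
    (ipaddress.ip_network("203.0.113.10/32"), "TCP", 443, "payment gateway"),
    (ipaddress.ip_network("10.10.0.5/32"), "UDP", 53, "internal DNS"),
    (ipaddress.ip_network("10.10.0.5/32"), "UDP", 123, "internal NTP"),
]
# Only the management jump box may open connections *to* a POS terminal.
ALLOWED_INGRESS_SOURCES = [ipaddress.ip_network("10.10.1.10/32")]

# Constructed firewall log format (assumption): one flow record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: normal gateway/DNS traffic, then a terminal pushing
# 400 KB to an unknown outside host, RDP into a terminal from the office LAN,
# a blocked FTP attempt from a terminal, and a legitimate jump-box SSH session.
SAMPLE_LOG = """\
2010-10-04T09:01:12 fw: ALLOW TCP 10.10.20.15:51000 -> 203.0.113.10:443 bytes=8120
2010-10-04T09:01:13 fw: ALLOW UDP 10.10.20.15:50001 -> 10.10.0.5:53 bytes=96
2010-10-04T09:02:40 fw: ALLOW TCP 10.10.20.15:51002 -> 198.51.100.77:443 bytes=412000
2010-10-04T09:03:05 fw: ALLOW TCP 10.10.30.8:44010 -> 10.10.20.15:3389 bytes=2048
2010-10-04T09:03:06 fw: DENY TCP 10.10.20.16:51003 -> 198.51.100.77:21 bytes=0
2010-10-04T09:04:00 fw: ALLOW TCP 10.10.1.10:40000 -> 10.10.20.16:22 bytes=5000
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def _egress_allowed(dst: ipaddress.IPv4Address, proto: str, dport: int) -> bool:
    """True if this destination/protocol/port is on the POS egress allowlist."""
    return any(dst in net and proto == p and dport == port
               for net, p, port, _desc in ALLOWED_EGRESS)


def review_flows(log_text: str) -> List[Finding]:
    """Return the flow records that break the expected POS traffic pattern."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # real logs carry other message types; skip what we cannot parse
        f = m.groupdict()
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        dport = int(f["dport"])

        if src in POS_NET and dst not in POS_NET:
            # Outbound from a terminal: anything off the allowlist is a finding.
            # An ALLOWed flow means the firewall rules are too loose (or the
            # terminal is exfiltrating); a DENY still shows the terminal tried.
            if not _egress_allowed(dst, f["proto"], dport):
                reason = ("pos-egress-not-allowlisted" if f["action"] == "ALLOW"
                          else "pos-egress-attempt-blocked")
                findings.append(Finding(f["ts"], str(src), str(dst), dport, reason))
        elif dst in POS_NET and src not in POS_NET:
            # Inbound to a terminal that the firewall let through from a host
            # other than the approved management box.
            if f["action"] == "ALLOW" and not any(src in n for n in ALLOWED_INGRESS_SOURCES):
                findings.append(Finding(f["ts"], str(src), str(dst), dport,
                                        "inbound-to-pos-from-unapproved-host"))
    return findings


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_LOG):
        print(f"{finding.timestamp} {finding.src} -> {finding.dst}:{finding.dport} "
              f"{finding.reason}")
```

Run against the sample it reports three flows: the 400 KB upload to 198.51.100.77 that the firewall allowed, the RDP session into a terminal from the office LAN, and the blocked FTP attempt. The first two are the ones that matter most to the “configured correctly” point under the firewall item: the allowlist in the script is also the rule set the firewall itself should be enforcing, so any ALLOW that shows up here is a rule that needs fixing.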

    Skimming in the U.S.

    September 4th, 2010

    So far, the U.S. in 2010 has seen skimming and POS fraud incidents reported from 23 states. The types of incidents include:

    ATM Skimming: This crime strikes at a financial institution’s automated teller machine or even at free-standing ATMs in retail locations. There are numerous ways the criminals steal the card data, the most common being a card skimmer placed over the existing card slot.

    Hand-Held Skimming: These skimming devices are often used to steal card data at retail establishments such as restaurants. A rogue employee needs only to swipe a customer’s card through a skimmer, which captures all of the magnetic stripe data for the card account. Some skimmers are as small as a cigarette lighter and are easy to hide.

    Self-Service Skimming: This crime occurs at self-service terminals, including gasoline pumps, where consumers swipe or insert their credit or debit cards to pay for goods or services. Similar to ATM skimming, the criminals either place a card reader over the existing card slot, or open the machine and plug into the card reader to copy card data from every transaction. Some are sophisticated enough to relay the stolen card data wirelessly, including over Bluetooth, to the criminal’s computer in a nearby location.

    POS Device Tampering: This attack happens when fraudsters tamper with point-of-sale devices and PIN entry devices. Most criminals steal a POS or PED device from a specific retail location, modify it, and then return to swap the retailer’s working device for the modified one. Often a small skimming device is placed inside the terminal, or the terminal’s software is infected with malware. Either way, the device then copies card data from every transaction swipe, and the fraudster returns after a period of time to swap the device again and collect the stolen card data.

    Insider: This is either an employee or a trusted third party who has access to the point-of-sale terminal, ATM or network where the card data resides. Insiders can also include staff who overhear card account numbers from a customer, such as a call center employee or salesperson.

    Unknown: This description means that the investigators were unable to determine the exact method that the card data was stolen.

    An online store – the basics

    August 21st, 2010

    You want to set up your first online store / shopping cart system to sell products online but do not know the first thing about setting up a store or what all is involved. You have found the right article to read.

    First I will start with the basics that have to happen even before you set up the storefront. In order to have a website you need three basic components – a domain name, a website host, and the actual content or pages.

    DOMAIN NAME – You can get a domain name at many places and the prices vary greatly by place, but should be no more than $15.00 per year. A domain name is something like www.onlinepcicompliance.com.

    WEBSITE HOST (SERVER) – A website host, or the server where your website content will be hosted and served to the general public, can vary in price and in what it offers as well. If you are doing a basic site there is not too much to worry about with hosts other than reliability (uptime) and support. If you are going to be doing an E-Commerce website then the host can make a huge difference, because not all hosts can pass a PCI compliance scan.

    WEBSITE CONTENT (regular websites) – Your website content is the actual pages of your website. This can be done by you but is often provided by a website developer or website designer. Credentials and abilities of developers and designers also vary greatly, as does what they charge for their services. For a basic site there is not too much to worry about except for how your site looks, because there is usually no functionality to a basic site other than plain navigation.

    WEBSITE CONTENT (E-Commerce) – E-Commerce sites are a completely different project than basic websites (or at least they should be!). I have encountered way too many clients that have started an E-Commerce website with someone just to find out that their site does not function the way they want it to or, even worse, it is not secure or cannot pass PCI Compliance scans. It is best practice to do your homework up front and ask the question, “Have you successfully put a storefront online that consistently passes and keeps up with PCI Compliance?” Most website developers/designers are not really sure what all is involved in PCI Compliance. E-Commerce websites are always more expensive than regular content sites because of the time involved in configuring the storefront software and the product pages and content. A basic website store that is PCI Compliant should run you anywhere from $1,000 and up for the content and design. There are less expensive solutions out there and those may work for you, but without a specific consultation as to what you are selling and how, it is difficult to make that analysis.

    ADDITIONAL E-COMMERCE COMPONENTS – There are some other components to having an online store. You will need an SSL Certificate (Secure Sockets Layer certificate, so that card data is encrypted between the shopper’s browser and your site), a Merchant Account, a Secure Internet Gateway, and a PCI-DSS Compliance component. (more discussion on these coming in a separate blog post)

    WHERE TO START – My suggestion is obvious. Please visit www.onlinepcicompliance.com and contact me for a consultation on your E-Commerce project BEFORE you start anything beyond purchasing your domain name. It is always a great idea to purchase your domain name as soon as you know what it will be. If you wait someone else may get it before you do and you will have to be creative to select a new one.

    I hope you have enjoyed this summary of what it takes to get a basic store online. Not as simple as you thought huh?

    T. Davis – E-Commerce Specialist, Trustwave SSL and PCI Compliance Consultant

    Online PCI Compliance

    August 20th, 2010

    Welcome to the Online PCI Compliance Blog! We specialize in making sure your online shopping solution is PCI Compliant. This starts with a PCI Compliance consultation to discuss the various aspects of PCI-DSS Compliance. There are many parts to becoming and staying PCI Compliant, but the basic parts are an SSL Certificate, a secure shopping cart solution, PCI deep scans of the web host server, PCI scans of the local office computers used to access the online store, a secure internet gateway, and a bank merchant account.

    Online PCI Compliance is here to help your online business succeed by answering all of your PCI Compliance questions and providing all of these items, thus getting your business online and PCI Compliant much faster. Please visit our SSL Certificate page and our Secure Internet Gateway page here – www.onlinepcicompliance.com