
Small Business Ideas Forum

Old 7th March 2007, 10:22 AM   #1
jason.bordeaux
Member
 

Join Date: Jun 2006
Location: Appleton, WI
Posts: 33
Ecommerce Fraud Info

Hi everyone - I'm glad to be back!

Does anyone have any examples of sites or resources that detail specific instances or general methods of websites being compromised and consumer info being stolen? I have merchant processing industry info but I am looking for more merchant friendly material.

In a nutshell, I'm having a hard time convincing ecommerce merchants to explore PCI Data Security Standard certification. For some it is a cost consideration and others are confident that they are not at risk. My company does not offer services of this sort, but I feel that merchants should be aware of its importance.

As an aside, do folks out there know what the PCI Data Security Standard is?

Old 7th March 2007, 11:39 AM   #2
Logan
Administrator
 

Join Date: Jun 2004
Location: Colorado
Posts: 8,046

Good to see you back Jason

I'm not familiar with PCI Data Security Standard. What is it and why would my ecommerce sites need something different than what they have? I'm listening, but skeptical as I probably fall on the side of the "don't think I have a problem" fence.

__________________
Search Engine Guide - Small Business Guide to Search Marketing
Small Business Brief - Small Business Ideas Forum, Articles & News
Old 7th March 2007, 11:41 AM   #3
pete
VIP Contributor
 

Join Date: Jul 2005
Location: Hampton Roads, VA
Posts: 488

I can see why you would be having a hard time, there are few that it really applies to. At least, that's my take on it. I get stuff on it regularly from my card processor, but I collect no data, it goes through a gateway and I never see the actual card numbers. How can I, or millions of others using a gateway, be concerned about protecting numbers we never see?

I have full contact information on my sites. What more do I need to do to be in compliance?

Unless your clients are Wal-Mart or Macy's I don't see where it's a big deal. At least for the first phase, I would say that even the reliable 80/20 rule does not apply. More like 5/95. It simply seems like it is geared to the mega guys.

If not, then VISA and MC need to use a different approach.

Old 7th March 2007, 02:08 PM   #4
Logan
Administrator
 

Join Date: Jun 2004
Location: Colorado
Posts: 8,046

Quote:
it goes through a gateway and I never see the actual card numbers
Same here .... by design keeping it simple, but not sure there is much more I can do to make it 'more secure' when I don't even have anything of value to others.

Old 7th March 2007, 03:57 PM   #5
jason.bordeaux
Member
 

Join Date: Jun 2006
Location: Appleton, WI
Posts: 33

You nailed my problem right on the head - merchants don't see where the PCI Standard applies to them. I also agree that Visa and MasterCard need to use a different approach. If your processor hasn't helped you understand the risk then they are dropping the ball, too.

Here are some facts and a chain of events:

In 2002, Visa defined a standard for merchants protecting cardholder data.

In 2004, a more advanced standard, the Payment Card Industry (PCI) Data Security Standard, was introduced by and endorsed by Visa, MC, AMEX, Discover and all other major card associations.

In 2005, the associations unilaterally deemed it mandatory for ALL merchants to achieve compliance to the PCI Standard.

In 2006, the associations unilaterally deemed it mandatory for ALL merchants to achieve compliance AND verify compliance to the PCI Standard on a quarterly basis.

The penalty for non-compliance in the instance of a breach is commonly recognized as $2K to $500K per occurrence, but in fact there are no real guidelines or limitations to the fines. Another potential penalty could be to revoke a merchant's ability to accept credit cards. In the event of a breach that occurs to a PCI compliant merchant, that merchant is indemnified and will not be fined or penalized.

All of this information doesn't explain how it impacts merchants like you, though, and that's where it gets a little slippery.

The merchant processor is actually assessed the initial fine and then collects it from the merchant. This is part of the risk that a merchant processor takes on. Chargebacks are very similar in nature - the merchant processor is actually responsible for returning disputed funds and collects the funds from a merchant to do so. Every merchant agrees to allow a merchant processor to do this by virtue of the terms of their merchant agreement. If a merchant goes out of business and has some amount of unfulfilled orders that were paid for by credit card, the merchant processor is responsible for crediting these funds back to the cardholders and then chasing down the merchant to recoup the expense.

Similarly, every merchant agreement states in some manner that the merchant will be responsible for adhering to all Visa and MC regulations and that the merchant will also be responsible for all fines and penalties related to not complying. The regulations are never specifically listed as they are too voluminous so a site or resource is identified for the merchant to review. To be clear, every merchant agrees to some form of these terms and takes personal or corporate responsibility for compliance when they sign their merchant agreement. Being mandatory, the PCI Standard is included in these regulations.

The merchant processor is not required, however, to mandate PCI compliance as a term of service. As stated, this is entirely the responsibility of the merchant. The main factor that a merchant processor considers is whether the merchant will be able to pay the fines and restitution in the instance of a breach. You read it right - as a merchant you must be compliant but your processor doesn't need to enforce compliance. They just calculate the risk of you not being able to fulfill financial obligations.

The big twist is that compliance actually means CERTIFIED compliance. Remember, the merchant account is actually held by the merchant. Even if the merchant doesn't actually see the card information they are responsible for everything that happens to it. Your gateway provider is most likely a CISP Certified Service Provider and your webhost should be PCI certified, too (although this is not a sure thing). This doesn't help you if a breach occurs, though.

Let's say your gateway and webhost were certified PCI compliant, but a breach occurs despite these best efforts. If the merchant account holder is not certified PCI compliant, they will be responsible for all of the fines and restitution described - EVEN IF EVERY ASPECT OF THEIR BUSINESS WOULD HAVE BEEN CERTIFIED PCI COMPLIANT HAD A SCAN BEEN PERFORMED. PCI compliance is not retroactive. If you are a merchant that has a breach and are not certified you are automatically subject to penalty. You are the responsible party and you are responsible for the merchant agreement that you entered. If your vendors are compliant that is great for them but their indemnification won't help you. The risk of this happening obviously grows if you are working with non-compliant vendors.

Again, I don't work for a company that offers PCI certification. I just see merchants everyday who are not aware of the liability that they have taken on. If you think that not actually handling the cards protects you then you're mistaken - it just means you're responsible for your vendors. If you think your vendors are big companies that definitively have this covered you're wrong again - ask TJX.

Most small to mid-size businesses can have a quarterly scan performed for $100-$200 per MID or user annually. There are a couple dozen companies that do this. Your processor should have a preferred partner.

This takes me back to my original question, though, can anyone think of any examples of security breaches, no matter how big or small, that might reinforce my points? Discussing security actually makes my job harder, but I feel compelled to assure that merchants that I work with are well informed.

Old 7th March 2007, 05:28 PM   #6
pete
VIP Contributor
 

Join Date: Jul 2005
Location: Hampton Roads, VA
Posts: 488

I guess I'm dumber than dirt, but I still don't see where this applies to me.

I sell something online. My customer pays through my processor's gateway, or through PayPal. I NEVER SEE THE CARDHOLDER INFORMATION. It never reaches my PC, nor is it stored on my server.

At the close of the sale the actual purchase is handled on the processor's secure server, not on my site or my server.

How can I be responsible for a "breach"?

I assume "breach" means a theft of information. I have no information to steal. None, zip, nada. I have the last 4 or 5 and an approval code. Period.

Now, don't quote from something. Simply tell me in the most basic terms possible, how I can be held responsible for someone getting card data which I have never had access to?

As I mentioned, I have my company name, address, phone numbers, etc. at the bottom of every page. I have full contact info, including an email link on at least one page of any site.

What am I missing here? How am I not in compliance?

Old 7th March 2007, 06:17 PM   #7
jason.bordeaux
Member
 

Join Date: Jun 2006
Location: Appleton, WI
Posts: 33

Something tells me "dumber than dirt" doesn't apply to you

Impractically speaking, you need to be certified because it is mandated by Visa and MasterCard. Their regulations state that it is required of every merchant account holder.

Practically speaking, you are actually fully responsible for cardholder information because it is your merchant account. Even if you are not physically responsible for the breach, you are still liable for any damages, fines and restitution because you fully accepted this responsibility when you signed your merchant agreement.

If an intern at your webhost, gateway provider or other service provider steals a card number(s) that was processed through your merchant account then you will be considered a responsible party.

If your webhost is compromised and a hacker steals a card number(s) that was processed through your merchant account or redirects your shopping cart then you will be considered a responsible party.

If anything at all happens to a cardholder's information because they purchased something from your website then you will be considered a responsible party - even if you never touched the information.

Remember, we are talking about MasterCard and Visa, here. All that they have to care about is who is responsible for the actual merchant account. If you signed on the dotted line then that is you. What happens with your vendors is your problem. If you have a merchant account then you have agreed to this liability. Guaranteed. No exceptions.

Example: You are building a house and hire a general contractor. The general contractor sub-contracts a mason to build your fireplace and the mason does a shoddy job. Who do you go after? The mason or the general contractor?

The general contractor, right?

As a merchant account holder, you are the general contractor in Visa and MasterCard's eyes. They don't have to deal with the mason - only you.

Old 7th March 2007, 09:22 PM   #8
pete
VIP Contributor
 

Join Date: Jul 2005
Location: Hampton Roads, VA
Posts: 488

Well, I will contact my processor, but in reality, even my web host never sees the data. With most shopping carts I'm aware of the entire order is passed over to the gateway without the customer entering anything (or in some cases their name and address, but not card info). It is only when the entry page comes up on the gateway's server that the information is even requested.

Anyhow, understanding how things flow downhill, I will contact my gateway folks tomorrow.

Thanks for the heads-up.

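Pete's description of his setup (the cart hands the customer to the gateway's hosted page, and the merchant keeps only the last four digits and an approval code) and Jason's warning that a compromised host could redirect the shopping cart suggest two merchant-side checks a practitioner would want to run. The Python script below is an added example, not code from this thread, from any processor or from any gateway; the order records, the gateway host names and the function names are constructed for illustration. It scans stored order records for full card numbers (Luhn-validated, so order numbers and phone numbers are not flagged), masks any it finds down to the last four digits, and confirms that a checkout handoff URL points over HTTPS at an expected gateway host.

```python
import re
from urllib.parse import urlparse

# Constructed merchant-side order records (not data from the thread). The first
# line holds the only card-related data a merchant on a hosted gateway should
# retain: last four digits plus the gateway's approval code. The second is a
# constructed leak using the well-known Visa test number 4111111111111111. The
# third carries digits that are not a card number and must not be flagged.
SAMPLE_RECORDS = [
    "order=10042 last4=1111 auth=A7K9Q2 amount=49.95",
    "order=10043 pan=4111111111111111 exp=0309 amount=12.00",
    "order=10044 note=call 555-0134 before 5pm",
]

# Hosts the checkout is allowed to hand the customer off to (assumed names).
ALLOWED_GATEWAY_HOSTS = {"secure.gateway.example", "www.paypal.com"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like full card numbers."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace every full card number with its last four digits only."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "****" + digits[-4:] if luhn_ok(digits) else m.group()
    return _CANDIDATE.sub(_mask, text)


def scan_records(records: list) -> list:
    """(index, masked record) for every record that holds a full card number."""
    return [(i, mask_pans(r)) for i, r in enumerate(records) if find_pans(r)]


def handoff_allowed(url: str, allowed_hosts=ALLOWED_GATEWAY_HOSTS) -> bool:
    """True only for an https URL whose host is one of the expected gateways."""
    p = urlparse(url)
    return (p.scheme == "https"
            and p.hostname is not None
            and p.hostname.lower() in allowed_hosts)


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx} holds a full card number; masked form: {masked}")
    for url in ("https://secure.gateway.example/pay?order=10042",
                "http://secure.gateway.example/pay?order=10042",
                "https://secure.gateway.example.attacker.example/pay"):
        print(url, "->", "allowed" if handoff_allowed(url) else "BLOCKED")
```

Run against a merchant's own order export or web logs, a non-empty result from scan_records is the evidence that card data is being stored after all, which is exactly the fact that decides PCI scope in this thread. The host allowlist in handoff_allowed is compared as a whole hostname, so a look-alike such as secure.gateway.example.attacker.example is rejected even though it begins with the expected name.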