'Net Features : pci compliance

ControlScan Merchants Can Rest Easier on PCI Issues

Michael Garrity — Thu, 10 May 2012 17:00:00 GMT

ControlScan, a provider of Payment Card Industry (PCI) compliance and security services for small and medium-sized online businesses, has announced its purchase of cloud-based secure payments solution CRE Secure.

The acquisition will allow ControlScan to considerably reduce the "scope" of PCI.

CRE Secure was already a level-one PCI Data Security Standard (DSS) certified service provider. It gives users a hosted payment page powered by patent-pending HTML cloning technology for a consistent consumer experience, and a secure e-commerce solution for merchants that is PCI-compliant.

By combining an already PCI-compliant object, such as a credit card form, with a merchant’s site template, merchant’s can simplify the compliance process by outsourcing consumer payment data to CRE Secure, putting their website out of the scope of PCI regulations, since it will not actually store, process or transmit cardholder information. This allows them to host their site wherever they want and save a lot of money on those annual PCI scans.

CRE Secure is based on a unified technology that utilizes a single cloud-based system to support a merchant’s payment channels, which includes everything from online, mobile and even mail/telephone orders. E-commerce sites can even take advantage of plug-ins that allow them to connect with their favorite payment processors and existing solutions, to create a seamless, secure customer experience that is light on the merchant’s wallet, too.

All of this is good news for ControlScan and the merchants who use their services, as CRE Secure technology and existing partnerships will now complement ControlScan solutions, opening up new opportunities in the card-not-present (CNP) space. ControlScan also hopes to build upon the current CRE Secure product.

Firewall Management and PCI Compliance for Small Businesses

Michael Garrity — Fri, 16 Mar 2012 13:30:00 GMT

For online merchants, especially those that run small businesses, the practice of optimizing your site to be Payment Card Industry (PCI) compliant can be headache-inducing.

So, it only adds to the problem with a site owner trys to configure and manage his or her firewall in-house, a practice in which the simplest mistake can result in misconfigured security systems, unnecessary data exposure and increases the risk of your site not meating PCI Data Security Standards (DSS).

But like everything on the Web, there's a solution for that, if you know where to look. In this case, it's ControlScan, the Web's "leading provider of PCI compliance and security solutions designed for small merchants." The company recently added ProTect Network Firewall to its ProTect Managed Security Services suite of solutions.

ProTect Network Firewall will help website owners by managing the installation, administration and monitoring of network firewalls. Best of all, the new offering was built specifically with Level 4 merchants in mind. (For the record, Level 4 merchants are those that have fewer than 20,000 Visa e-commerce transactions a year, all the way up to one million. In other words, the smallest of small businesses.)

Using ProTect Network Firewall from ControlScan will let small business owners rest easily knowing their receiving 24/7 continuous network monitoring and protection from outside threats, and all at an affordable price. The offering will improve a business' overall security posture, ensure that all updates/upgrades are made in a timely manner in accordacne with PCI standards and report on how and by whom a network is used, thus increasing Internet productivity.

Plus, it will help simplify network segmentation, enabling a single network segment to communicate with the payment processor. This act that helps smaller merchants by reducing the scope of PCI compliance and allows merchants to offer customer benefits without potentially exposing cardholder data to theft.

Dydacomp Releases PCI-compliant Cart for SMBs

Linc Wonham — Wed, 07 Mar 2012 17:00:00 GMT

Dydacomp, an e-commerce technology provider for small and mid-sized businesses and multichannel merchants, has released a new shopping cart.

SiteLINK 7 is a PCI DSS-certified solution and hosting platform that makes it easier for customers to leave product reviews, incorporates a persistent cart and presents a recently viewed-items listing.

“One of the business-critical areas that we addressed in SiteLINK 7 is PCI compliance,” says Fred Lizza, CEO of Dydacomp. “The ramifications of a data breach to a small or medium-sized business can be devastating. By combining SiteLINK 7 with our Multichannel Order Manager, we provide the only integrated end-to-end PCI-compliant software solution for small and mid-size merchants and their customers.”

The integration with Multichannel Order Manager provides SMBs with the ability to manage all commerce processes needed to run and scale a successful online or cross-channel business through a single solution. SiteLINK 7 also includes the ability to sell e-gift cards that can be redeemed through point-of-purchase, new HTML templates and integration with buySAFE to provide shoppers with a purchase guarantee.

“Our latest solution also addresses the rapid adoption of new mobile technology,” says Lizza. “SiteLINK 7 now includes mobile-optimized layouts to allow our merchants’ customers to browse and order from smartphones and wireless devices.”

Why So Complicated? A Beginner's Guide to PCI Compliance

Michael Garrity — Thu, 17 Nov 2011 17:00:00 GMT

Most people start businesses because they want to do something they’re passionate about, but often they don’t account for all of the necessary red tape. So, it’s likely that when someone creates a website to sell hand-knitted scarves for Labrador retrievers, he or she probably didn’t put a lot of thought into ensuring the site was Payment Card Industry (PCI) compliant.

For starters, many people aren’t entirely familiar with the PCI compliance, and even when they are made aware of it, actually making sense of it all and implementing PCI security standards on one’s website seems like a lot of work that may not be worth the hassle. At its most basic level, however, PCI compliance isn’t that hard to understand; it’s just a matter of organizing and simplifying all of the information and jargon you’re being bombarded with.

Defining the Issue
Let’s take a step back; where does all of this PCI stuff come from? The PCI Security Standards Council was formed in 2006 as a joint effort between five global payment brands – American Express, JCB International, MasterCard Worldwide, Discover Financial Services and Visa Inc. This group then developed the Data Security Standard (DSS), a collection of rigid requirements put in place to “ensure that all companies that process, store or transmit credit card information maintain a secure environment.”

Essentially, any organization or merchant that handles credit, debit or prepaid cards branded by one of the founding companies (and if they’re operating an e-commerce site in 2011 without accepting major cards, they have other issues) is subject to the PCI DSS.

PCI compliant businesses are split into four groups, or “levels,” based on their transaction volume, which is determined by their aggregate number of Visa transactions. Level 1 merchants are those that process over $6 million in Visa transactions a year; Level 2 merchants process between $1 million and $6 million; Level 3 merchants process between $20,000 and $1 million; and Level 4 merchants, which make up most small and medium-sized businesses, process less than $20,000 in Visa transactions year. This last group also includes all non-e-commerce merchants, regardless of acceptance channel, who process up to $1 million transactions a year.

Is it Worth it?
Because PCI compliance isn’t an actual federal law, and it is the payment brands and acquiring banks that are responsible for enforcing it, it can be a little difficult, not to mention intimidating, for a business to become compliant. In fact, to less Web or financially savvy owners, it may seem easiest to just skip this part of the process. Bad idea.

At the very least, complying with PCI Standards is important because it shows consumers that your website is trustworthy. Websites that aren’t willing to go through the process of having their security systems verified by the PCI are suspect, at best, and there is no better way to drive customers away from your business than giving them a reason not to trust you. That being said, it’s important to know that while displaying trust signals from companies like VeriSign or TRUSTe on your site is another great way to inspire confidence in consumers about the security of your site, having these SSL certificates is not the same thing as being PCI compliant, but rather they are complimentary steps that show potential customers that you've taken the precautions necessary to protect their data.

As far as business partnerships go, PCI compliance is also the best way to create a positive reputation with acquirers and payment brands that you’ll need contact with to conduct business.

Perhaps most importantly, however, is that PCI compliance allows you to keep your website secure as tactics for compromising data evolve and become more sophisticated. The PCI Security Standards Council “is constantly working to monitor threats and improve the industry’s means of dealing with them,” meaning the security and integrity of your website will always be protected by the ever-adapting technology of the Council. This not only protects user data, but it also keeps your business safe from potential lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines.

Becoming Compliant
The most complicated part of PCI compliance is getting started. Fortunately, the act of being PCI compliant can be boiled down to three steps.

The first thing a business needs to do is assess, which means to inventory its IT assets and business processes for payment card reprocessing then analyzing it for information that could expose cardholder data. This step is in place to spot any possible vulnerabilities in a system. Options for assessing a business include a Self-Assessment Questionnaire (SAQ), which allows merchants and/or service providers to evaluate themselves for PCI compliance, or independent qualified assessors provided by the Council. There are two types of independent assessors: Qualified Security Assessors that follow a strict procedure to determine whether or not a business is PCI compliant, and Approved Scanning Vendors that provide “commercial software tools” that perform vulnerability scans on a business’ systems.

Once any potential vulnerabilities are assessed, the next step is to remediate, which means fixing the technical flaws or unsafe practices that may expose customer data. This includes taking action like “applying patches, fixes, workarounds and changes to unsafe processes and workflow.” After remediating your site for PCI compliance, you should always reassess to make sure that the work you do during the remediation step is in place and operating properly.

Finally, merchants must regularly report to the acquirers and global payment brands that they’re doing business with; these reports are usually quarterly. The types of reports that need to be completed vary depending on the size of a merchant (their “level”) and the requirements of their partners, so each business should discuss with their acquirers to figure out the exact details of what needs to be included in these reports and how they should submit them.

PCI compliance is such an important part of Internet security, for both consumers and website owners, that it cannot just be ignored. However, it’s also understandable that many new business owners and merchants may be tempted to just disregard it because it can seem like a scary task to tackle and the benefits aren’t always obvious. But when you strip away the jargon and look at it from a very basic level, it becomes much more manageable.

ControlScan Offering PCI Compliance Services

Linc Wonham — Mon, 30 May 2011 19:00:00 GMT

ControlScan, a leading provider of PCI compliance solutions specifically designed for small to mid-sized merchants, is now offering security consulting services to make planning, achieving and maintaining PCI compliance simple and straightforward.

“Our expanded security consulting services bring added confidence that each business we work with is correctly interpreting the PCI DSS and taking the proper actions to achieve and maintain compliance, whether they are service providers, ISOs and acquirers serving Level 4 merchants or merchants themselves,” says ControlScan CEO Joan Herbig. “These services reduce overall risk associated with payment card processing within a merchant portfolio or business.”

ControlScan’s security consulting services are divided into two focus areas. The security assessment services ensure solutions are in place and policies and procedures exist in order to satisfy the PCI DSS. The company’s security engineering services provide technical testing and guidance to clients.

ControlScan’s security consulting services are supported by a team of qualified security assessors (QSAs) and security consultants with more than 20 years experience delivering PCI advisory and remediation services.

Visit ControlScan for more information on the company’s security consulting services.

Comodo Offers HackerGuardian for SSL Certificate Purchase

Pete Prestipino — Wed, 15 Sep 2010 15:41:00 GMT

As Website Magazine gets closer to its upcoming Web hosting edition (distributed in October 2010), our interest is piqued by pretty much anything and everything related to the topic - and today's no different.

Internet security company Comodo is offering a free annual subscription to HackerGuardian with every purchase of an SSL certificate. If you're concerned about the online security of your customers, this at least deserves a serious look.

HackerGuardian is PCI scanning tool that scans externally facing IPs and generates reports detailing found vulnerabitlities and supplies the merchant with the information needed to fix any issues. HackerGuardian even proviees all the necessary documentation that a merchant is required to send to their acquiring bank to validate quarterly PCI compliance is included with the HackerGuardian solution.

“We are delighted to be able to offer our customers this free HackerGuardian service for one year,” said Melih Abdulhayoglu, Comodo CEO and chief security architect. “This powerful combination of SSL and HackerGuardian helps businesses to address the mandatory nature of PCI compliance and to meet those requirements.

nCircle Updates Scanning Service for PCI DSS Deadline

Linc Wonham — Wed, 01 Sep 2010 00:35:00 GMT

Web security and compliance auditing firm nCircle has updated its Certified PCI Scan Service for the September 1 deadline to be compliant with the latest PCI DSS requirements for vulnerability scanning. The new requirements improve the processes and procedures that approved scanning vendors must follow when conducting scans of merchant networks, and the updated service includes the following features to make it fully compliant:

Enhanced Asset Discovery
The nCircle Certified PCI Scan Service adds enhanced automated asset discovery, eliminating manual scoping efforts and greatly improving the accuracy of those efforts.

New Report Formats
The service now generates reports in the standardized format now required by scanning vendors, including pass/fail status and a prioritized list of any vulnerabilities discovered.

Partner Report Branding
The service now provides the ability for a partner to upload their logo and have it included on each report generated by nCircle.

The new version of the scan service is available today, and customers using the service for the first time are eligible to receive a free trial subscription.

Encore, ControlScan Protect Data

MaureenA — Tue, 31 Mar 2009 21:45:00 GMT

Encore Payment Systems has partnered with ControlScan to ensure merchants are meeting the new PCI Data Security Standards (PCI DSS). The standards, established by the PCI Security Standards Council, must be met by all organizations that deal with cardholder information and was established to protect sensitive data. The partnership will provide training and certification for merchants using the Encore platform.

Jethro Felton, executive vice president of sales and business development, ControlScan, sees the partnership as a huge plus for Encore and its merchants. "By utilizing ControlScan's PCI compliance solutions as part of their overall offering, Encore Payments will help their merchant community become secure, thereby ensuring that they meet all private and public regulatory requirements by protecting all cardholder data," Felton was quoted in the release.

In October, Website Magazine reported that each lead generated to Encore provides a $20 commission, and utilizes credit/debit processing. So, protecting all data is a good idea.

__________

Ready to Start Really Competing In Web Business?
Request a professional-level membership from Website Magazine.