<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>FireBlog by FireHost &#187; Secure eCommerce Development</title>
	<atom:link href="http://www.fireblog.com/tag/secure-ecommerce-development/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.fireblog.com</link>
	<description>Secure Hosting Blog</description>
	<lastBuildDate>Fri, 16 Dec 2011 00:52:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>SSL Your Way to a Safer, More Successful Cart</title>
		<link>http://www.fireblog.com/ssl-your-way-to-a-successful-cart/</link>
		<comments>http://www.fireblog.com/ssl-your-way-to-a-successful-cart/#comments</comments>
		<pubDate>Wed, 13 Apr 2011 05:01:40 +0000</pubDate>
		<dc:creator>FireHost Evangelist</dc:creator>
				<category><![CDATA[Cloud Hosting]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[PCI Compliant Hosting]]></category>
		<category><![CDATA[Secure Cloud Hosting]]></category>
		<category><![CDATA[Secure eCommerce Development]]></category>
		<category><![CDATA[Website Hosting]]></category>
		<category><![CDATA[Website Security]]></category>

		<guid isPermaLink="false">http://www.fireblog.com/?p=2495</guid>
		<description><![CDATA[SSL (Secure Sockets Layer) technology is the web standard for securing and encrypting confidential PII (personally identifiable information) on eCommerce websites. Every piece of information transmitted on an https:// page is encrypted with a strong cipher (often 128-bit or stronger) to help prevent unwanted parties from obtaining credit card numbers, home or work addresses, passwords, [...]]]></description>
			<content:encoded><![CDATA[<p>SSL (Secure Sockets Layer) technology is the web standard for securing and encrypting confidential PII (personally identifiable information) on eCommerce websites. Every piece of information transmitted on an https:// page is encrypted with a strong cipher (often 128-bit or stronger) to help prevent unwanted parties from obtaining credit card numbers, home or work addresses, passwords, social security numbers, and even just your first and last name in raw form.</p>
<p>Consumers may not know the term SSL certificate, but they <strong>do</strong> increasingly recognize &#8220;secured by&#8221;, &#8220;protected by&#8221; and &#8220;verified by&#8221; badges on the eCommerce websites they visit.</p>
<p>Unfortunately, each web browser decides where and how SSL indicators are displayed, and some of the most popular browsers suppress SSL badge visibility by lowering the opacity or moving the badge to an inconspicuous location on the page.</p>
<p>Extended Validation (EV) certificates (known to consumers as &#8220;The Green Bar&#8221;) counter browser suppression because they are displayed front and center on every page where the SSL certificate has been installed correctly.</p>
<p>Compared to basic SSL certificates, EV certificates take longer to obtain because they include physical and legal validation of your business. EV certs provide the same level of encryption as regular SSL methods, and they tend to be a little more expensive to maintain, <strong>but</strong> they are the most trusted and recognizable way to reassure shoppers.</p>
<p>SSL badges offer more than just &#8220;feel good&#8221; reassurance to shoppers. The encryption provides real protection for PII transmitted through an eCommerce site, and SSL certificates purchased from a reputable, accredited, business-grade provider come with insurance ($250,000 for a single-site EV certificate, for example) that provides financial backing for your business and your consumers should the encryption fail.</p>
<p>With all the risks facing eCommerce websites, SSL certificates are an affordable &#8220;must-have&#8221; costing approximately <a href="http://www.firehost.com/secure-hosting/ssl-certificates">$40/month</a> for entry level protection.</p>
<p>SSL encryption and validation is a wonderful and necessary technology, but it comes with a few &#8220;special considerations&#8221; that can have negative repercussions if they are not handled professionally. For example, an SSL certificate is useless if it is installed incorrectly, and the encryption/decryption work <em>can</em> slow down your application server.</p>
<p>For eCommerce websites requiring high availability, we provide expert installation and a process called SSL Acceleration to prevent these caveats from negating the SSL product&#8217;s wonderful benefits.</p>
<p><strong>Expert SSL Installation</strong> involves knowing where an SSL certificate needs to apply, not just how to technically install it. Every page with user input should be served with https:// protection. &#8220;My Profile&#8221;, &#8220;Your Account&#8221;, &#8220;Checkout Here&#8221; and &#8220;Login&#8221; pages that live up to those names should <strong>always</strong> be protected by SSL encryption.</p>
<p>It is not quite that simple, however. eCommerce websites in particular have a unique set of SSL certificate installation requirements. For example, the shopping cart should be protected, but not necessarily the product pages. An SSL certificate must be installed in such a way that its encryption resides within the page, not the user&#8217;s session. If these details are left unattended, your SSL has a higher chance of failing and/or making your site load improperly, with errors.</p>
<p><strong>SSL Acceleration</strong> is a Cadillac solution for high-traffic eCommerce websites that want to maximize SSL capabilities. In simple terms, acceleration means offloading the SSL handshake and encryption/decryption work to a load balancer instead of consuming the web application server&#8217;s valuable resources to do it.</p>
<p>For eCommerce websites, SSL acceleration helps ensure optimal load times during peak traffic days (and weeks), but acceleration should not be considered a seasonal &#8220;nice to have&#8221;. On calmer shopping days, SSL acceleration allows eCommerce site administrators to protect <strong>more</strong> page content (perhaps even proprietary, non-public-facing page content) and use SSL technology the way it was intended &#8211; to protect all (or as much as possible) of the content located online from being intercepted and misused by cyber criminals.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fireblog.com/ssl-your-way-to-a-successful-cart/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Understanding the Whole PCI Compliance Pie – Which slice do you own?</title>
		<link>http://www.fireblog.com/understanding-the-whole-pci-compliance-pie-%e2%80%93-which-slice-do-you-own/</link>
		<comments>http://www.fireblog.com/understanding-the-whole-pci-compliance-pie-%e2%80%93-which-slice-do-you-own/#comments</comments>
		<pubDate>Tue, 30 Mar 2010 17:01:28 +0000</pubDate>
		<dc:creator>FireHost Evangelist</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[PCI Compliant Hosting]]></category>
		<category><![CDATA[Secure eCommerce Development]]></category>
		<category><![CDATA[secure managed hosting]]></category>

		<guid isPermaLink="false">http://www.fireblog.com/?p=3170</guid>
		<description><![CDATA[Fortunately, you are not alone in deciphering the PCI compliance code. Understanding which party owns what piece of this big PCI compliance pie is something that takes time and know-how to get your arms around. Once you become familiar with the standard, it will be easier to define which of the PCI compliance standards fall within your area of responsibility and which should be shared among the various parties responsible for providing the safest online shopping experience.]]></description>
			<content:encoded><![CDATA[<p>When you develop Web sites that collect payment via credit card for goods and services sold online, part of your responsibility is to establish and maintain PCI compliance. If followed properly, the Payment Card Industry Data Security Standard (current version 1.2) does a very effective job of providing a safe shopping experience for customers. However, achieving compliance is easier said than done, especially for startups and developers for small online retailers.</p>
<p>After reviewing the 200-plus sub-policies, procedures, activities, and technical nuances that make up the PCI Data Security Standard, most small and startup E-commerce companies will choose to outsource portions of their website operation to third party service providers. In this scenario, each party is independently responsible for maintaining control over compliance for their respective organization. You shouldn’t fall into the trap of assuming that someone else is handling your compliance needs. Everyone involved in your online store is responsible for a piece of the security compliance pie.</p>
<p>Anyone that touches or has access to credit card data in any capacity is responsible for PCI compliance, regardless of their role. This includes the online retailer, the Web application developer, and the hosting provider.</p>
<p><strong>The most important steps every E-Commerce developer should complete as they establish a PCI compliant business:</strong></p>
<ul>
<li>Step 1 &#8211; Become educated about the payment card industry mandates. Taking the time to become knowledgeable here can go a very long way.</li>
<li>Step 2 &#8211; Identify which portions of the PCI DSS you directly control and which items will be outsourced to third parties (a QSA &#8211; Qualified Security Assessor &#8211; can help with this step).</li>
<li>Step 3 &#8211; Select service partners that have expertise in protecting personally identifiable information (PII).</li>
<li>Step 4 &#8211; Thoroughly review each service partner&#8217;s ROC (report on compliance) to make sure there are no unfulfilled requirements or pending remediations for critical items.</li>
</ul>
<p>Achieving and maintaining PCI compliance for your entire online operation starts with the online retailer, since it’s the retailer’s name on the &#8220;front door,&#8221; not the hosting provider or developer’s company. The E-commerce retailer is the first and most pivotal piece of the pie because they are legally liable for breaches.</p>
<p>In fact, PCI DSS requirement 12.8 states that if cardholder data is shared with service providers, the retailer must maintain and implement policies and procedures to manage service providers. For example, the PCI DSS requires you to:</p>
<ul>
<li><em>12.8.1 Maintain a list of service providers.</em></li>
<li><em>12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.</em></li>
<li><em>12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.</em></li>
<li><em>12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.</em></li>
</ul>
<p>Being PCI compliant requires that your service providers be PCI compliant. Your organization&#8217;s security foundation is only as strong as the weakest link in your PCI compliance checklist, regardless of whether that link resides within your control or in the hands of a service provider you&#8217;ve chosen.</p>
<p>Let’s review another PCI DSS requirement to show how each party (retailer, developer, and hosting provider) plays a role in providing a secure, PCI compliant E-commerce experience:</p>
<p>Requirement 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:</p>
<ul>
<li><em>7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities</em></li>
<li><em>7.1.2 Assignment of privileges is based on individual personnel’s job classification and function</em></li>
<li><em>7.1.3 Requirement for an authorization form signed by management that specifies required privileges</em></li>
<li><em>7.1.4 Implementation of an automated access control system</em></li>
</ul>
<p>This requirement has several implications:</p>
<p><strong>1) Certain business activities performed by the retailer could fall into requirement 7.1. The retailer should oversee:</strong></p>
<ul>
<li>Granting privileges for acceptance (and procedures for disposal) of credit card information received via phone, fax, or email.</li>
<li>Granting permission for service reps to retrieve and input payment card information into the point of sale system if/when a “glitch” with the web application occurs.</li>
</ul>
<p><strong>2) E-commerce application developers are responsible for developing and maintaining the Web–to–database “tunnel” through which credit card information flows. Therefore, the Web developer’s piece of the pie includes:</strong></p>
<ul>
<li>Granting privileges for developers to create, test, and troubleshoot data provider connections that feed CC information from the web application to the DB (and potentially API connections that feed CC information into a payment processing gateway).</li>
<li>Granting privileges for managing encryption keys, and encryption key creation and retirement.</li>
<li>Assigning an emergency response chain of command and establishing who should and can access the systems if/when a malfunction occurs.</li>
<li>Assigning encryption key holder responsibilities.</li>
</ul>
<p><strong>3) The hosting provider definitely has physical access to the cardholder data, and in some instances virtual access as well. Therefore, requirement 7.1 applies to hosting providers as well. In this case, the hosting provider owns:</strong></p>
<ul>
<li>Granting privileges for physical access to data storage devices containing cardholder data, but also restricting specific access points to be only accessible to the tenant.</li>
<li>Assigning an emergency response chain of command that is an extension of both other parties’ emergency response chains to authenticate and respond to requests originating from other parties’ policies and procedures.</li>
<li>Restricting all access to key containers, repositories or other encryption key storage devices to the tenant to whom the keys belong.</li>
</ul>
<p>Fortunately, you are not alone in deciphering the PCI compliance code. Understanding which party owns what piece of this big PCI compliance pie is something that takes time and know-how to get your arms around. Once you become familiar with the standard, it will be easier to define which of the PCI compliance standards fall within your area of responsibility and which should be shared among the various parties responsible for providing the safest online shopping experience.</p>
<p>A version of <a href="http://www.ecommercedeveloper.com/articles/1764-Understanding-the-PCI-Compliance-Pie-and-the-Developer-s-Slice-of-It" target="_blank">this article</a> appeared in eCommerce Developer on March 30, 2010.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fireblog.com/understanding-the-whole-pci-compliance-pie-%e2%80%93-which-slice-do-you-own/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security, Speed, and Scalability for E-commerce: A Guide to Getting Started</title>
		<link>http://www.fireblog.com/security-speed-and-scalability-for-e-commerce-a-guide-to-getting-started/</link>
		<comments>http://www.fireblog.com/security-speed-and-scalability-for-e-commerce-a-guide-to-getting-started/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 13:00:21 +0000</pubDate>
		<dc:creator>FireHost Evangelist</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[eCommerce]]></category>
		<category><![CDATA[PCI Compliant Hosting]]></category>
		<category><![CDATA[Secure Cloud Hosting]]></category>
		<category><![CDATA[Secure eCommerce Development]]></category>

		<guid isPermaLink="false">http://www.fireblog.com/?p=3156</guid>
		<description><![CDATA[All new E-commerce businesses should address one vital question first and foremost: Will you collect and store payment card information on your Web site or offload credit card processing to a PCI compliant merchant like PayPal? The answer to this question is paramount and should be well thought out when you are planning and developing your E-commerce Web application.]]></description>
			<content:encoded><![CDATA[<p>All new E-commerce businesses should address one vital question first and foremost: Will you collect and store payment card information on your Web site or offload credit card processing to a PCI compliant merchant like PayPal? The answer to this question is paramount and should be well thought out when you are planning and developing your E-commerce Web application.</p>
<p>When feasible, outsourcing the storage and handling of credit cards to a trusted, capable, and PCI compliant payment processing provider is the most secure and most budget-friendly course of action. Even when you outsource payment processing (the riskiest piece of running an E-commerce business), you still must ensure your hosting environment can deliver speed and scalability that meets user expectation and includes security measures that protect your shoppers from a damaging hacker encounter.</p>
<p>Here are the tools and services that you should be looking for:</p>
<p><em><strong>Web Hosting Security Basics – the minimum requirements you need to transact business <span style="text-decoration: underline;">securely</span> online</strong></em></p>
<p><em>Redundant firewall protection</em> &#8212; Firewalls help stop cyber attacks before they can penetrate the network perimeter. Having firewalls tuned and working in tandem helps ensure protection for your E-commerce environment.</p>
<p><em>Web application protection</em> – In addition to traditional firewalls, you’ll need a Web application firewall (we call them WAFs). This technology helps protect E-commerce organizations from application-level attacks like SQL injection and Cross Site Scripting (XSS). Application-level attacks are those in which the hacker attacks the website itself: your contact forms, login boxes, etc. Traditional firewalls offer no defense against these kinds of attacks, so a WAF is required.</p>
<p><em>DoS/DDoS mitigation</em> &#8212; (Distributed) Denial of Service attacks hit your Web site with a flood of bot-driven fake visitors that consume all available resources, lock up your server, and take your Web site offline. DoS/DDoS mitigation devices help ward off such events by providing a barrier between your server and the IP flood.</p>
<p><em>SSL VPN (</em><em>Secure Sockets Layer virtual private network</em>) – It’s a mouthful, but it’s important to take note. SSL VPNs create a secure connection for remote users that will be administering the Web applications and hosting environment.</p>
<p><em>Vulnerability Monitoring</em> – Vulnerability monitoring services scan your Web application code around the clock looking for unexpected changes and malicious code that matches known “diseases” in the threat database. When a potential problem is uncovered, you’ll be notified so you can resolve the problem.</p>
<p><em>Antivirus protection – </em>Antivirus software works much the same way as vulnerability monitoring, however the target for AV scans is different. Rather than reviewing Web application code, Antivirus software reviews files and services stored on the physical server.</p>
<p><em>Two factor authentication</em> – 2FA requires website administrators to go through two layers of security before obtaining access to the hosting environment. Two factor authentication helps prevent the most common cause of data theft – password leaks. Two factor is unique because it challenges you with something you know and something you have.</p>
<p><em>Encrypted backup, service monitoring and response – </em>While these protective measures are available from most Web hosting companies, they’re not ALWAYS included. Make sure you know what you’re getting.</p>
<p><em><strong>Performance wish list – Cadillac hosting solutions that provide <span style="text-decoration: underline;">speed</span> and <span style="text-decoration: underline;">scalability</span> for SMBs on a Camry budget:</strong></em></p>
<p><em>High Availability</em> – The Web is the front door for your E-commerce site. When your Web site is offline, it is like bolting the door shut and surrounding your office building with caution tape. Really, it’s that serious. This is very discouraging to online shoppers. High availability hosting helps ensure your Web site is NEVER offline, even for necessities like patching, hardware upgrades, and other required maintenance.</p>
<p><em>CDN (Content Delivery Network)</em> – A CDN performs several important functions for online retailers. First, content delivery networks make Web site content available to users around the world. The service also helps ensure multi-media components (product photos, videos, demonstrations) load quickly for every user, regardless of where he/she is located. Finally, a CDN provides additional throughput when your Web site receives an unexpected spike in traffic. Oprah, bring it on!</p>
<p><em>Virtualization</em> – Virtualized servers are quickly scalable, but you need to make sure they are secure. Deploying upgrades, installing patches, and migrating hardware can happen in minutes if not seconds of scheduled downtime rather than the lengthy outages synonymous with traditional dedicated hosting of the past.</p>
<p>Successful E-commerce companies will require all of these performance features at some point. Migrating your Web application is always a risky and time-consuming proposition. While you&#8217;re small and agile you should align with vendors that can:</p>
<ol>
<li>Provide security and protection for E-commerce retailers on a budget;</li>
<li>Provide content acceleration for E-commerce startups with rich multi-media components and/or global distribution; and</li>
<li>Provide scalable server resources on demand with built-in business continuity planning.</li>
</ol>
<p>For E-commerce startups, developing a reliable Web application and backing it with a hosting environment that ensures maximum uptime, infinite scalability, and protection from hackers can feel like the most daunting task. Considering your long-term needs from the start can save you a world of pain, time, and money later when everything comes together and your online business soars.</p>
<p><em>A <a href="http://www.ecommercetimes.com/story/69577.html" target="_blank">version of this article</a> appeared in eCommerce Times on March 19, 2010.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.fireblog.com/security-speed-and-scalability-for-e-commerce-a-guide-to-getting-started/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Credit Card Processing: Between a Rock (Hackers) and a Hard Place (Compliance)</title>
		<link>http://www.fireblog.com/credit-card-processing-between-a-rock-hackers-and-a-hard-place-compliance/</link>
		<comments>http://www.fireblog.com/credit-card-processing-between-a-rock-hackers-and-a-hard-place-compliance/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 08:00:16 +0000</pubDate>
		<dc:creator>FireHost Evangelist</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[eCommerce Cybercrime Holiday 2009]]></category>
		<category><![CDATA[Online Shopping Safety 2009]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Secure eCommerce Development]]></category>

		<guid isPermaLink="false">http://www.fireblog.com/?p=2931</guid>
		<description><![CDATA[For many ecommerce developers, the thought of designing a system to store the credit card data of their clients’ customers is chilling. For good reason. If hackers can penetrate the network of a global enterprise, imagine what they can do to your clients’ small businesses. It’s a scary proposition, no doubt, but it shouldn’t keep you from going down that path when a project requires it.]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-full wp-image-2897" title="CSA_06" src="http://www.fireblog.com/wp-content/uploads/2009/12/CSA_06.png" alt="CSA_06" width="161" height="80" />For many ecommerce developers</strong>, the thought of designing a system to store the credit card data of their clients’ customers is chilling.</p>
<p>For good reason. Determined hackers can compromise the most sophisticated network by combining simple, free tools with a little effort. In fact, the cyber-criminals behind the famed TJ Maxx and Heartland Payment Systems breaches used <a href="http://www.fireblog.com/usa-today-cyberthieves-find-workplace-networks-are-easy-pickings">novice techniques</a> like war driving and SQL injection to access the retailers’ networks.</p>
<p>If hackers can penetrate the network of a global enterprise, imagine what they can do to your clients’ small businesses. It’s a scary proposition, no doubt, but it shouldn’t keep you from going down that path when a project requires it.</p>
<h3>Managing Credit Card Data</h3>
<p>The first (and perhaps most important challenge) you’ll face with such an ecommerce development project is credit card collection, storage, and handling. One of the easiest and least risky options is to offload, via an API, the storage and handling of credit card numbers to a payment gateway that “hides” credit card data – <a href="http://www.authorize.net/">Authorize.net</a>, <a href="http://paypal.com/">PayPal</a>, <a href="http://www.bluepay.com/">BluePay</a> or the like. If the credit card data is passed directly from the client (browser) to the gateway, without passing through your client’s web server, you’ll reduce your liability as the developer and help keep your client’s ecommerce site protected.</p>
<p>However, this solution may not work in all situations or for all clients, for at least a few reasons.</p>
<ol>
<li>Complicated recurring billing. If your client has a complicated recurring billing structure wherein payments vary in time, frequency, amount, or purpose; or if your client’s customers use purchase orders, your client may need to keep the raw credit card numbers available for the flexibility. Your client can still use tokens and offload the recurring billing to some credit-card-obscuring payment gateways as mentioned above, but again the need to process or manage customer data can be project specific.</li>
<li>Save on Interchange fees. All credit-card merchant-account providers charge an <a href="http://www.practicalecommerce.com/articles/975-Ecommerce-Know-How-Understanding-Your-Payment-Processing-Statement">Interchange fee</a>, and these fees can and do vary from provider to provider. So for some potential clients managing customer credit card data can be well worth the risk if doing so allows them to get a significantly better fee structure.</li>
<li>Offloading credit-card-storage is not enough. If credit card data passes through your client’s web server, whether the business stores that data or not, the system you develop needs to be PCI compliant. In short, whenever possible, choose a solution that never exposes your web server and your client’s ecommerce business to customer data. But when a project does call for credit data transfer or storage, you’ll need to build a Payment Card Industry compliant system that hackers cannot easily overcome.</li>
</ol>
<h3>Understanding the Requirement for PCI compliance</h3>
<p>The Payment Card Industry (PCI) <a href="http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">Security Standards Council</a> has established twelve <strong>mandatory</strong> practices and precautions that must be taken when handling, processing, storing, and transmitting credit card data. The effort necessary to achieve PCI compliance will vary depending on the state of your development and hosting environment in which the ecommerce application will reside. While the specific details of becoming PCI compliant would merit a separate article, it is important to remember that when a project calls for “touching” credit card information, PCI compliance is a must. Your ecommerce client cannot do business without being compliant.</p>
<h3>Cutting the Cost of PCI Compliance</h3>
<p>PCI compliance can be expensive. For example, building a PCI compliant system from the ground up may require enlisting the help of a Qualified Security Assessor (QSA) to shape the scope of your PCI compliance undertaking, a number of audits, and monthly scans. All of this may cost a Level 3 merchant (one that processes between 20,000 and 1,000,000 transactions each year) up to $155,000, according to the <a href="http://blog.elementps.com/element_payment_solutions/2009/02/pci-compliance-costs.html">PCI DSS Compliance Blog</a>.</p>
<p>The cost for smaller, Level 4 merchants, processing fewer than 20,000 transactions each year, varies greatly, but could be $2,500 or more according to <a href="http://www.braintreepaymentsolutions.com/">a payment gateway provider</a>.</p>
<p>As a savvy developer, you may be able to help your client defray some of these costs.</p>
<ol>
<li>Find a compliant host. Choose a web hosting environment that is already PCI compliant. If your client doesn’t need to own servers, consider a qualified, PCI compliant host.</li>
<li>Encourage processing in the client. The points above notwithstanding, choosing a solution that captures credit card data in the client, passing a token to your client’s web server, may be the best option.</li>
<li>Small merchants can do it themselves. Consider taking the “self assessment.” Level 2 and smaller merchants can self-assess rather than hiring a third-party to do the assessment, which can be a money saver.</li>
</ol>
<h3>PCI Compliance: You Need to Do It</h3>
<p>Achieving PCI compliance is not only mandatory for all ecommerce merchants, it also assures that you and your client have taken all the steps necessary to provide a safe shopping experience for your client’s website users. Taking the steps to secure your client’s environment before a security breach may go a long way with Visa, Mastercard, the PCI Council, and forensic auditors who will be performing due diligence should disaster strike.</p>
<p>In fact, mitigating a security breach may be more challenging and expensive for non-compliant companies. Forrester Research estimates that mitigation will cost an average of $200 for each person/credit card account that is compromised.</p>
<p>This article was featured in <a href="http://www.ecommercedeveloper.com/articles/1435-Credit-Card-Processing-Between-a-Rock-Hackers-and-a-Hard-Place-Compliance-" target="_blank">eCommerce Developer</a> on December 8, 2009.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fireblog.com/credit-card-processing-between-a-rock-hackers-and-a-hard-place-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>