Have you ever heard of Web application vulnerabilities, California’s SB 1386, or the security requirements of MasterCard’s Site Data Protection Program (SDP)? If you’re like many other online marketers, you haven’t. That’s because most i.merchants leave the planning, implementation, and maintenance of Website security to their hosting provider.
But if you’re selling online, you need to take responsibility for your site’s security, because the law holds you responsible, not your Web host or your outside development firm. You need to protect yourself and the information that customers entrust to you.
It’s the law
“Consumers have every right to expect that a business that says it’s keeping personal information secure is doing exactly that. It’s not just good business, it’s the law.” This statement, by the director of the Federal Trade Commission’s Bureau of Consumer Protection, sums up the government’s position on catalogers’ legal obligations.
In recent years, the FTC has pursued high-profile actions against major retailers, accusing them of promising more security than they delivered. For example, Tower Records’ privacy policy claimed that “we use state-of-the-art technology to safeguard your personal information” and that “your TowerRecords.com account information is password-protected. You and only you have access to this information.” An FTC investigation found that TowerRecords.com could easily be hacked and customer data easily exposed, contrary to those promises.
In each case against an online marketer, the FTC slapped the offending company with a consent order. When finalized, consent orders carry the force of law with respect to future actions and can produce large civil penalties as well as damage a company’s image. Certainly negative publicity will be the biggest penalty should Tower Records allow its security to once again become shoddy.
What happens in Sacramento affects you
The long arm of government regulation also reaches down to the state level, particularly if you do business with California residents. California’s initiatives, championed by legislators such as State Sen. Jackie Speier (D), generally apply to any company that does business with state residents, regardless of where the company is located.
California’s SB 1386 is a starting point. The law, which went into effect in July 2003, applies to any business, government or nonprofit agency, or individual that electronically stores unencrypted confidential information (such as Social Security, driver’s-license, or credit-card numbers) about California residents. If you discover that the system holding this information has been breached, you must notify every individual whose information could have been taken. Failure to do so can expose you to civil damages and lawsuits.
Finding out you’re SDP compliant: priceless
You may have already received a letter from your acquiring bank (the bank your company uses to accept credit-card transactions) about compliance with the credit-card associations’ mandated security programs. Visa’s Cardholder Information Security Program (CISP) and MasterCard’s SDP program are designed to enforce security standards across your organization and Website.
Visa’s program has three merchant levels; levels one and two are the most comprehensive and require onsite audits, whereas level three is intended for smaller marketers. If you are a large company, processing more than 6 million Visa offline and online transactions annually, your CISP compliance deadline has already passed. The next tier, for marketers processing 500,000-6 million transactions a year, must be in compliance by March 31, 2005. If you process fewer than 500,000 transactions annually, your CISP compliance is at the discretion of your acquiring bank.
MasterCard, however, requires SDP compliance regardless of how many MasterCard transactions a business processes. The program consists of a regular vulnerability scan by an approved security assessor plus a self-assessment questionnaire. If your monthly e-commerce gross dollar volume exceeds $50,000 or you process more than 1,000 transactions a month, you must run a quarterly vulnerability scan; all others can run an annual scan.
Visa and MasterCard are working to coordinate compliance. For small companies, reciprocity already exists; meet the SDP standards and Visa will accept them, and vice versa. American Express and Discover, which have similar programs in development, will accept an SDP report of compliance as well.
Visa and MasterCard have also been busy trying to convince online marketers and consumers to adopt cardholder-authentication programs. Visa’s Verified by Visa (VbV) and MasterCard’s SecureCode launched in 2001 and 2002 respectively. So far Visa has signed up 17,000 marketers for VbV, while MasterCard has enlisted 25,000 marketers in SecureCode — rather modest numbers, to be sure.
A primary reason for the slow adoption is that the programs raise shopping-cart abandonment rates because they insert an additional step into the checkout process. Cardholders receive a password from their card issuer that they must enter when making a purchase. What’s more, online marketers have to modify their shopping carts and systems so that the shopper is handed off to a separate connection with the issuing bank to enter that password; the password never passes through the merchant’s systems.
The lack of adoption is unfortunate, because both programs provide considerable benefits. Visa offers an interchange reduction on every transaction in which a VbV authentication was attempted, as well as chargeback protection on card-not-present transactions. SecureCode merchants receive a similar interchange reduction, though only on transactions that are actually authenticated.
A patch in time saves nine
One can’t emphasize enough that even if a third party hosts your Website, you remain responsible if your server is hacked and the information is accessed. If you use a Web-hosting vendor, make sure that reliability, availability, and security are not just marketing buzzwords. Expect to pay at least $100 a month for reliable business-class hosting on a dedicated server.
If you host your site yourself, you no doubt know that applying the most recent patches for all servers and software is a basic tenet of good online security. But even if every server and application is fully patched, you still won’t be safe from hackers. The most overlooked and misunderstood vulnerabilities are Web application vulnerabilities: flaws in the custom code of your own shopping cart, account pages, and order-status lookups, which no vendor patch can fix because the vendor never wrote that code. Finding and fixing them takes skills your IT staff or consultant may not have, so you may need to bring in a third party for this area.
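To make the distinction concrete, here is an added example (not code from the article or from ScanAlert) of the kind of flaw a fully patched server still carries. It is a hypothetical order-status lookup, written in Python against an in-memory SQLite table with constructed sample rows; the table name, column names and customer data are assumptions for illustration. The first function pastes the shopper-supplied order number into the SQL text, so a crafted value returns every customer’s order; the second binds the value as a parameter, rejects non-numeric input, and checks that the order belongs to the logged-in customer.

```python
"""Illustrative Web application vulnerability and its fix (added example).

The orders table and its rows are constructed for this demonstration and
are not from the article."""
import sqlite3


def build_db():
    """Create an in-memory database with a few constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER, customer TEXT, card_last4 TEXT, total REAL);
        INSERT INTO orders VALUES (1001, 'alice', '4242', 59.95);
        INSERT INTO orders VALUES (1002, 'bob',   '1881', 120.00);
        INSERT INTO orders VALUES (1003, 'carol', '0005', 15.50);
    """)
    return conn


def lookup_order_vulnerable(conn, customer, order_id):
    """Vulnerable: the order number from the request is spliced into the
    query text, so attacker-controlled input can change what the query
    means. Nothing in the OS or web server can detect this."""
    sql = (
        "SELECT id, customer, card_last4 FROM orders "
        f"WHERE customer='{customer}' AND id={order_id}"
    )
    return conn.execute(sql).fetchall()


def lookup_order_fixed(conn, customer, order_id):
    """Hardened: validate the input type, bind it as a parameter so it can
    never be parsed as SQL, and keep the ownership check in the query so a
    shopper cannot read another customer's order by guessing its number."""
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer=? AND id=?"
    return conn.execute(sql, (customer, oid)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A legitimate shopper looks up her own order: both versions agree.
    print(lookup_order_vulnerable(db, "alice", "1001"))
    print(lookup_order_fixed(db, "alice", "1001"))
    # A tampered order number turns the vulnerable query into "... OR 1=1"
    # and dumps every row; the fixed version returns nothing.
    print(lookup_order_vulnerable(db, "alice", "1001 OR 1=1"))
    print(lookup_order_fixed(db, "alice", "1001 OR 1=1"))
    # Even a well-formed number for someone else's order is refused.
    print(lookup_order_fixed(db, "alice", "1002"))
```

The tampered value works because SQL evaluates `AND` before `OR`, so the ownership clause is simply bypassed; a vulnerability scanner of the kind the card associations require is designed to find exactly this class of flaw by sending such inputs to your live site.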
You can opt not to patch, as many companies do, citing the time and effort it takes to find and close holes. Unfortunately these companies also regularly fall victim to virus and worm outbreaks, on top of running the risk of Website defacement, database theft, and employee identity theft.
Consider the cost of patching a system part of the expense of running a responsible business. You can buy or license automated tools and services to make the job as quick as possible. Whatever patching costs, the cost to fix, repair, or replace after a compromise is much higher. If an unpatched server vulnerability lets a worm like Sasser into your network, the headaches for your employees and IT staff will be considerable.
Fear of hackers
While e-commerce is of course increasingly common, fear of hackers and identity theft still keeps millions from shopping online. Studies have shown that trustmarks — third-party certification, complete with a seal of approval to place on your site — can lift conversion rates. Your Website may actually be close to bulletproof, but without a trustmark your customers have no way to know that. Services of this kind, provided by companies such as Los Angeles-based Bizrate, San Francisco-based TRUSTe, Mountain View, CA-based VeriSign, and my company, Napa, CA-based ScanAlert, not only improve your security by conducting regular audits, but also provide a competitive advantage.
Online security is not an event; it is an ongoing process of planning and implementation. In my company’s experience of auditing and certifying the daily security of more than 50,000 Websites, I’ve found that 99% of Websites need to increase their security in order to meet current regulations and keep hackers out.
Ken Leonard is CEO of ScanAlert, an online software security provider in Napa, CA.