http://www.foxnews.com/scitech/2010/03/22/cybercrime-small-town-problem/

BOA has raised the rates on one lawyer’s credit card, up to an astounding 28%.

The lawyer is now suing BOA.

http://us.cnn.com/video/?/video/us/2010/01/07/hln.roberts.credit.card.revolt.cnn

While the breech was contained within about an hour, it reflects just how vulnerable even the biggest e-commerce sites really are.

More info about the incident available on CNN: http://www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html

This brings the question: How safe is a mom-and-pop e-commerce site for credit card processing?

The answer can be quite safe, if it is coded properly.

Here are some good rules of thumb to go by…

1) Those sites that are not secure, are the first to go– Allowing other sites to see the breech and improve their defenses.

Many e-commerce websites are not coded with basic security measures– having an .htaccess file that provides an extra login prompt before getting to an admin page, having an admin directory labeled something obscure, having secure passwords, removing “powered by [e-commerce platform name]” from the footer and source code, having an SSL Certificate, and other common measures.

These small sites that are not coded with security measures, are generally the first to go.  They are hacked easily, and are hacked first before the hacker-bots can get through the secondary precautions set up on more properly secured sites.

This lets more secured sites see the breech, and gives them a chance to cure the issue on their own site, before the hack-bots can get through their second line of defenses.  So ecommerce sites that have added a secondary .htaccess login, an obscure admin directory, and a more complex password can generally see the threat in time, and often the fixes to their ecommerce platform has been released in forums and can be installed before the breech can ever get through.

Some cutting-edge e-commerce platforms, such as the Magento online shopping cart software, will alert the Admin that there is a security patch.  (The same is true of Wordpress, the popular Content Management System site owners often use to edit their website’s own content).

The lesson is: Have a professional ecommerce web design firm secure your site!  And monitor your ecommerce site for updates, regularly installing those security patches!

2)Follow PCI Compliance, and Then Some.

PCI Compliance is a great law, although being PCI Compliant does not mean that your credit card processing website is 100% hacker proof.

PCI Compliant simply means following some rules such as adding an SSL.  While that does help encrypt, PCI Compliance still allows for credit card data to be saved to a server.  Generally, it would take a hacker bot about 3 months to break through the encryption of an SSL Certificate… and if the hacker does break through and get into the site, it may therefore have access to all your store’s credit card numbers if they were saved on your site’s own server.

To be safe, the best strategy is to never save credit cards to your own server.  Several ISO’s are compatible with certain Gateways and Shopping Carts that will allow the data to be sent through the site to the Gateway, thereby passing the data through without saving it to the merchant’s own website.

And if a record of a transaction is ever desired to be saved, such as for void/returns or automatic recurring billing, then a token may be saved in place of a credit card number (a token being a line of encrypted data referencing a particular order number, that is then associated with the credit card at the Gateway level).  This means that if someone does hack the site, they have a token that is only useful for re-ordering the same product to the same address/customer, rather than obtaining a full credit card number that can be used elsewhere.

3) Amazon and Walmart were hacked because someone was directly targeting them.

If someone who is a top hacker wants to get into your site, they generally will be able to.

Most mom-and-pop ecommerce sites are not individually selected by a major hacker.  Usually, robots scan for the weak sites, searching for the easiest point of entry, and hack those other sites… so as long as you are secure, and stay current with your platform’s security patches, your site should be in good standing.

4) Be on a reliable ecommerce hosting company.

Some hosting companies are frequently hacked at the server level at the hosting company itself, allowing hackers to have access to hundreds of sites in one fell swoop.

By being with a reliable hosting company (we can recommend a few), you are giving your site an extra layer of protection.

Also, being with a website hosting company that provides management and has ecommerce technicians within their company to help you if a breech should ever arise, is also a great perk to be on the look for when choosing an ecommerce hosting provider.

5) Place your ecommerce website on a secure shopping cart, such as Magento Commerce.

Some shopping carts are easier to hack than others.  Being on cutting-edge software has its advantages.

CitiBank has just been hacked, resulting in tens of millions of dollars stolen.

You may read more details at FoxNews: http://www.foxnews.com/politics/2009/12/22/fbi-probes-hacks-citibank-govt-agency/

PCI Compliance laws couldn’t come soon enough, however they do not mean a merchant’s site will have 100% protection from the elements.

We strongly caution merchants with this bit of truth:

If a hacker wants into your site, they will get into your site. Earlier this year hackers were able to tap into the Whitehouse, Pentagon, and even the Dalai Lama’s personal staff office (an office that is secret, constantly mobile to avoid detection, and otherwise very secure).

Our suggestion to merchants…

How To Protect Your E-Commerce Site

1) Change your password regularly to your website shopping cart admin, hosting account, FTP, and credit card processing gateway; do this at least once a month.

2) Use strong characters in your password (contain at least one Capital letter, some random lower case letters, a few numbers, an asterisk*, and an exclamation point !).

3) Ensure your admin login is not in a simple directory like /admin/ or /login/ , rather an obscure directory like /Hg*9jMM4!/

If your admin login is in a simple directory, it reflects the work of amateur e-commerce programmers, which is a sign they may not have taken other security precautions with your site.

Hacker Robots can easily guess your directory, if it is a simple directory, and are therefore already half-way through cracking your site’s walls.

4) Replace your SSL Certificate every 3 months.

Many hosting companies suggest buying a 1 year or 3 year SSL.  In truth, a Hacker Robot can usually crack through an SSL within about 3 months.  You should refresh your SSL regularly with new codes, especially if you are a high-volume or high-ticket site.

5) Do not save credit card numbers to your own hosting database. There is no need to do this in modern times, as Automatic Recurring Billing and Repeat Orders can now be saved much more securely via the ISO Company’s back-end processor.

6) Have a notable e-commerce firm, such as A Creative LLC, install your shopping cart and your gateway.

7) Process with a notable ISO company.  Contact us, we are happy to consult you.

A credit card with an APR of 79.9% has been issued by First Premier Bank.

This has been done as a move to hedge against the new federal laws restricting annual fees; to compensate, this high-risk credit issuer had to raise the APR to 79.9%.  The card has a $300 credit line and is intended for those who have bad credit to start making good credit again.

Card holders used to pay $256 up-front for the card as a fee, which would offset the old credit line of $250 in case the card holder ever defaulted.

More on: http://www.foxnews.com/story/0,2933,580523,00.html

http://creatuity.com/blog/2009/03/02/default-magento-template-not-facta-compliant/

What is FACTA Compliance?
FACTA Compliance is a U.S. law passed in 2003, that says Merchants can not print the expiration date of a credit card on a receipt.  It is a positive effort to help deter credit card fraud.

How is a 2003 Law Having Such Impact Today?
Many e-shopping carts are programmed by Germans (German’s make good engineers!).  The shopping carts are also geared towards Merchants world-wide.  Therefore, even new cutting-edge shopping carts like Magento Commerce (www.MagentoCommerce.com) fall short for their U.S.-based merchants and require programmers to customize the code to make the Merchant’s website FACTA Compliant.

The current drawback to FACTA Compliance?
While it is great in consumer protection, it means there are a lot of old credit card processing systems and online e-commerce shopping carts pre-programmed to print a customer’s credit card expiration date.  This means for Merchants to be FACTA compliant, they may have to revamp their shopping carts.  The above link is a resource for the fix with Magento Shopping Cart.  We have excellent PCI Compliance experience and our sister business is an e-commerce Web Design company– we are happy to help Merchants adjust to PCI Compliance and FACTA Compliance!

http://www.cnn.com/2009/TECH/12/07/identity.theft.costs/index.html

Present times are providing a lot of press for the industry.

With PCI Compliance rules requiring sweeping changes, and Interchange Rates fluctuating, be sure to check back regularly for news and updates!