According to Aaron Biddar, president of Control Scan, 40% of e-commerce sites comply with MasterCard's standards for data protection -- and he considers that number optimistic. (http://www.ecommercetimes.com/story/51756.html)
Most store owners aren't aware that there are established standards for protecting customer data, but they all know it's important. Getting hacked or inadvertently leaking customer data is almost always the end of an online shop -- not only do customers lose trust, but the business risks having its ability to process credit cards revoked.
With the risks so high, why is compliance so low? Three big reasons:
- Lack of awareness. The standards are typically not emphasized or included in merchant account contracts, compliance audits are practically unheard of, and standards generally aren't brought to the attention of business owners until after something has gone wrong.
- Too many standards. Visa has a standard. MasterCard has a standard. American Express and Discover have standards. There are government privacy and accounting standards (HIPAA, Sarbanes-Oxley). There are even standards that are combinations of different standards.
- High learning curve. Data security is a highly technical issue. The typical business owner doesn't understand firewalls, encryption standards, or application security, and neither do their customers. It's simply not possible to educate everyone about every aspect of security.
The best first step to securing an e-commerce shop is to put someone in charge of security, preferably someone on staff who has some technical knowledge of how your site works and how it's hosted. The person should also have a good rapport with staff who interact with your website and customers. It's important to make this an official role in your business, rather than an afterthought looked after by whomever has a spare moment.
Download, print, and keep handy a copy of the Payment Card Industry Data Security Standard (PCI-DSS) -- the closest thing there is to an industry standard, and the one most likely to be enforced by Visa and MasterCard. Although the PCI-DSS is fairly technical, it's important for your security person to understand its essential components and concepts. If they don't, it's worthwhile to contract a third party to help them through the learning curve and assist with issues specific to your web site. Finding the right person is worth writing another article about -- in the meantime, feel free to ask me questions.
Talk with your vendors. Some PCI-DSS requirements may be outside your direct control -- limitations imposed by your e-commerce platform, hosting company, or other third-party vendors can make it impossible to meet a requirement, or even to know whether you currently meet it. Savvy vendors should be able to offer solutions and advice to help you reach compliance, and those who know nothing about PCI-DSS should be made aware of the issues it raises.
The consortium behind the PCI-DSS is revising the standard in the next few months, based on feedback from vendors. The changes aren't expected to be particularly radical, and the core principles still apply, so the current PCI-DSS remains a very good guide to protecting customer data.
I'll post an update when those changes are published.
Are You Experienced?
I'm interested in hearing from people and vendors who have experience helping e-commerce sites become PCI-DSS compliant -- I work with a lot of e-commerce shops, and I'm always looking for vendors to refer clients to. Thanks!