Computerworld - With the arrival of the holiday shopping season, online retailers are gearing up for their busiest time of the year. But this season, merchants need to take extra steps to fine-tune their Web sites and secure consumer data if they are going to ensure safe online shopping.
The onslaught of highly publicized online breaches and identity theft scams, including the very public exposure of more than 40 million consumer credit cards earlier this year (see ("Security breach may have exposed 40M credit cards"), have prompted credit card companies to insist on further measures to help ensure the security and privacy of their members' confidential information. With the introduction of new security measures, they are mandating that their retailers meet a certain level of compliance in an attempt to enforce better protection for their customers.
Visa International Inc.'s Cardholder Information Security Program and MasterCard International Inc.'s Site Data Protection program require merchants to meet certain standards for safeguarding account data. Now Visa and MasterCard have begun requiring retailers -- banks, merchants and member service providers -- to comply with the Payment Card Industry (PCI) Data Security Standards, which offer a single approach to safeguarding sensitive data for all card brands. Failure to comply with these security standards may result in fines, restrictions or permanent expulsion from card acceptance programs.
According to PCI documentation, "the most elusive vulnerabilities are those introduced through custom-developed e-commerce applications." These applications are used to conduct online transactions or support holiday marketing initiatives. In fact, Gartner Inc. has estimated that 75% of online attacks target Web applications.
However, many organizations remain focused on network-based vulnerabilities and continue to do very little to protect online applications. Network testing is not enough. Companies need to address the increasing threat of Web application vulnerabilities to secure their customer's information from breaches.
Smart companies will use this PCI standard as the motivation for putting their entire security and privacy compliance programs in order. Complying once and then forgetting about it until the next audit is bad practice. To successfully drive more business through the online channel, organizations cannot ignore Web privacy and application security. Only through a combination of dedication, education, business process improvement and risk management technology will companies be able to take back control of the online channel.
Meeting the PCI 12 basic requirements is a great starting point, but to fully protect consumer data and implement a comprehensive online risk management strategy, organizations must also enforce policies that include ongoing compliance monitoring procedures. Consider these recommendations to encourage
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
