Earth Skater Shopping Cart Web Hosting
Protect Sensitive Data with the Customer Information Manager
Protecting customers' sensitive payment information is one of the
biggest challenges for companies of all sizes. As all merchants are
required to comply with the Payment Card Industry Data Security Standard (PCI DSS), more and
more companies are looking for solutions that can help them with the
often-daunting task of maintaining data security.


The Authorize.Net Customer Information Manager (CIM) is a
perfect solution for any merchant concerned about protecting
sensitive data.
CIM stores payment and shipping information on
our secure servers, and generates a profile ID to be submitted in
place of customer information in future transactions. By only
submitting the profile IDs in your transaction requests, you limit
the possibility of unauthorized access to secure information,
simplify PCI DSS compliance and make it easier to process
transactions for repeat customers. Merchants using CIM can access
customer profiles and issue transactions from a website using the
CIM API, or manually from within the Merchant Interface.
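As an added illustration of the profile-ID pattern described above (example code written for this page, not Authorize.Net's CIM implementation and not a call into the CIM API), the following Python models both sides of the arrangement: a stand-in gateway vault that issues opaque profile IDs, and a merchant store that keeps only the ID and builds later transaction requests from it. It also includes the check a practitioner would run over their own records and logs to confirm the card number never leaked: a scan for 13 to 19 digit runs that pass the Luhn check. The class names, the `cp_` prefix and the test card number are constructed for the example.

```python
"""Profile-ID (tokenization) pattern: the merchant keeps only an opaque
profile ID while the card number lives only in the gateway's vault.
Added illustration; GatewayVault is a hypothetical stand-in for the
gateway side, not the real CIM service."""
import json
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell card-number-like strings from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# A run of 13-19 digits not adjacent to other digits: the shape of a PAN.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """True if the text holds a digit run that passes Luhn (a likely card number)."""
    return any(luhn_valid(m) for m in PAN_PATTERN.findall(text))


class GatewayVault:
    """Hypothetical gateway side: stores the card, hands back an opaque ID."""

    def __init__(self) -> None:
        self._profiles = {}

    def create_profile(self, card_number: str, expiry: str) -> str:
        if not (card_number.isdigit() and luhn_valid(card_number)):
            raise ValueError("invalid card number")
        # Non-numeric prefix plus a random URL-safe token: never looks like a PAN.
        profile_id = "cp_" + secrets.token_urlsafe(12)
        self._profiles[profile_id] = {"pan": card_number, "exp": expiry}
        return profile_id

    def charge(self, profile_id: str, amount_cents: int) -> dict:
        card = self._profiles[profile_id]  # KeyError for an unknown profile
        return {"approved": True, "amount_cents": amount_cents, "last4": card["pan"][-4:]}


class MerchantStore:
    """Merchant-side database: stores the profile ID, never the card."""

    def __init__(self) -> None:
        self.customers = {}

    def save_customer(self, email: str, profile_id: str) -> dict:
        record = {"email": email, "profile_id": profile_id}
        self.customers[email] = record
        return record

    def transaction_request(self, email: str, amount_cents: int) -> dict:
        """Repeat purchase: the profile ID stands in for the card data."""
        return {"profile_id": self.customers[email]["profile_id"],
                "amount_cents": amount_cents}


def demo() -> dict:
    """Runs one enrolment and one repeat charge, then scans the merchant's data."""
    vault = GatewayVault()
    store = MerchantStore()
    # Constructed sample: a standard Visa test number, not a real card.
    pid = vault.create_profile("4111111111111111", "1225")
    record = store.save_customer("buyer@example.com", pid)
    request = store.transaction_request("buyer@example.com", 1999)
    result = vault.charge(request["profile_id"], request["amount_cents"])
    return {
        "merchant_record_has_pan": contains_pan(json.dumps(record)),
        "request_has_pan": contains_pan(json.dumps(request)),
        "last4": result["last4"],
        "approved": result["approved"],
    }


if __name__ == "__main__":
    print(demo())
```

The `contains_pan` scan is the part worth keeping around: run it over database dumps, application logs and support tickets, since a profile-ID integration only reduces PCI scope if the card number genuinely never lands anywhere on the merchant's side.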


CIM is an ideal tool if you:
+ Are concerned with PCI DSS compliance
+ Do not want the responsibility of storing
sensitive information on your own servers
+ Want to provide repeat customers with the
convenience of not re-entering personal data
+ Process recurring transactions where the
date and/or amount is different each month (e.g. utility
companies), or process charges only when the service is used
(e.g. pay-as-you-go cell phones)
 

Earth Skater is certified by Authorize.net for CIM integration as well as AIM, ARB, and eCheck.


info@earthskater.net @ 19:57 | Permanent link


PCI Compliance for Merchants, Developers, Web Host


When you are involved with E-Commerce websites that collect credit card payments, part of your responsibility is to establish and maintain the sites' PCI compliance.

If followed properly, the Payment Card Industry Data Security
Standard (PCI DSS) does an effective job of providing a safe shopping
experience for customers. However, achieving compliance is easier said
than done, especially for startups and small online retailers.

Important Steps
  • Become educated about the payment card industry mandates, and keep learning as you go.

  • Identify which portions of the PCI DSS you directly control and
    which items will be outsourced to third parties. A Qualified Security
    Assessor can help with this step.

  • Select service partners that have expertise in protecting personally identifiable information.

  • Review each service partner's "report on compliance" to make
    sure there are no unfulfilled requirements or pending remediation for
    critical items.

Merchants Are Responsible

The ecommerce retailer is the first and most pivotal piece of the
PCI compliance pie because the company is legally liable for breaches.

In fact, PCI DSS requirement 12.8 states that if cardholder data is
shared with service providers, the retailer must maintain and implement
policies and procedures to manage service providers. This includes:

  • 12.8.1 Maintain a list of service providers.

  • 12.8.2 Maintain a written agreement that includes an
    acknowledgement that the service providers are responsible for the
    security of cardholder data the service providers possess.

  • 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

  • 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.

Remember that a merchant's security foundation is only as strong as
the weakest link in its PCI compliance checklist, regardless of whether
the link resides within its control or in the hands of a service
provider it has chosen.

Limit System Access: Who Is Responsible for What

Requirement 7.1 states there should be limited access to system
components and cardholder data. Only those individuals whose job
requires such access should have it. Access limitations must include
the following:

  • 7.1.1 Restriction of access rights to privileged user IDs to the least privileges necessary to perform job responsibilities

  • 7.1.2 Assignment of privileges is based on individual personnel’s job classification and function

  • 7.1.3 Requirement for an authorization form signed by management that specifies required privileges

  • 7.1.4 Implementation of an automated access control system
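The four sub-requirements above map onto a small piece of enforcement code. The following Python is an added illustration written for this page (not from the PCI DSS, Earth Skater or any real access-control product): privileges are attached to job functions rather than people (7.1.2), an assignment is refused without a recorded management approver (7.1.3), every decision is made automatically with default deny and written to an audit trail (7.1.4), and a review function lists any privileges granted beyond a role's minimum set (7.1.1). All role, user and privilege names are constructed.

```python
"""Automated, least-privilege access control in the shape PCI DSS 7.1
describes. Added illustration; every role, user and privilege name is
constructed for the example, not taken from a real system."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# 7.1.2: privileges follow the job function, not the individual.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "support_rep": {"orders:read"},
    "developer": {"app:deploy", "logs:read"},
    "key_custodian": {"keys:rotate"},
    "dba": {"cardholder_db:read"},
}


@dataclass
class Assignment:
    user: str
    role: str
    approved_by: Optional[str] = None                 # 7.1.3: management sign-off
    extra_privileges: Set[str] = field(default_factory=set)


class AccessController:
    """7.1.4: an automated, default-deny decision point with an audit trail."""

    def __init__(self) -> None:
        self.assignments: Dict[str, Assignment] = {}
        self.audit_log: List[Tuple[str, str, str]] = []

    def assign(self, a: Assignment) -> None:
        if a.role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {a.role!r}")
        if not a.approved_by:
            raise PermissionError("assignment lacks management authorization (7.1.3)")
        self.assignments[a.user] = a

    def privileges_of(self, user: str) -> Set[str]:
        a = self.assignments.get(user)
        if a is None:
            return set()                 # unknown users hold nothing
        return ROLE_PRIVILEGES[a.role] | a.extra_privileges

    def is_allowed(self, user: str, action: str) -> bool:
        """Every decision is computed, not eyeballed, and every decision is logged."""
        allowed = action in self.privileges_of(user)
        self.audit_log.append((user, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def excess_privileges(self) -> Dict[str, Set[str]]:
        """7.1.1 review: anything granted beyond the role's minimum set."""
        return {a.user: a.extra_privileges
                for a in self.assignments.values() if a.extra_privileges}


def demo() -> AccessController:
    """Two constructed assignments and two access decisions."""
    ac = AccessController()
    ac.assign(Assignment("alice", "support_rep", approved_by="ops_manager"))
    # Bob's extra grant is outside his role and should surface in review.
    ac.assign(Assignment("bob", "developer", approved_by="eng_manager",
                         extra_privileges={"cardholder_db:read"}))
    ac.is_allowed("alice", "orders:read")
    ac.is_allowed("alice", "cardholder_db:read")
    return ac


if __name__ == "__main__":
    ac = demo()
    print(ac.audit_log)
    print("excess:", ac.excess_privileges())
```

The `excess_privileges` review is the piece an assessor will ask about: a periodic run of it, with the output reconciled against signed authorization forms, is the evidence that 7.1.1 and 7.1.3 are being maintained rather than just declared.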

Implementing Requirement 7.1

Requirement 7.1 has several implications. They are:
  1. The ecommerce retailer should oversee:

    • Granting privileges for acceptance (and procedures for disposal) of credit card information received via phone, fax, or email.

    • Granting permission for service reps to retrieve and input
      payment card information into the point of sale system if/when a
      “glitch” with the web application occurs.

  2. Ecommerce application developers are responsible for
    developing and maintaining the web–to–database “tunnel” through which
    credit card information flows. Therefore, the web developer’s piece of
    the pie includes:

    • Granting privileges for developers to create, test, and
      troubleshoot data provider connections that feed credit card
      information from the web application to the database (and potentially
      API connections that feed credit card information into a payment
      processing gateway).

    • Granting privileges for managing encryption keys, and encryption key creation and retirement.

    • Assigning emergency response chain of command and establishing
      who should and can access the systems if and when a malfunction occurs.

    • Assigning encryption key holder responsibilities.

  3. The hosting provider definitely has access to the
    cardholder data. Therefore, requirement 7.1 applies to hosting
    providers as well. In this case, the hosting provider owns:

    • Granting privileges for physical access to data storage devices
      containing cardholder data, but also restricting specific access points
      to be only accessible to the tenant.

    • Assigning an emergency response chain of command that is an
      extension of both other parties’ emergency response chains to
      authenticate and respond to requests originating from other parties’
      policies and procedures.

    • Restricting all access to key containers, repositories or other
      encryption key storage devices to the tenant to whom the keys belong.

Summary

Once you become familiar with the standard, it will be easier to
define which of the PCI compliance standards fall within your area of
responsibility and which should be shared among the various parties
responsible for providing the safest online shopping experience.

Reference:
http://www.ecommercedeveloper.com/articles/1764-Understanding-the-PCI-Compliance-Pie-and-the-Developer-s-Slice-of-It


info@earthskater.net @ 11:23 | Permanent link


© 2010 Earth Skater