Just like you wouldn't leave your physical store, home or workplace without any kind of security, you can't afford to leave your online presence unprotected. Today, there are potential threats in every direction, and the internet is certainly no different. For those websites and eCommerce platforms which aren't PCI Compliant, these threats can be a lot more dangerous. Without the highest levels of protection, it's only a matter of time before a hacker or other form of criminal manages to obtain valuable information, such as customer details or, in the worst circumstances, credit card or PayPal details.
Not all of these threats arrive over the internet, though. Some of the most serious come from much closer to home, in the form of mistakes made, or deliberate criminal behaviour, by your own employees.
First Of All, What Is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that applies to every business and organisation which stores, processes or transmits payment card data, whether the transaction happens online or in a shop. If your company handles debit or credit card information in any way, you must provide a secure environment for it. In practice, any business that holds a Merchant ID (MID) with an acquiring bank needs to be PCI compliant.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7th, 2006, to manage the evolution of the PCI Data Security Standard and to keep it current against new threats. As online payments became common, more and more criminals set out to exploit the process, often successfully and at great cost to merchants and cardholders. The PCI DSS is maintained by the PCI SSC, which was founded by the major card brands: Visa, MasterCard, American Express, JCB and Discover.
Although the PCI SSC maintains the standard, it is important to note that the Council does not enforce compliance with it. That duty lies with the payment brands and the acquiring banks, which impose the requirements on merchants through their contracts.
Protecting Your Website From Hackers And External Threats
Today's attacks are largely automated and quiet, and many are only detected after the damage has been done. Making certain that your website meets the PCI DSS is not a guarantee against intrusion, but it is one of the most effective baselines you can adopt, because the standard forces you to patch, restrict access, separate card-handling systems from the rest of your network and monitor what is happening on them.
1. Be Aware Of Their Motivations – Most of us, when we think of digital hacking and intrusion, immediately associate it with attempted theft. This is a major motivator, and certainly the most common reason that someone might try to access your website illegally.
However, some hackers break in for the excitement of it, or to make a point. These can be the most destructive, particularly if they gain control over any part of your website or eCommerce process. They may simply wipe your records and customer data, use your site to infect your customers' computers, or replace all of your content with a message of their own. Destroying your reputation online is well within the abilities of anyone who has gained access to your site, so there is more than your customers' money and personal information at stake.
Whilst you can never truly undo the damage done by a hacker, you can take steps to prevent it. Even basic protection, so long as it meets the PCI DSS requirements, deters a large proportion of opportunistic attackers. Thieves tend to steal from people who leave their doors unlocked, and digital thieves are no different: automated scanners look for the easiest targets first.
2. Keep Yourself Updated – Make sure that you and your team don't fall behind in recognising and understanding current attack techniques. Even a basic knowledge of what is possible lets you take steps to prevent it. By following dedicated websites and blogs, such as The Hacker News, you will know when a newly published vulnerability or technique means you need fresh protection in place.
Keeping your software patched is just as important. Many companies only update when they are forced to, typically after a data breach. Unpatched software is exposed to every publicly known vulnerability affecting that version, and once an exploit for a weakness is published it spreads quickly among attackers and is built into automated scanning tools, so the window between disclosure and exploitation is short.
3. Tighten Up Access Control – The administration interface of your website offers the most potential for damage. If a hacker or unauthorised person gets into it, they can do a great deal of harm, including changing passwords to lock out legitimate administrators.
Good ways to limit this exposure are to rate-limit login attempts within a given time window and lock the account or source address after repeated failures, to set up alerts so that you are notified when someone tries to reach your admin interface, and never to send login details via email or other channels that a third party can read. The PCI DSS also requires multi-factor authentication for administrative access to the systems that handle card data, so add a second factor to admin logins rather than relying on passwords alone.
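The following is an added example, not code from the original article or from Advansys, showing how the first two of those measures fit together: a sliding-window limiter that locks an (account, source address) pair after repeated failed admin logins and raises an alert when it does. The thresholds, the credential store and the client addresses are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

# Constructed policy: 5 failures in 15 minutes locks the pair for 30 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60


class LoginGuard:
    """Sliding-window limiter for admin login attempts with an alert hook.

    Failures are keyed by (username, client IP): an attacker cannot lock out a
    legitimate admin by hammering the username from elsewhere, yet repeated
    failures from one source are still caught.
    """

    def __init__(self, alert, now=time.time, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self._alert = alert            # callable(str): page the on-call, write to SIEM, etc.
        self._now = now                # injectable clock so the logic can be tested offline
        self._max = max_failures
        self._window = window
        self._lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self._window:
            q.popleft()

    def is_locked(self, username, ip):
        key = (username, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._now() >= until:          # lock expired: clear state and allow
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, username, ip):
        """Record a failed attempt; return True if it triggered a lockout."""
        key = (username, ip)
        now = self._now()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self._max:
            self._locked_until[key] = now + self._lockout
            self._alert(f"lockout: {self._max} failed admin logins for "
                        f"{username!r} from {ip} within {self._window}s")
            return True
        return False

    def record_success(self, username, ip):
        self._failures.pop((username, ip), None)


def attempt_login(guard, username, password, ip, check_password):
    """Return 'locked', 'denied' or 'ok'. The lock check comes first, so a
    correct password does not bypass an active lockout."""
    if guard.is_locked(username, ip):
        return "locked"
    if check_password(username, password):
        guard.record_success(username, ip)
        return "ok"
    guard.record_failure(username, ip)
    return "denied"


def demo():
    """Constructed scenario: five bad passwords for 'admin' from one address,
    then correct ones from the same and a different address."""
    clock = [1_000_000.0]
    alerts = []
    guard = LoginGuard(alerts.append, now=lambda: clock[0])
    users = {"admin": "correct horse battery staple"}   # constructed; real stores hold salted hashes
    check = lambda u, p: users.get(u) == p
    results = []
    for _ in range(5):
        results.append(attempt_login(guard, "admin", "wrong", "203.0.113.7", check))
        clock[0] += 10
    results.append(attempt_login(guard, "admin", users["admin"], "203.0.113.7", check))   # still locked
    results.append(attempt_login(guard, "admin", users["admin"], "198.51.100.2", check))  # other address unaffected
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(attempt_login(guard, "admin", users["admin"], "203.0.113.7", check))   # lock expired
    return results, alerts


if __name__ == "__main__":
    print(demo())
```

Keying on the address alone is not enough on its own: an attacker spreading attempts across many addresses stays under the per-pair threshold, so pair this with a per-account counter that triggers a CAPTCHA or step-up to a second factor, and log every failure so the alert has context.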
4. Install A Web Application Firewall – A web application firewall (WAF) can be delivered as software or as an appliance, and it sits between your visitors and your web server, inspecting each HTTP request (and usually each response) before passing it on.
Modern WAFs are commonly offered as cloud services for a monthly subscription. Your domain is pointed at the provider, so all incoming traffic passes through its gateway before reaching your servers. Once configured, the WAF blocks requests that match known attack patterns, such as SQL injection and cross-site scripting, and filters out unwanted traffic such as scanners and bots. It is a filter rather than a cure: it reduces exposure but does not fix the underlying vulnerability, and a misconfiguration or bypass leaves the original weakness reachable. Make sure the origin server only accepts connections from the WAF provider's addresses, otherwise anyone who discovers the origin IP can skip the WAF entirely.
5. Hide Your Admin Pages – If you don't want your admin pages indexed by search engines, list them in your robots.txt file. That keeps them out of search results, but remember that robots.txt is itself public: anyone can read it, and listing /admin there tells an attacker exactly where to look. Most attackers find admin pages by trying common paths rather than through search engines, so treat robots.txt as a courtesy to crawlers, not a security control. Put the admin interface behind authentication, restrict it to known IP addresses or a VPN, and use an unpredictable path only as a minor extra layer.
6. Limit File Uploads Whenever Possible – No matter how thoroughly your system checks them, file uploads remain a major risk for any business. A single flaw in the checks can let an attacker upload a script that the server then executes, handing them control of the site and its data. The safest design, in our experience, is to prevent direct access to uploaded files altogether: store them outside the web root under a server-generated name, validate type and size on the server rather than trusting the filename, and serve them only through a download handler that never executes them.
7. Remove Form Auto-Fill – If browsers are allowed to auto-fill sensitive fields on your forms, a stolen or shared device can hand card details to whoever is holding it. Set autocomplete off on card-number and card-security-code fields (the security code must never be stored on your servers in any case; the PCI DSS forbids retaining it after authorisation). Be aware that browsers ignore the setting for login and password fields, so this is a convenience you can withdraw from users, not a substitute for protecting the data server-side.
Protecting Your Website And Business From Internal Threats
A growing number of businesses have suffered from internal leaks or threats in recent years. This could be the result of ineptitude, laziness or genuine malicious activity. In order to be PCI compliant, it's essential that you take steps to protect your online presence and your customers' data from internal threats as well.
A recent survey of 251 IT decision makers at a range of smaller companies (those with fewer than 250 employees) revealed that:
- 38% of these businesses have experienced internal IT security issues within the last year.
- 32% of those same businesses have suffered external IT security incidents within the same time period.
- 55% of small businesses are more concerned with internal security than external security.
- 71% of mid-sized businesses are more concerned with internal threats.
Internal IT security is not always related to malicious employees, but is just as commonly the result of well-meaning employees accidentally deleting important files, failing to update security and otherwise leaving the entire system open to attack.
1. Train Employees On Digital Hygiene – By training your employees to avoid spam and 'phishing' emails, you can hugely increase the day-to-day security of your online presence. Advise all employees not to interact with suspicious emails, and never to open an email attachment unless they know what it contains and where it has come from.
2. Test Employees With Real-Life Scenarios – One of the most effective ways of ensuring employee digital awareness is to test them regularly with realistic scenarios. Many IT security firms will allow you to simulate the latest phishing tactics and measure how your employees respond. Not only does this give you insight into the tactics that digital criminals are likely to use, it also shows you where your employees need further education.
3. Tighten Overall Network Security – Employee workstations are one of the easiest routes into your business. A hacker who compromises a workstation can use it as a foothold to reach your web servers and back-office systems, which can cause lasting damage.
For the best results and highest levels of security, make sure that your employees follow these essential protocols.
- All sessions need to expire after a period of inactivity.
- Passwords need to be changed on a regular basis (the PCI DSS specifies at least every 90 days).
- Ensure that all passwords are strong, unique and never written down. That means nowhere on the computer and nowhere in the office itself; a password manager is the right place for them.
4. Limit Your Employees' Privileges – An effective way to guard against malicious insiders, and to limit the damage a compromised account can do, is to grant as little access as possible. Employees should only have access to the data, systems and services that they need in order to do their jobs effectively.
Of course, these access rights need to be reviewed on a regular basis. As roles evolve and new staff are brought in or employees leave, the access requirements are likely to change, and accounts that are no longer needed must be removed promptly.
5. Be Cautious About Social Media Usage – Although social media is an extremely popular tool for many businesses, and even more popular with employees, you should make your employees aware that it has its dangers. A hacker looking for a way into your business will often start with employee information gathered from social media, using it to craft convincing phishing messages or to guess security answers.
Anything from birth dates, addresses, likes and dislikes, roles within the company and much more can be obtained from your employees' profiles on Facebook, Twitter, LinkedIn and the rest. Companies should enact clear policies on the subject and make sure that employees understand what kind of information is inappropriate to share on social sites.
Protect Your Website And Your Business, With A PCI Compliant eCommerce And Website Design Company
Here at Advansys, we specialise in developing comprehensive eCommerce solutions for all kinds of businesses. We are fully PCI compliant and can ensure that your online presence is protected against a full range of malware, and other malicious activities which could otherwise prove hugely damaging to your company.
For more information on the fully-secure solutions that we can provide, get in touch with the PCI compliant specialists at Advansys today. We can help you to reap the full benefits of the digital marketplace, without risking the dangers of hackers and damaging software. You can reach our team today on 0845 838 2700.