Cybersecurity Updates For Week 13 of 2022

Spring Core on JDK9+ is vulnerable to remote code execution

Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available. As we have remediation advice for customers (see below), we have elected to share this information publicly.

Microsoft Exchange targeted for IcedID reply-chain hijacking attacks

The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot.

Critical Sophos Security Bug Allows RCE on Firewalls

Cybersecurity stalwart Sophos has plugged a critical vulnerability in its firewall product, which could allow remote code execution.

Other news worth mentioning:

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices
Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT
Cybercriminals Fighting Over Cloud Workloads for Cryptomining
New Version of PCI DSS Designed to Tackle Emerging Payment Threats

Webshops responsible for secure payments

Last November, the PCI Security Council introduced the third version of the Payment Card Industry Data Security Standard (PCI DSS 3.0). For the first time, the edition offers clarity about the responsibility of companies processing, storing, or transmitting data of credit card holders. Especially for webshops that ‘redirect’ this can have a big impact.

The PCI Security Council was established by Visa, MasterCard, American Express, Discover, and JCB in 2006 to increase the security of internet payments and to prevent fraud. That this topic is still important became painfully obvious recently: the Irish marketing company Loyaltybuild was the victim of a cyber-attack in which the credit card data of at least 376,000 customers were stolen. Besides damaging Loyaltybuild’s reputation significantly and creating massive turmoil among cardholders, this could also mean considerable financial loss for the credit card companies. After all, they are held responsible for payments made with stolen data.

It is, therefore, understandable that the credit card companies are increasingly stringent towards everyone who has access to areas where cardholder data is processed, stored or transmitted. These days there are more and more access points to this data, such as e-commerce, mobile platforms and cloud computing. With PCI DSS the credit card companies set the conditions – including mandatory certification and annual audits – for organizations that come into contact with this data. PCI DSS can be summarized in six objectives, which in turn can be divided into twelve specific requirements.

Build and manage a secure network

  • Install and maintain a firewall to protect cardholders’ data
  • Don’t use vendor-supplied default passwords and other security parameters

Protect cardholders’ data

  • Protect stored cardholders’ data
  • Encrypt the transfer of cardholders’ data over open public networks

Take care of a vulnerability management program

  • Use up-to-date antivirus software on all systems that are exposed to malware
  • Develop and maintain secure systems and applications

Implement good access control

  • Limit access to cardholders’ data to ‘need to know’
  • Assign a unique ID to everyone who has computer access
  • Limit physical access to cardholders’ data

Frequently monitor and test networks

  • Follow and monitor all access to network sources and cardholders’ data
  • Frequently test security systems and processes

Maintain an information security policy

  • Maintain an information security policy that addresses information security for all personnel

After three years of preparation, version 3.0 of PCI DSS was introduced in November 2013. Unlike with previous versions, the changes in PCI DSS 3.0 were first presented to experts in the industry and are thus, fortunately, more applicable in practice. As a Participating Organization in the PCI Security Council, Basefarm also took part in this exercise.

The main objective of PCI DSS 3.0 is to help organizations take a proactive attitude towards protecting card data. Working with PCI DSS must become ‘business as usual’. Organizations should not be motivated merely by the need to achieve their certification every year, but must act based on their responsibility for security. The 98 amendments in version 3.0 contain many updates and stricter rules to protect against the latest online threats, such as malware, viruses and WiFi access.

But more important than rules and updates is the fact that PCI DSS version 3.0 finally provides clarity about the interpretation of PCI DSS. Especially for merchants, it creates long-awaited clarity about the scope of their responsibilities, which may have major consequences. Online stores that send their customers to a third party’s environment to make the payment (redirect) now have to state explicitly, through a Self-Assessment, that they meet the requirements of PCI DSS. Securing cardholders’ data thereby becomes a shared responsibility between the merchant, the payment processor and the hosting company.

Although PCI DSS 3.0 applies as of January 1, 2014, the companies involved will have until December 31, 2014 to adjust their systems accordingly. Now that the scope of responsibility is clear for the first time, the major credit card companies united in the PCI Security Council will enforce it more strictly. The days when companies could hide behind ambiguous guidelines are definitely over. We also anticipate that many online stores that still perceive security as an ‘add-on’ will have a lot of catching up to do. Their primary questions will often be dictated by fear of fines and possible loss of revenue. But we hope they will look one step further and make safe handling of cardholder data part of their operation. No one wants to end up in a situation like Loyaltybuild’s.

Year 2011

Now there are just a few days left of this year, and if we look back, it has really been an eventful year. Here are some highlights from 2011:

  • 2011 was the year of expansion

Today we are approximately 260 employees and we’re still recruiting. Want to work with us?

  • 2011 was the year of acquisitions

This year we acquired Webdeal in Norway and Bluedome in Holland. This strengthens our position in Northern Europe and has grown the Basefarm family by almost 40 new employees (from the acquisitions alone).

  • 2011 was the year of new products

We added hybrid hosting to our service offering. Hybrid hosting makes it possible to combine a traditional operating platform with modern public cloud services. Learn more about our hybrid hosting service.

  • 2011 was the year of exploring new market segments

We’ve had a breakthrough in the bank and finance market in Norway and in the public sector in Sweden.

  • 2011 was the year of investing for the future

We are building a new colocation center in Norway.

  • 2011 was the year of certifications

Basefarm was the first hosting provider in Norway and Sweden to be PCI DSS certified. In Holland we have also been certified according to ISO 27001.

  • 2011 was the year of customer satisfaction

We have gained several new customers in 2011, to mention some of them: Avito (Europe’s largest website), Schiphol, Viasat and Kirkerådet (a council of the Norwegian Church). In addition, several existing customers have renewed their confidence in us.

We look forward to a new and exciting year in 2012. This year’s Christmas present goes to UNICEF (see Christmas card below). We want to thank all our friends for a great year in 2011 by wishing you a Merry Christmas and a Happy New Year!