Small E-Commerce Sites Targeted for Identity Theft
Everybody knows that hackers focus their efforts on large e-commerce sites because of the huge treasure trove that these sites represent, right? Hackers aren’t going to waste their time going after small, virtually unknown e-commerce sites, are they? While this might be the conventional wisdom, Brian Krebs has a very interesting article in the 9/28/06 edition of The Washington Post that presents a totally different picture.
The article, titled ID Thieves Turn Sights on Smaller E-Businesses, describes how hackers penetrated a small e-commerce site and posted stolen credit card information “into an online forum that caters to criminals engaged in credit card and identity theft.” Mr. Krebs also exposes the sometimes false sense of security that is conveyed by security seals on sites.
I highly recommend this article as an exposé of how this dark world operates. Certainly, it is good for a site to be tested by a security scanning vendor. However, as Mr. Krebs points out, this is not foolproof, and he cites examples of how hackers penetrated sites that were thought to be secure. Here is one particularly revealing line from Mr. Krebs’ article: “Jason Lam, who teaches a course on securing Web sites for the SANS Institute, a Bethesda, Md.-based security research and training group, estimated that Web site scanning services in most cases only identify about 60 percent of a Web site’s potential security problems.”
This article really exposes the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). Many merchants and service providers claim that they are secure because they use SSL, or because they pass all the tests from a scanning vendor, or because they have a firewall. Yes, these are all good measures, but they are just a small part of the rigorous requirements of the PCI DSS.
As a merchant, particularly a small- to medium-sized e-commerce site, the easiest way to comply with the PCI requirements is to avoid them altogether by outsourcing to a PCI-compliant service provider. But don’t just take their word for it — the only way to know if a service provider is PCI compliant is to find them in Visa’s official List of CISP Compliant Service Providers.