SkullandBonesSkateboards.com Forum  »  BUSINESS, SHOPS & RETAILERS
Visa and online security proof !

Rich215
Posted: Wed May 17, 2006 9:12 am
Joined: 21 Jul 2003 Posts: 815 Location: Mi.
I'm in a different business than skating.

Anyway, I have a website and sell product off it. I have to supposedly prove to VISA that my site and credit card functions are solid and have no security holes.

My merchant service (credit card processor) last year told me I have to respond to new security proofing demanded by VISA.

So I had to pay $100-$149 to a 3rd party that verifies security with websites and hosting of ecommerce sites. The company is called Security Metrics. Well, after the first go around with my domain host and them, Security Metrics' applications for checking my site and domain proved to be incapable of understanding my custom applications (web hosting + my ecommerce software) and could not give me a full 100% OK. It was more like 90% safe in their tests. Well, it is actually 100% safe as my website design/ecommerce person has customized the entire process. Security Metrics follows basic ecommerce applications that are the "norm" for ecommerce websites and hosts. Since their checking applications/software only OKs normal or well established ecommerce applications and such.....it's incapable of understanding how my system works. So they only gave me a 90% safe rating, but VISA has no problem with that. My ecommerce person explained on the phone to Security Metrics and VISA directly.

Well, now I find out that Security Metrics wants me to pay them every frickin year to stay in compliance with VISA's rules.

Anyone else utilizing ecommerce and credit card merchant services have this going on too? I'm wondering if this is all a scam for this Security Metrics company to rape me over the coals?
mikebu
Posted: Wed May 17, 2006 10:25 am
Joined: 29 Aug 2005 Posts: 185 Location: Renton, WA
A couple of random thoughts about this...

Paying a maximum of $150 for a security audit of your website seems incredibly cheap to me. It makes me wonder if they even did anything. When I hire contract programmers at work we pay between $60 - $75 an hour for them. When we do security audits at work they last for weeks at a time and they always find something. Granted, our websites/applications are probably bigger than your website, but I would expect your audit to take at least a week.

I would not be so certain that your website is 100% safe. Nothing is 100% safe and a simple misconfiguration/programming mistake in your website could leave you vulnerable.

Check with Visa and see how often they require audits to be compliant with their policy.

Maintaining the security of your website is pretty important. The last thing you need is to have your customers' credit card numbers stolen and then have them post on the web about how crappy your security is. This happens and you have lost a big chunk of business.
Luna-C
Posted: Wed May 17, 2006 11:10 am
Joined: 17 Apr 2005 Posts: 237 Location: UK
Yeah - it happened to me. I learned a very valuable lesson from it. And that lesson is:

"learn to do internet credit card fraud". Best job there is.

My site got hacked, and no one cared. Not the police ("can't see what we can do about that sir!"), not the credit card companies ("oh well, our card members will be insured") and not my merchant bank, who asked for proof, and when they received it said "doesn't matter that you can prove you did everything correctly, we still aren't going to refund your losses". Web designer said "the site is 100% secure" then, after we got hacked, said the equivalent of "oh well" in a long complicated letter.

So basically, if you can work out how to steal the info, you might as well. No one's coming after you! Of course, I live in the UK where incompetence comes as standard, we have no police because our government doesn't want to upset all the criminals, and a really good cup of tea is the only reason to get up each day. But it really pissed me off - I lost 1000s of pounds, and no fucker cares.
Combine that with increased tax and red tape on small businesses in the UK and it really is better to fake an injury and ponce off the government for the rest of your life. Seriously considering it as a career option. Half the mortgage paid, no taxes, money each week for food...honestly, why work?

Anyway, after that rant, I meant to say to Rich215...I suggest you ask a separate web designer to try and hack into your website. Because unless your web designer will lose money if your site gets hacked, he probably won't care. And you really don't want to get hacked, cos it costs you soooo much business. Trust me on that!
DomitianX
Posted: Wed May 17, 2006 12:44 pm
Joined: 28 Sep 2003 Posts: 2473 Location: Faribault, MN
When contracting a web developer you need to have a contract that stipulates something like the following:

1. If someone hacks the website the developer builds, they are responsible for X amount of the damages. Usually not 100% but 50% to 75% is common. This way they are financially liable for the software they create.

2. The developer needs to provide a 3rd party analysis of the software to make sure it's as secure as possible before it goes live.

Those two stipulations will save you time and money in the long run. You will end up paying more for the developer because the fly-by-night guys won't touch anything that has those stipulations, but you will have a better product.

Nothing is hack proof. Literally. *Anything* can be broken into if it's connected to the web and someone takes enough time. It just depends on what the potential take is whether or not it will get hacked. You need to go into it knowing that fact.

I've been a freelance and corporate web application developer and database admin for 10+ years and I have been through all of this before.

Simple things like encrypting the credit card numbers in the database, 256bit SSL certs, etc can go a long way to help thwart hackers, but nothing is hack proof.

Oh yeah, Security Metrics is scamming you. You should keep the software up to date, but there is no reason you need to sign a yearly contract with them to keep checking the site, especially if they couldn't figure out the software the first time through. If Visa has a requirement for yearly audits or something, then just sign a new contract each time. I would switch up the auditors once in a while too. One outfit will notice some things while another will notice others.

Also, you shouldn't be storing credit card numbers in the website, at least not for very long. Post them to the merchant processor during checkout, maybe hang on to them for a few days in case you need to refund or something and then delete them. There is no reason to hang on to a customer's credit card number for very long, if at all. It's just asking to be stolen by someone.

I don't store any of those numbers in my store. I have no reason to.

I have read about the CISP requirements that Visa and Mastercard are pushing, but I haven't seen anything about them actually requiring it these days.

_________________
Old School Skaters Online
Pool and old school boards. Run by skaters, for skaters.
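The retention advice in DomitianX's post (post the card to the processor, keep the full number at most a few days for refunds, keep only a masked copy and the processor's reference after that) as an added illustration; this is example code written for this thread, not anything from the posters or from Security Metrics. The store, field names and three-day window are assumptions, and the card number used in the test is the well-known "4111 1111 1111 1111" test number, not real data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number; the rest becomes '*'.

    Only the masked form should ever reach long-lived order records or logs.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:  # shorter than any real card number
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class OrderRecord:
    order_id: str
    processor_ref: str   # reference the merchant processor returned; use it for refunds
    pan_masked: str      # last four digits only
    captured_at: datetime


@dataclass
class CardStore:
    """Hypothetical order store that holds full card numbers only for a refund window."""
    refund_window: timedelta = timedelta(days=3)   # assumed window, per the post's "a few days"
    orders: dict = field(default_factory=dict)
    # Full PANs live only here, separate from the order records, until purge_expired() runs.
    _held_pans: dict = field(default_factory=dict)

    def record_sale(self, order_id: str, pan: str, processor_ref: str, now: datetime) -> None:
        # The long-lived record never contains the full number.
        self.orders[order_id] = OrderRecord(order_id, processor_ref, mask_pan(pan), now)
        self._held_pans[order_id] = pan

    def purge_expired(self, now: datetime) -> int:
        """Delete every full PAN whose refund window has passed; returns how many were removed."""
        expired = [oid for oid, rec in self.orders.items()
                   if oid in self._held_pans and now - rec.captured_at > self.refund_window]
        for oid in expired:
            del self._held_pans[oid]
        return len(expired)

    def has_full_pan(self, order_id: str) -> bool:
        return order_id in self._held_pans
```

A scheduled job would call purge_expired() daily; refunds after the window go through the processor reference, which is what the post means by not needing the number at all.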