We're getting more frequent requests to explain the how's and why's of running a jewelry e-commerce website. To answer those requests we usually talk about business strategies, marketing ideas, and SEO methods. But it looks like we've never written any Daily Golden Nuggets about security... until today.
When you think of website security you probably think of SSL, sometimes referred to as a secure certificate. A "secure" website is one whose address starts with "https://" instead of "http://"; that extra "s" means the communication between the website and your web browser is encrypted.
That was important to understand, so let's repeat it. The "https" security only applies to information while it is transmitted between your website and the customer. A secure certificate does not prevent your website from being hacked; it only prevents criminals from eavesdropping on personal account information, like credit card numbers or banking information, while it is in transit.
Once you accept a customer's personal information you need to keep it secure. This type of security doesn't involve SSL, but rather, it's whether or not your website itself can be hacked into.
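To make the difference concrete, here is an added example (not code from the original Nugget) of the storage side of that distinction: SSL protects the card number on its way from the shopper's browser to the site, and what the site keeps afterwards is protected only by how the site handles it. The script below keeps the minimum record about a card, namely a masked card number and never the CVV, and runs a standard Luhn checksum before accepting the number. The form fields, order id and card values are constructed sample data, and the function names are my own, not part of any shopping-cart package.

```python
"""Added example: keeping only a masked card number once a customer
has submitted an order form. Constructed sample values only; this is
not a payment library and not the original article's code."""
import re


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum
    (a typo check, not proof the card is real)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes shoppers type; reject anything else."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit():
        raise ValueError("card number must contain only digits")
    return pan


def mask_pan(pan: str) -> str:
    """Render the number unreadable for storage: keep at most the
    first six and last four digits, stars for the rest."""
    if len(pan) < 13:
        raise ValueError("card number too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_order_record(form: dict) -> dict:
    """Build the only card-related data the shop's own database should keep.
    The full number and the CVV from the form are deliberately dropped."""
    pan = normalize_pan(form["card_number"])
    if not luhn_valid(pan):
        raise ValueError("card number failed checksum")
    return {
        "order_id": form["order_id"],
        "card_last4": pan[-4:],
        "card_masked": mask_pan(pan),
        "expiry": form["expiry"],
        # no "cvv" key: the CVV must never be stored after authorization
    }


# Constructed sample checkout form (test card number, not a real account)
SAMPLE_FORM = {
    "order_id": "ORD-0001",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
}

if __name__ == "__main__":
    print(build_order_record(SAMPLE_FORM))
```

The point of the example is what is absent: the record that lands in the database contains no full card number and no CVV, so a later break-in of the site exposes far less than the "https" padlock would have led a store owner to expect it protects.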
Your web hosting company is responsible for the hardware and software that runs the web server. The hardware is probably some type of Intel or AMD machine, and the server software is typically either Linux/Apache or Windows/IIS. Normally you don't need to know what your web host is doing, but when it comes to security you need to make sure your hosting contract says they will keep their system updated. Just like your own Windows computer is updated by Microsoft every week, a Windows Server needs the same security updates.
You are usually responsible for whatever software you use on your website, which could be Joomla, WordPress, Drupal, Zencart, etc. All that personal customer data will be saved by the software that runs your website, so that software needs to be secure and updated whenever security holes are discovered.
If this is starting to sound complicated it's because it actually is. As the owner of a jewelry store e-commerce website you could ask your "website guy" to take care of all the technical stuff, but you should at least have an understanding of the how's and why's explained here.
You may completely trust your website guy to handle all your security, but your bank won't. Your bank will want proof that your website is secure enough to prevent hacking and they will ask you to prove your compliance with the PCI Data Security Standards (PCI DSS).
PCI Standards are technical and operational requirements intended to protect cardholder information. The technical requirements include security of your website and your physical jewelry store. The operational requirements include how you restrict sensitive information inside your store to only those who need access to cardholder data.
Again, that was important, so let's repeat it: PCI DSS compliance is actually a requirement for your website and for your jewelry store; however, your bank may not enforce your compliance until you set up an e-commerce website.
The PCI compliance proof your bank will ask for is a security report from an outside company like McAfee or SecurityMetrics. These companies will test your website and your store's internet connection for security holes and report their findings. When they find a security hole you will need to have it fixed.
Over the next few Nuggets we're going to dig into some of the PCI compliance issues that beginning e-commerce jewelry websites need to deal with, which include:
Introduction: You will hate PCI compliance too
1. Storing cardholder data on your website
2. Protecting internal and wireless networks in your store
3. Security used in payment card applications
4. Controlling which of your employees has access to cardholder data
5. Frequency of testing and reporting