Your Site Probably Is Insecure
When retailers review their online security vulnerabilities for the first time, in almost every case the merchants find potential holes that require attention.
Ken Leonard, CEO of ScanAlert, a Napa, Calif.-based Web site security certification company monitoring more than 65,000 sites, estimates that 80 percent of his firm’s new clients aren’t in compliance with online security best practices.
Leonard reminds site owners that good security practices aren’t optional — they are mandated by an alphabet soup of regulations and standards, including the Payment Card Industry (PCI) Data Security Standard, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act.
In June 2005, Visa mandated strict security guidelines for retailers that accept credit card payments online. Yet this past January, Visa reported that only 32 of the 215 largest retailers were in compliance with these PCI standards — a dismal 15 percent success rate.
David Taylor, vice president of security at Protegrity, a Stamford, Conn.-based online security software and services firm, believes PCI compliance among smaller retailers is even worse. Taylor estimates that less than 5 percent of all online retailers are in compliance with the security requirements mandated by the credit card industry (see “How to Comply With the New Payment Card Industry Security Standards,” in the September issue of Catalog Success).
AlertSite’s Godskind agrees that almost no new clients arrive with clean bills of health. “Most larger e-commerce sites aren’t too bad off, but almost every retailer has a few things wrong,” he notes.
Questions to ask yourself:
• Which security standards and regulations apply to our business?
• Do we comply with those standards and regulations?
• What penalties do we face for noncompliance?
Do You Store Credit Card Data?
While Web sites collect many types of personal data that must be kept private, credit card information is the key concern for online retailers.