eCommerce Best Practice
Internet merchants should seriously consider the following security
issues.
Cardholder data security at your location is very important. It is
costly to recover from the negative press and loss of customer confidence
after being victimized by fraud. One of the main reasons businesses
are outsourcing card processing service instead of purchasing and running
payment software on their servers is due to the risk associated with
security and recent hacker attacks.
The following are the existing guidelines you will need to follow:
1. Maintain cardholder account information in a secure manner with
limited access.
2. Maintain cardholder personal information in a secure manner with
limited access.
3. Limit access to information to authorized personnel.
4. Ensure those with access comply with security requirements.
5. Provide communication security and encryption.
6. Do not disclose cardholder information to third parties.
7. Do not retain mag-stripe data.
8. Perform background checks on all those with access to cardholder
data.
9. It is also highly recommended that you employ fraud screening
tools like the services of CyberSource.
10. Implement Verified by Visa and MasterCard SecureCode.
11. Become Cardholder Information Security Program (CISP) compliant:
- Install and maintain a working firewall to protect data
- Keep security patches up-to-date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access to data by "need to know"
- Assign a unique ID to each person with computer access
- Don't use vendor-supplied defaults for passwords and security parameters
- Track all access to data by unique ID
- Regularly test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
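As an added illustration of "Do not retain mag-stripe data" and "Protect stored data" above (example code, not part of the original guidelines or any card brand program), the function below takes a transaction record as it might arrive from a payment terminal or gateway, drops the fields that must never be stored after authorization, masks the card number down to its last four digits, and offers a check that can be run over records already on disk. The field names and the sample transaction are constructed for this example.

```python
"""Added example: keep only the part of a card transaction that a merchant
may store.  Field names (track1, track2, cvv2, pin_block, pan) are
assumptions for this illustration, not a gateway's real schema."""
import re

# Fields that must never be retained after authorization: full mag-stripe
# track data, the card security code and any PIN material (constructed names).
FORBIDDEN_FIELDS = {"track1", "track2", "cvv2", "pin_block"}


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit except the last four masked.

    Spaces and dashes are stripped first so "4111 1111 1111 1111" and
    "4111111111111111" mask to the same value.
    """
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def retainable_record(txn: dict) -> dict:
    """Return the subset of a transaction record that may be stored.

    Track data and the security code are dropped entirely; the PAN is
    replaced by its masked form so the stored row cannot be replayed.
    """
    kept = {k: v for k, v in txn.items() if k not in FORBIDDEN_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept


def stored_record_is_clean(record: dict) -> bool:
    """Check an already stored record for forbidden fields or a full PAN."""
    if FORBIDDEN_FIELDS & record.keys():
        return False
    pan = re.sub(r"[ -]", "", record.get("pan", ""))
    # A run of 13 to 19 digits means an unmasked card number was stored.
    return re.fullmatch(r"\d{13,19}", pan) is None


# Constructed sample transaction as it might arrive from a terminal.
SAMPLE_TXN = {
    "order_id": "ORDER-0001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": ";4111111111111111=29121011234567890?",
    "amount": "45.00",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    stored = retainable_record(SAMPLE_TXN)
    print(stored)
    print("clean:", stored_record_is_clean(stored))
```

The original record would fail `stored_record_is_clean`; the output of `retainable_record` passes it while still carrying the order id, masked card number, expiry, amount and authorization code needed for reconciliation and chargeback handling.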
Other best practices that are highly recommended are:
1. Ensure the billing statement name exactly matches the service establishment
name. This includes limiting confusion by matching the web address
name.
2. Ensure the required MCC (merchant category code) or SIC for each
product matches the product delivered.
3. Make sure you are implementing AVS (address verification service).
This service provides you with chargeback protection. You want to verify
the billing address, not the shipping address. For the most security,
you will also want to ship to the billing address if possible and get
your customers to sign for receipt.
4. Clearly state up front what you are selling, as well as what your
billing, return, shipping and out-of-stock policies are. Do not bury
these policies deep within your site. Be open and up front.
5. Display both customer service phone numbers and email service addresses
in prominent positions and promote their use by customers with questions
about their order or product.
6. Be cautious of first-time orders with large quantities and overnight
delivery requests.
7. When taking cardholder information, ask for the card type, not just the
card number. A fraudulent buyer may have only a card number, not the
physical card, and may not know the type of card it belongs to.
8. Always obtain and submit actual valid expiration dates.
9. Build internal fraud avoidance files that track fraud by monitoring
normal purchasing patterns and flagging those that are abnormal.
10. Watch for repeat orders in a short period of time. Fraudsters often
send a small trial transaction first and, if it is accepted, use the same
card for larger purchases.
11. Watch free email accounts. They are commonly used by those who
wish to hide their identity.
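Items 9, 10 and 11 above describe screening heuristics rather than a product, so here is an added example (not part of the original guidelines) of how a merchant could apply them to an order feed before fulfilment: orders far above a normal purchase amount, more than a set number of orders on one card within a time window, a tiny first order followed by a large one on the same card, and addresses at free email providers are each flagged for manual review. The sample orders, the baseline amount, the thresholds and the free-email domain list are all constructed for this example and would be tuned to the merchant's own history.

```python
"""Added example: order screening for the fraud signals in items 9-11.
All thresholds and sample data are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (order_id, card_token, email, amount, timestamp).
# tok_B shows the pattern from item 10: a $1 trial order, then large orders.
SAMPLE_ORDERS = [
    ("o1", "tok_A", "jane@example.com", 45.00, "2024-03-01T10:00:00"),
    ("o2", "tok_B", "buyer@freemail.example", 1.00, "2024-03-01T10:05:00"),
    ("o3", "tok_B", "buyer@freemail.example", 950.00, "2024-03-01T10:20:00"),
    ("o4", "tok_B", "buyer@freemail.example", 980.00, "2024-03-01T10:25:00"),
    ("o5", "tok_C", "tom@example.com", 60.00, "2024-03-01T11:00:00"),
]

# Constructed tuning values; a real store derives these from its own history.
FREE_EMAIL_DOMAINS = {"freemail.example"}  # placeholder list (item 11)
BASELINE_AVG_AMOUNT = 50.00  # "normal" order size for this store (item 9)
ABNORMAL_MULTIPLIER = 10     # flag amounts above 10x the baseline
WINDOW = timedelta(hours=1)  # velocity window for repeat orders (item 10)
REPEAT_LIMIT = 2             # more than this many orders per card in WINDOW
TRIAL_THRESHOLD = 5.00       # first order this small counts as a trial balloon
TRIAL_MULTIPLIER = 20        # later order this many times the trial is suspicious


def screen_orders(orders):
    """Return {order_id: [reasons]} for orders that merit manual review.

    Orders with no reasons are absent from the result, so an empty dict
    means nothing was flagged.
    """
    flags = defaultdict(list)
    by_card = defaultdict(list)
    for oid, card, email, amount, ts in orders:
        by_card[card].append((datetime.fromisoformat(ts), oid, amount, email))

    for rows in by_card.values():
        rows.sort()  # chronological per card
        first_amount = rows[0][2]
        for i, (t, oid, amount, email) in enumerate(rows):
            # Item 11: address at a free / anonymous email provider.
            domain = email.rsplit("@", 1)[-1].lower()
            if domain in FREE_EMAIL_DOMAINS:
                flags[oid].append("free email domain")
            # Item 9: amount far outside the store's normal purchasing pattern.
            if amount > BASELINE_AVG_AMOUNT * ABNORMAL_MULTIPLIER:
                flags[oid].append("amount far above normal")
            # Item 10: too many orders on one card inside the window.
            recent = [r for r in rows[: i + 1] if t - r[0] <= WINDOW]
            if len(recent) > REPEAT_LIMIT:
                flags[oid].append("repeat orders within window")
            # Item 10: tiny trial order followed by a large one on the same card.
            if (i > 0 and first_amount <= TRIAL_THRESHOLD
                    and amount >= first_amount * TRIAL_MULTIPLIER):
                flags[oid].append("small trial order followed by large order")
    return dict(flags)


if __name__ == "__main__":
    for oid, reasons in sorted(screen_orders(SAMPLE_ORDERS).items()):
        print(oid, "->", "; ".join(reasons))
```

Run against the constructed feed, o1 and o5 pass untouched, o2 is flagged only for its email domain, and o3 and o4 collect the trial-balloon and abnormal-amount flags, with o4 also tripping the velocity check once the card's third order lands inside the hour. Each flag is a reason to hold the order for review, not an automatic decline; the point of keeping reasons rather than a single score is that the reviewer can see which of the page's signals fired.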
12. Protect your reputation as a safe place to do business.