Internet merchants should seriously consider the following security
Cardholder data security at your location is very important. It is
costly to recover from the negative press and loss of customer confidence
after being victimized by fraud. One of the main reasons businesses
are outsourcing card processing service instead of purchasing and running
payment software on their servers is due to the risk associated with
security and recent hacker attacks.
The following are the Existing guidelines
in place you will need to follow:
1. Maintain cardholder account information in a secure manner with
2. Maintain cardholder personal information in a secure manner with
3. Limit access to information to authorized personnel.
4. Ensure those with access comply with security requirements.
5. Provide communication security and encryption.
6. Do not disclose cardholder information to third parties.
7. Do not retain mag-stripe data.
8. Perform background checks on all those with access to cardholder
9. It is also highly recommended that you employ fraud screening
tools like the services of CyberSource.
10. Implement Verified by Visa and MasterCard SecureCode.
12. Become Cardholder Information Security Program (CISP) compliant
- Install and maintain working firewall to protect data
- Keep security patches up-to-date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access to data by "need to know"
- Assign a unique ID to each person with computer access
- Don't use vendor-supplied defaults or passwords and security parameters
- Track all access to data by unique ID
- Regularl test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
Other best practices that are highly recommended are:
1. Ensure the billing statement name exactly matches the service establishment
name. This includes limiting confusion by matching the web address
2. Ensure the required MCC (merchant category code) or SIC for each
product matches the product delivered.
3. Make sure you are implementing AVS (address verification service).
This service provides you chargeback protection. You want to verify
the billing address, not the shipping address. For the most security,
you will also want to ship to the billing address if possible and get
your customers to sign for receipt.
4. Clearly state up front what you are selling, as well as what your
billing, return, and shipping and out of stock policies are. Do not
policies deep within your site. Be open and up front.
5. Display both customer service phone numbers and email service addresses
in prominent positions and promote their use by customers with questions
about their order or product.
6. Be cautious of first-time orders with large quantity and overnight
7. When taking cardholder information, ask for card type not just card
number. Fraudulent use may result in someone with a card number, not
the card and who doesn't know the type of card they have.
8. Always obtain and submit actual valid expiration dates.
9. Build internal fraud avoidance files that track fraud by monitoring
normal purchasing patterns and red flag those that are abnormal.
10. Watch for repeat orders in a short period of time. Fraud transactions
will send a trial balloon transaction and if accepted will use this
card to move in for the kill.
11. Watch free email accounts. They are commonly used by those who
wish to hide their identity.
12. Protect your reputation as a safe place to do business.