The Online Security Specialists

Protecting your online network with advanced security solutions for online payment protection
  • PCI Compliance Scanning Tools
  • Online Payment Security Advice
  • Protection Against Online Threats

Ensuring your financial security within high threat online environments against a multitude of different attacks

What is the Self Assessment Questionnaire SAQ?

A Self-Assessment Questionnaire (SAQ) is an important validation tool for all businesses that sell goods on the internet. These merchants are often required to complete an SAQ before they can be approved for a merchant service account. Let us take a moment to explain.

The process is actually quite simple. When a company wants to sell goods or services online, they must apply for a merchant service account at a bank or reputable financial institution. If accepted, the bank will be responsible for processing all of the company's online credit and debit card transactions.

But since the bank is liable for fraud, theft or unnecessary charges, they must make certain that the company's site is secure before they grant them a merchant service account. The tool that helps them verify that a business has a safe website is the Self-Assessment Questionnaire. (more...)

What are Qualified Security Assessors (QSAs)?

In response to the staggering increase in cybercrime, the Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006. The mission of this group was to create a set of security requirements for online merchants. Their solution was the Payment Card Industry Data Security Standard (PCI DSS). This set of continually evolving requirements must be followed by all companies that accept credit card payments on the internet.

Why are they important? Let us take a moment to explain how selling on the internet actually works. When a company makes the decision to sell online, they must first obtain a merchant service account. These accounts are issued through banks and other financial institutions. But before any bank will issue a company an account, that company must prove that their website is PCI DSS compliant.

There are three ways for a company to prove that it is, in fact, compliant. The first and most common validation tool is called a Self-Assessment Questionnaire (SAQ). Then there is the PCI SSC Validation Scan, which must be administered by an Approved Scanning Vendor (ASV). Finally, there are Qualified Security Assessors (QSAs). (more...)

How to Protect Your Servers from Attacks and Hackers?

For most internet users, a firewall, spyware and antivirus protection is more than enough to keep hackers at bay. But part of the reason these programs are effective is that hackers rarely waste their time breaking in to personal computers. However, they will go that extra mile to access the servers of businesses where they can find sensitive financial information.

How does it work? Well, when a user visits a web page, any web page, some of the information gets stored on the server. Then when a talented hacker breaks into a hosting server, he may be able to access some of the information that is restricted to customers, such as credit card numbers. How can you protect your servers? Unfortunately, catching a hacker in the act is not always easy. They rely on a number of different tricks and techniques to illegally access servers. Believe it or not, most of the programs they use are freely distributed on the web. Of course, the hacker must first find a way in to have any chance of accessing confidential files on the server.

Malicious computer programs are the easiest and most effective way for a hacker to break in. Therefore, the first thing you must do is make certain your spyware and malware programs are current. Of course, no security program can guarantee that your server will not become infected. (more...)

Do all Online Payment Gateways Require PCI DSS Compliance?

Introduced in 2006, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to protect online shoppers from cyber thieves. Though the standards do vary from small to large businesses, all companies that accept credit card payments through payment gateways must comply with PCI DSS.

One common misconception is that small companies that do not do much business online do not have to abide by these rules. But the truth is that it is just as important for a small company to adhere to PCI DSS, maybe even more so. The reason for this is simple: all companies that violate PCI DSS are subject to the same fines. And these penalties obviously have a much greater impact on small companies than they do on large ones.

On average, a business will be fined five-thousand pounds if it is discovered that it is violating PCI DSS. And when credit card theft occurs on an unprotected site, the company will be held financially responsible. Of course, PCI DSS does not make a site 100 percent secure and theft still occurs even on protected sites. The only difference is that sites that comply with PCI DSS are not held financially responsible. (more...)

PCI DSS compliance for small companies

The PCI Security Council is turning its attention more and more to smaller online businesses. Companies that the Council terms level 4 process fewer than 20,000 transactions per year. Yet these companies as a whole represent the vast majority of online credit card transactions. Many lack knowledge of the technology behind web hosting, which often leaves them more vulnerable to security breaches than larger firms.

At present, in order to show compliance with the PCI rules, small companies need to complete a Self-Assessment Questionnaire and have their online card processing systems scanned once per quarter. But a payment processor may require a stricter level of scanning, possibly once a month.

Small online merchants who do not store credit card details but process payments through a third party such as PayPal need only fill in Version A of the Self-Assessment Questionnaire. Since they represent no risk in terms of a security breach, this should take minutes to fill in. (more...)

Is PHP less secure than ASP.NET?

ASP.NET is a dynamic web application framework developed by Microsoft that allows a programmer to build web applications, web sites and web technology. It is built on the CLR, or Common Language Runtime. ASP.NET started life as ASP+; the .NET was added later in a move to integrate it with Microsoft's .NET framework.

PHP is a widely used scripting language for dynamic web programming. The code is embedded in HTML and must be read by a server that has a PHP processor. PHP is free software, and users can access the complete source code to use as they wish.

PHP is generally thought to be less secure than ASP.NET. Much of its vulnerability has been put down to the ability of hackers to access information from remote sources, such as an SQL database linked to a web server running PHP. (more...)

Time's running out for merchants who are not PCI DSS compliant: the deadline is July 1st.

July 1st 2010 is the date set down by the PCI Security Council by which all companies doing e-business, no matter what their size, must be fully compliant with the PCI DSS regulations.

All the relevant regulations are listed on the PCI website. The PCI Security Council has as its aim the reduction of credit card fraud worldwide, and comprises five of the world's largest credit card companies.

The new regulations which come into force in July are concerned primarily with payment applications. A payment application is anything which can electronically accept, store or process credit card information. A shopping cart on a website is a payment application, since it comes into contact with a customer's credit card information. (more...)

When and why did PCI DSS first go into effect?

All businesses involved in taking credit card payments, or processing and storing payment details have been responsible for making sure they comply with regulations laid down by the Payment Card Industry's Security Council which was formed in 2005.

These regulations, known as the PCI DSS or Data Security Standard, are regularly updated in order to counter new methods of fraud used when customers pay for goods and services with credit cards online.

Although the regulations are set up on a voluntary basis, i.e. they are not legal requirements, a merchant's lack of compliance with them could mean that it is no longer able to trade by taking credit card payments – something which could put it out of business. (more...)

How long did PCI DSS compliance take you?

All companies running websites which take payments from customers via credit card must ensure that they are hosting them in line with the security standards set down by the Payment Card Industry. Companies that fail to do so run the risk of fines, restrictions or expulsion from the scheme.

Compliance is measured by assessment, initially by being scanned by an Approved Scanning Vendor (ASV), approved by the PCI Security Council. The vulnerability scan covers every outward-facing IP address involved in the acceptance, transmission and storage of sensitive credit card information.

The length of time taken to achieve compliance depends on the number of security issues thrown up by the scan. The more issues the scan reveals, the longer it will take to fix them and achieve PCI compliance. There is also a difference in the number of PCI requirements which different types of merchants must adhere to. (more...)

What do you need to know about PCI DSS and PCI Compliance?

PCI compliance and PCI DSS mean, respectively, Payment Card Industry compliance and Payment Card Industry Data Security Standard. All websites, no matter how large or small, that take payments from customers online via credit card must be compliant with the DSS set up by the PCI. These regulations have been in place since 2005 and are there to help prevent fraud and identity theft.

The five credit card companies who make up the PCI Security Council are: American Express, Visa International, JCB International, and Discover Financial Services. Companies who take payments from customers via a third party such as PayPal may not have to become PCI compliant, since it is PayPal who processes and handles sensitive data such as credit card information.

All e-businesses who deal directly with the public, however, do need to know about and address PCI compliance. (more...)

How to Meet PCI DSS Requirements?

There are several main areas to focus on when it comes to meeting the PCI requirements, from network security and anti-virus software to applications and the segregation and encryption of data.

The range of PCI DSS requirements will vary according to which level a merchant is on. Very big e-commerce websites will be on level one, which involves complying with far more requirements than a company on level four which, since it processes far fewer transactions, has a more restricted list.

One area of compliance which needs the attention of all companies is making sure that firewalls are strong and up-to-date. Companies must also make sure that any default passwords supplied by vendors are changed and are adequate in terms of security. (more...)

Are you prepared for the upcoming PCI Compliance deadline?

The deadline is July 1st 2010 for compliance with the new PCI regulations. By this date all level four merchants' websites must be run by PCI DSS web hosts which are compliant with PCI standards.

If you operate an e-commerce site then you must be prepared for this compliance deadline, or you may be fined or dropped as a merchant by all the major credit card companies. This applies whether or not your company stores customers' credit card details on a server.

In order to prepare for compliance you must first understand that all websites are given a merchant level, from one to four – PCI rules differ according to which level you are on. Level one websites have historically been the biggest concern to the PCI Security Council: to be on this level a company must process more than 6 million customer transactions a year. (more...)

Do you have an e-commerce website? Are you PCI PA-DSS compliant?

In recent years security surrounding how we make payments online has been a hot topic – many people still remain fearful about purchasing products using a credit card due to the risk of fraud and identity theft. This is why credit card companies have made increasing the security of taking payments online a high priority.

The PA-DSS was originally set up by VISA in 2005 and stands for Payment Application Data Security Standard. Over the last few years VISA has joined up with another four big credit card companies to form the PCI Security Council.

The Security Council has the aim of ensuring that all companies with an e-commerce website are compliant with its regulations as regards online payment security. (more...)

Are you Preparing for the Industry Changes in Online Payment Processing Compliance in 2010?

In April this year a series of new requirements was added to the PCI DSS compliance regulations, designed to increase security when making credit card payments online.

All companies, from the smallest upwards, who accept credit card payments online must comply with these regulations. There are more than 300 new requirements to adhere to, which cover all aspects of online payment security, from how credit card data is managed by companies to how servers are run. From July onwards all servers for all e-commerce sites should be screened three times a year, as part of a system of penetration tests which will scan them for over 3000 potential risks.

Preparing for these changes in online payments is proving a daunting prospect for many, especially for smaller firms. Most of these will lack the in-depth knowledge required, for example, about how servers work. Many are being forced to turn to the services of specialists to ensure they will be ready for the July date when they will be assessed. (more...)

What Changes are there to the PCI Standards in 2010?

Every company that accepts online credit or debit card payments must abide by PCI DSS. The actual acronym stands for Payment Card Industry Data Security Standard. This set of continually updated regulations was designed to protect online shoppers from internet thieves.

Because PCI standards are relatively new, there are a number of popular misconceptions that can get businesses into trouble. Probably the most common one is that smaller companies need not comply with PCI DSS. This misconception is based on the fact that different sets of rules apply to businesses of different sizes when it comes to internet selling. But the fact is that all companies must comply with PCI DSS.

Where to start? There are three basic tools that are used to validate PCI DSS compliance. The first and most popular one is the Self-Assessment Questionnaire (SAQ). There are several versions of this test depending on the size of the business and the number of monthly transactions. All internet sellers will be asked to complete the SAQ at least once a year to ensure PCI DSS compliance. (more...)

What is the Internal Security Assessor (ISA) Program?

Before we begin, please excuse us for the number of acronyms that we are about to unleash upon you. In a recent announcement, the Payment Card Industry Security Standards Council (PCI SSC), an international organization that manages the Payment Card Industry Data Security Standard (PCI DSS), introduced a new program designed to help companies comply with its continually evolving rules and regulations. It is called the Internal Security Assessor (ISA) Program, and it will offer training to merchants, banks and processors.

The very first ISA course will be held in Sydney, Australia on May 19-21. This 3-day training session was designed to test the quality and expertise of in-house IT professionals in an attempt to determine how much they know about PCI DSS. In addition to basic evaluations, attendees will be provided with technical instruction from PCI DSS experts such as Qualified Security Assessors (QSAs).

The introduction of this program is a direct response to the astonishing increase in fines levied by the PCI Security Standards Council. The hope is that better training and more knowledgeable in-house staff will reduce these fines in short order. (more...)

What are Brute Force Attacks and how to Prevent them?

According to a recent report, the number of cybercrimes has nearly doubled over the past five years. In 2008, there were over 3.6 million reported cases. The reprobates that commit these crimes rely on a surprisingly small bag of tricks. In this article we are going to discuss one of their favourites, brute force attacks.

We know, it sounds quite violent. But these attacks have nothing to do with aggression or physical confrontation. They are merely virtual attacks. Not that that makes them any less damaging. A cybercriminal can make off with twenty times as much as the average bank robber in half the time and with limited risk.

So, what is a brute force attack? As the name implies, it is when an intruder attempts to force his way into your system. Once inside, the criminal can access encrypted data and steal confidential information, like credit card numbers, before the owner can react. (more...)

Free PCI Scanning is it Worth it?

All businesses that sell goods or services on the internet must obtain a merchant service account. These accounts are issued by banks and financial institutions throughout the UK. But before a bank approves a new account, an online business must prove that it has a secure website that can protect the financial information of its customers. That is where the PCI DSS comes in.

What is it? The acronym stands for Payment Card Industry Data Security Standard. In short, it is a set of rules that are used to ensure the safety and security of online shoppers. At present, there are three validation tools that businesses must use to prove that they are complying with PCI DSS.

The first and most common tool is the Self-Assessment Questionnaire (SAQ). Every online business that accepts credit card payments, no matter the size, must complete an SAQ at least once a year. Because the standards are different for larger companies, there are several versions of the questionnaire. Then there are Qualified Security Assessors (QSAs) and Free PCI Scanning. (more...)

How to Become PCI Compliant?

In response to the staggering increase in cybercrime, the Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2006. This set of continually updated rules and regulations was designed to protect online shoppers from internet thieves.

Since their introduction, online merchants have had a sort of love-hate relationship with the PCI DSS. On one hand, they respect the fact that the rules were meant to reduce the escalating level of online crime. But on the other, they are not keen on the constant updates. These new rules and regulations can cost online companies tens of thousands of pounds per year on security upgrades and new software.

Then there is the increasing cost of fines that are assessed against any company deemed non-compliant. At present, these fines start at five thousand pounds per violation. Not surprisingly, banks are not big fans of PCI DSS updates either. Let us take a moment to explain. (more...)

When Can you get Help with PCI DSS Compliance?

Selling goods on the internet is not quite as easy as it used to be. Up until only a few years ago, there were virtually no rules or regulations in place to protect online shoppers. Finally, in 2006, a global organisation introduced the Payment Card Industry Data Security Standard (PCI DSS). This set of continually evolving rules was designed to protect online credit card users.

How does it work? Every business that accepts credit or debit card payments on the internet must first obtain a merchant service account. These accounts are issued by banks and other reputable financial institutions. But since online selling is especially risky, banks require that every applicant and current account holder comply with PCI DSS. Let us take a moment to explain exactly what that entails.

At present, there are three basic validation tools that are used to help confirm PCI DSS compliance. The first and most common is the Self-Assessment Questionnaire (SAQ). Every company that applies for a merchant service account must complete an SAQ. The questionnaire was designed to ensure that a company is complying with PCI DSS. It is a simple test that can be completed within a matter of minutes. (more...)

How to Prevent Cross-site Scripting (XSS) Attacks?

Contrary to popular belief, most hackers are not computer geniuses. They cannot break into secure websites in a matter of minutes or shut down systems on a whim. In fact, most of the tricks they rely on are quite basic. In this article we are going to discuss cross-site scripting.

Cross-site scripting is one of the most reliable techniques for virtual thieves. Basically, the hacker will infect a computer network with malicious scripts as a way to gain access to a private server. Once inside, the thief can root around for confidential financial information, like customer credit card numbers.

Like most hacker tricks, XSS attacks are rather simple, yet effective. Fortunately, there are a number of steps that any business can and should take to protect its servers. (more...)

Providing Finance Security

  • Protect your network from suspicious activity
  • Use sophisticated tracking tools to monitor malicious intent
  • Isolate specific threats from within high traffic environments
  • Collate evidence from raw log files and referral log data
  • Group attackers who use different IPs to evade detection
  • Lay traps to catch cyber criminals in action
  • Track down suspects using advanced data-mining tools
  • Locate criminals with advanced geo-location tools
  • Find evidence which can be used to get legal redress
  • Examples of threats you face which we detect
