Tag: pci

SiteLock website security

PCI Compliance: The Dangers of Noncompliance

If you accept credit card payments, you’re likely familiar with PCI compliance and what it entails. If you accept credit card payments, or are considering it, and are NOT familiar with PCI compliance, be sure to take accurate notes on the information that follows.

PCI DSS Overview

Created in 2004 by the five global payment brands — Visa, Mastercard, American Express, Discover and JCB — the Payment Card Industry Data Security Standard (PCI DSS) is a security compliance requirement for businesses that handle credit cards. It was created to protect customer and cardholder data from cyber attacks and fraud.


5 Ways to Protect your Website from Malware

There are over 1 million new strains of malware created every day. One identified infection can get your website blacklisted by Google, who currently blacklists over 10,000 websites each day. Mind you, the malware need not even be on your site.

SMEs (Small to medium-sized enterprises) are unfortunately one of the largest targets of cyber attacks. On average, over 30,000 SME websites are targeted each day, and to make matters worse, nearly 60% of their IT professionals think they aren’t at any real risk of being attacked.

Don’t allow your business to suffer expensive cyber attack damages (which average around $50K per attack) — instead, be proactive in your web security efforts to prevent security threats, protecting your own and your customers’ private data. Here are 5 tips to help you protect your website from malware and other cyber threats:

1. Updates and Patches

Is your website running off of a Content Management System (CMS) such as WordPress? A CMS can be an easy and cost-effective way to manage your business’ website, but they’re also large targets for cyber attacks.

Why? Many CMS platforms and plugins are often easy targets for hackers and allow backdoor access to your server and data (a recent example of this vulnerability was the SoakSoak attack that occurred last month). Make sure your system, plugins and themes are always up to date, strengthening your web security. Many CMS solutions will even automatically update files for you, if you choose.

2. Website Scanning

Many web viruses and other malware go unnoticed until it’s too late, due to their elusive nature. They can often be implemented with a simple one-line script, injected into the code of your website – made to look like normal code.

Website security scanning software can scan your website for existing malware and other harmful code that doesn’t belong, and notify you immediately of any threats. Our SMART (Secure Malware Alert & Removal Tool) software takes it a step further by automatically removing anything harmful – similar to what a virus removal software does for your PC.

3. Web Application Firewalls

Removing existing website threats is one issue, but keeping them from coming back is another. With over 1 million new malware strains created each week, your business’s website can potentially be infected by a new virus every day.

Web Application Firewalls (WAF) can help prevent attackers from even visiting your site. How do they work? Let’s take our TrueShield WAF, for instance – it evaluates traffic based on where it’s coming from, how it’s behaving, and what information it’s requesting. Based on these and other criteria, the firewall will allow “legitimate” traffic (e.g. customers and search engines) access while blocking “malicious” traffic (e.g. spam bots and hackers).

Used in conjunction with a website scanning solution, a WAF can help provide around-the-clock, hands-free security for your business’s website.

4. PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS), or PCI for short, is a security standard that businesses must adhere to if they accept major credit cards. This compliance helps ensure that your business and customers are protected from cyber attacks and fraud by providing a documented, baseline security posture for your site. Failure to comply with PCI standards can result in direct financial damages, lawsuits, government fines and ultimately ruin brand reputation in the event of a data breach.

Fortunately, it’s not difficult to become PCI compliant. There are many solutions that walk you through the steps to help create your own customized PCI policy. Our SiteLock® PCI Compliance program takes it even a step further by scanning your site and network, and you can also add on our PCI-certified TrueShield firewall.

5. Strengthen Passwords

Even in 2015 the world is still using weak passwords. A strong password is one that contains over 8 characters, no dictionary words, has a mixture of uppercase and lowercase letters, and includes digits and/or special characters. Unfortunately, many of those boxes aren’t checked – allowing brute-force hacking techniques (repeated attempts to log in to your website) to become effective.

It’s extremely important that you create a strong password for your website’s back end, since it can often be an easy way into your private data. You should also advise your customers who have online accounts to do the same, to help protect them from future attacks. After all, it only takes seconds for a computer to crack a poorly created password.
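The rules above can be turned into an automated check for a registration or admin-password form. The Python below is an added example, not SiteLock code: it applies the post’s four rules (more than 8 characters, no dictionary words, mixed case, a digit or special character) and estimates how long an exhaustive brute-force search of the password’s character set would take. The short word list and the guess rate of 10 billion guesses per second are constructed assumptions for the demo; a real deployment would load a full wordlist and pick a rate matching the threat model.

```python
import re
import string

# Constructed, deliberately tiny word list for the demo (assumption: a real
# check would load a full dictionary / leaked-password list from disk).
DICTIONARY_WORDS = {"password", "welcome", "summer", "admin", "login", "sitelock"}


def check_password(password: str) -> dict:
    """Apply the post's strength rules and report every rule that fails."""
    failures = []
    if len(password) <= 8:                       # rule: over 8 characters
        failures.append("too short: needs more than 8 characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        failures.append("needs both uppercase and lowercase letters")
    has_digit = bool(re.search(r"\d", password))
    has_special = any(c in string.punctuation for c in password)
    if not (has_digit or has_special):           # rule: digits and/or specials
        failures.append("needs a digit or a special character")
    lowered = password.lower()
    for word in sorted(DICTIONARY_WORDS):        # rule: no dictionary words
        if word in lowered:
            failures.append(f"contains dictionary word '{word}'")
    return {"ok": not failures, "failures": failures}


def charset_size(password: str) -> int:
    """Size of the smallest standard character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)          # 32 ASCII punctuation characters
    return size


def brute_force_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case seconds to exhaust the keyspace at an assumed guess rate."""
    return charset_size(password) ** len(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords, from weak to strong.
    for candidate in ["abcdefg", "password1", "Welcome2024!", "Kq7#mVz2!pLw"]:
        verdict = check_password(candidate)
        print(f"{candidate!r:16} ok={verdict['ok']!s:5} "
              f"exhaustive search: {brute_force_seconds(candidate):.3g} s "
              f"{verdict['failures']}")
```

The time estimate is a keyspace calculation, not a prediction for any particular attack; real attackers try dictionary words and common patterns first, which is why the dictionary rule matters as much as length.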

Is It Time For Mandated Website Security?

We’re now closing in on nearly one billion websites worldwide, with another 6 million new domains being registered daily. Yet it’s estimated that less than 3% of those websites are secure. And guess who’s really taking notice of this glaring absence of website security?

It’s nothing new that hackers are constantly changing their tactics. What’s troubling is how quickly they adapt and adjust to whatever security countermeasures they encounter, and how creative and sophisticated their workarounds have become. That’s what happens when a crime becomes a lucrative industry, and when things like website security get overlooked, hackers won’t waste a moment exploiting it.


10 Important Security Decisions Before Launching Your Website

So you’re thinking about finally launching your first website. Or you’ve had a website up and running for years but it’s time for an upgrade, an overhaul, and a brand new chapter in your online presence.

You’ll have plenty of things to think about and to get right, so just make sure you don’t leave security as an afterthought.

  1. Where will you host it? Hosting matters. Some hosts take security very seriously, because they understand that their reputation counts on your trust in them. Other hosting companies are less than enthusiastic about spending their budget on your security. Choose a host that has lots of experience, a reputation for reliability, a solid support team that’s there in an emergency, and a relentless commitment to protecting your online presence.
  2. What do you intend to use it for? Will you just use your website to advertise your business and encourage people to call or drop by your physical store? Will you collect personal information, maybe even accept credit cards, and even run your entire business online? What you collect and transact on your website will determine how big a target you could be and how much you could lose if you fail at website security.
  3. What kinds of information will you collect? It’s not just about collecting information from visitors to your website, it’s about what kinds of information, what you do with it, and how you protect it. Remember, even if you ask visitors to share their email address so you can send them a newsletter, that email address is of great value to hackers and identity thieves. The more information you request, the greater your responsibility to protect it. Are you ready for that responsibility?
  4. Will you have e-commerce? Selling your products and services online has never been easier, and it’s a great way to maximize sales and minimize costs. But it comes with risks, and in particular the risk that hackers will breach your security and get their hands on customer credit cards. So before you start accepting online orders, talk to security experts who can make sure security is built in from the start.
  5. Will you have to be PCI compliant as a result? If you plan to accept credit or debit cards, you have to be PCI compliant. No discussion, and no exceptions. But getting in compliance is not as daunting as it might sound. For most smaller firms, the process is quick and straightforward. You can complete much of the process yourself in a matter of minutes, then use a firm like SiteLock to perform the regular website security scan you’ll need in order to be PCI compliant.
  6. Will you be using lots of third-party plugins? One of the great things about building killer sites is the number of low-cost and even free plugins you can use to give your customers the best experience possible. The downside is that many of those plugins may have security weaknesses or vulnerabilities that have to be patched quickly. So you’d better make sure that you have a process in place to identify plugins with known issues and update all your plugins regularly.
  7. Who’s going to manage, update, and access your site? Maybe you’re talented enough to build and run the entire site on your own. But chances are, you have better things to do. Whoever you choose to build and maintain your website, whether a friend, a local guru, or your web hosting company, you need to make sure that security is a key part of every decision they make. And make sure they know what they’re doing when it comes to security. So many breaches are the result of mistakes by programmers and web designers who didn’t think about security.
  8. Do you know enough about security to be dangerous? Dangerous to hackers, that is. You don’t have to be a security expert to have a secure website. But if you’re running any kind of business you have to be familiar with the basics of security, identity theft, fraud, privacy, and all their cousins. Just like running a bricks and mortar store – if you don’t know how to spot a fake $20 bill, you’re going to end up with lots of them. So take some time to learn about what hackers are up to so you can spoil the party and ruin their day.
  9. Who’s going to guard and patrol your online premises? You know you can’t, right? You can’t be there all the time, and the web is a very big and dangerous place. So never open a business on the web without first enlisting the protection of a company like SiteLock. Having the best experts with the best technology in a constant state of vigilance for any sign of attempts to break into your business is more than worth the dollar a day it might cost you.
  10. So how are things at home? Nothing personal, but one of the easiest ways for hackers to break into your website and steal your customer information is to infect your personal and home computers with malware first, then use that to steal your passwords as you log in to your site. So make sure you and everyone at home is aware of the risks and knows how to avoid them.

Good luck on your journey. May your website welcome lots of visitors that leave happy and return often. And make sure it’s as repellent to hackers as it is welcoming to shoppers. This shopper will thank you for it.

Google Author: Neal O’Farrell

7 Things You Need To Know About PCI

  1. It’s there for a reason. As the Target and many other data breaches have shown, there’s a huge underground market for stolen credit and debit card numbers. Crooks will go to great lengths to get these numbers, and the resulting breaches can be very costly. Even more important, credit card processors worry that more security and data breaches will hurt consumer confidence in using their credit and debit cards, and that’s bad for everyone.
  2. It’s got teeth and it’s not afraid to bite. PCI is like a guard dog that’s not afraid to turn on its master. It’s ultimately designed to protect you, and in the case of smaller firms, without much effort. But if you ignore PCI, it’s not afraid to bite. Failure to comply can mean penalties, fines, and even the inability to accept credit and debit cards.
  3. If you accept credit or debit cards, you can’t avoid it. One of the most common misconceptions is that PCI is only for bigger firms, only applies to businesses that process a minimum number of credit card transactions monthly, or that smaller firms are exempt. None of the above are true. If you accept credit cards, even one transaction, then you have to be PCI compliant.
  4. It’s like a free security plan. While any kind of regulation can seem like an unnecessary burden, PCI should be looked at more as free security. The world’s top credit card processors, who between them process the majority of credit card transactions in the world each day, created a free roadmap to help you protect against card breaches. And PCI is not just about protecting credit cards. It’s ultimately about protecting your business, your reputation, customer trust, and your future. Not a bad freebie when you think about it.
  5. It’s not a security guarantee. The more credit card transactions you process each year, the more complicated PCI can get. The higher the number of transactions, the more rules you have to follow and the more it will cost you. Yet in spite of all the rules, being PCI compliant is no guarantee that you’ll be secure. PCI should be seen as a baseline and a minimum standard, meant to be combined with other layers of protection.
  6. Expect it to get tougher. With so many breaches, and so much in-depth coverage of them, it’s become apparent that even major organizations with huge investments in security and compliance have still fallen victim to security breaches. That’s led to calls to make PCI even tougher. You can expect that to happen in the next few years.
  7. Despite #6, it doesn’t have to be hard. For smaller firms, PCI is remarkably easy. Compliance is based around a self-assessment questionnaire. That’s right – you answer some questions and you conduct the assessment yourself. A major focus of compliance is making sure that if you accept payments through your website, your website is secure. Luckily that’s also easy. Firms like SiteLock can manage that process seamlessly and affordably.


10 Ways to Defend Against Cyber Risks


  1. Look in the window. Most business owners look at their websites and security risks from the inside-out, and never see what it looks like from a hacker’s perspective. Even a cursory inspection, but even better a basic website scan, could easily help you spot vulnerabilities quickly.
  2. Understand what the risks are. After all, you can’t fix them if you don’t know what they are. A little light reading on common business and website risks could tell you all you need to know. Focus on technical and procedural risks – from exploits of unpatched vulnerabilities to common errors by employees.
  3. Focus on passwords, and especially the one for your FTP account. Passwords can be the keys to the kingdom, and even the biggest security breaches at the biggest businesses have been traced to the smallest password mistakes.
  4. If your business has a lot of sensitive information to protect, consider having your website developers use a dedicated computer to access the website. This can significantly reduce the risks of things like keyloggers, which can steal website passwords and give hackers access. By using a dedicated computer that’s not used for anything else, you eliminate the risk of downloading a keylogger or other malware through drive-by downloads, email attachments, or infected files.
  5. Create a list of your Top 10 security rules that everyone has to follow, and make sure that everyone knows what those rules are. Ten is a good number. You could easily have a hundred, but too many could cause more harm than good. Focus on the biggest risks and vulnerabilities and pursue them relentlessly.
  6. If you accept credit cards, make sure you’re PCI compliant. Achieving PCI compliance is not difficult or expensive, especially for smaller businesses. Not only is PCI a great place to start on security, you don’t have an option. Failure could mean big fines and the inability to accept credit card payments.
  7. Don’t forget to get physical. Not all attacks or exploits have to be digital or virtual. Hackers can walk into an unprotected business or rummage through a dumpster. And many of the information-rich laptops and tablets stolen in burglaries end up in the hands of cybercrooks.
  8. Control who you give access to. That can range from access to buildings and rooms to access to computers, networks, and websites, to access to specific files and privileges. It’s not about people getting access to sensitive data, it’s about the wrong people getting access.
  9. Choose your web hosting provider carefully. There are thousands to choose from so pick yours thoughtfully and focus on what they say about security. If they don’t talk about it at all, that could be a warning sign. If they do mention security, present them with your list of top security worries and risks and see what their response is.
  10. Review your security regularly, with a comprehensive top-down review at least a couple of times annually. Nothing stands still, and new vulnerabilities are being discovered or created daily.


PCI Compliance Could Be The Best Christmas Gift For Your Business – And Your Customers

Data has always been a currency for crooks but, now more than ever, personal data has become a hot commodity for everyone from petty identity thieves to major organized crime. And one of the easiest ways to get this kind of information is from websites just like yours.


PCI Compliance – Embrace it, before it cashes you out

If you own a small business and you take credit cards and you’ve never heard of PCI, be afraid. If you own a small business and you’ve heard of PCI but you don’t think it’s important enough for you to comply with, be very afraid. If you’re a small business owner and you’re supposed to be PCI compliant, and when you have a data breach it’s discovered that you’re not compliant, you’d better have very deep pockets.

There are millions of small business merchants in the U.S., and while every small business that accepts credit cards has to comply in some way with the Payment Card Industry Data Security Standard (PCI DSS), many observers believe that most small businesses are still not in compliance, even though the rules have been in place for more than eight years.

