
New PCI E-Commerce Guide Advocates SSL

Created: 09 Feb 2013 • Updated: 19 Feb 2013

In e-commerce, the strength of the encryption you employ, and the use of Extended Validation (EV) SSL certificates (issued only after a rigorous, standardised verification of the organisation behind the site), needs to be beyond all compromise. Get this right and you will have loyal, long-term customers who return time and again. Get it wrong and they will desert you and tell their friends to do the same.

Why? Because online fraud has been soaring and is ranked as one of the biggest problems within the Payment Card Industry (PCI). E-commerce without proper, independently validated safeguards leaves your customers wide open to attack and at the mercy of criminals who try to dupe them into handing over card details and credentials, leading to substantial financial loss and/or identity theft.

It’s a serious problem. More than 234 million records with sensitive information have been breached since January 2005. As a merchant, you are at the center of payment card transactions, so it is imperative that you use the most sophisticated security procedures and technologies to thwart theft of cardholder data.

So what can you do to keep your customers safe? Online scams are increasingly making headline news, and many people walk away from online transactions fearing they will be the next victim. You have to show, beyond any shadow of a doubt, that you are exactly who you say you are.

In January 2013, the PCI Security Standards Council (PCI SSC) published its E-Commerce Guidelines, detailing the technical and operational requirements set by the council to protect cardholder data. This will almost certainly become the reference point for merchants and customers alike. The council has aligned with NIST standards in stipulating that a cardholder's sensitive data must be adequately encrypted while it is being transmitted, insisting on nothing less than 128-bit encryption. It also calls for cryptographic keys, including their storage and transmission, to be effectively managed.

What does that mean for you in meeting these requirements? The council singles out Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption as an important way forward, technology that is at the very heart of Symantec's security ethos and best practice. First, you need full visibility into the SSL/TLS traffic crossing your own infrastructure so that possible threats can be detected. Second, you need Web gateway solutions that offer SSL/TLS scanning and policy enforcement for encrypted traffic.

The PCI DSS (Data Security Standard) requires that payment card data be protected during transmission over open, public networks, including the Internet. SSL/TLS encrypts the information sent between the consumer and the merchant, and between the merchant and the e-commerce payment gateway, and its proper implementation is one key mechanism for meeting this requirement. Correctly configured SSL/TLS with at least 128-bit encryption protects your customers' card numbers, payment information, passwords and other confidential personal data at the highest level, and it is easy to implement, too. Note that key length alone is not the whole story: a suite such as RC4 has a 128-bit key but is still considered broken, so the cipher suites a server offers need checking as well as their nominal strength. EV SSL certificates address a different threat. They do not make the encryption harder to brute-force; what they add is independently validated proof of the organisation's identity, which is what defeats the impersonation and phishing attacks described above.
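As an added example (not from the original post, nor from the PCI SSC guidelines or Symantec), the Python script below audits a server's cipher suite list against the 128-bit floor described above, using only the standard library's ssl module so it runs offline. It flags suites whose effective key length is under 128 bits, and also suites that fail for other reasons (RC4, 3DES, export, NULL and anonymous key exchange), then builds a hardened server context that passes the same audit. The "legacy server" cipher list is constructed for illustration, and the hardened cipher policy (TLS 1.2 or newer, ECDHE with AEAD suites) is an assumed policy, not one the guidelines prescribe.

```python
"""Audit TLS cipher suites against a 128-bit minimum.

Added example, not code from the original post or from PCI SSC/Symantec.
Only the standard library's ssl module is used, so this runs offline.
"""
import re
import ssl

MIN_STRENGTH_BITS = 128

# Name tokens (OpenSSL cipher naming) that fail the requirement regardless
# of nominal key length: RC4 and 3DES are broken or weak, NULL gives no
# confidentiality, EXP suites were deliberately limited to 40/56 bits, and
# ADH/AECDH are anonymous key exchanges with no server authentication.
WEAK_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXP", "EXP1024",
               "RC2", "IDEA", "SEED", "ADH", "AECDH"}


def weak_ciphers(cipher_descriptions):
    """Return names of suites that do not meet the 128-bit floor.

    `cipher_descriptions` is a list of dicts shaped like the output of
    ssl.SSLContext.get_ciphers(); only 'name' and 'strength_bits' are used.
    """
    failures = []
    for cipher in cipher_descriptions:
        name = cipher["name"]
        tokens = set(re.split(r"[-_]", name.upper()))
        too_short = cipher["strength_bits"] < MIN_STRENGTH_BITS
        bad_algorithm = bool(tokens & WEAK_TOKENS)
        if too_short or bad_algorithm:
            failures.append(name)
    return failures


# Constructed sample (not captured from a real server): what get_ciphers()
# might report for a legacy server still offering pre-2013 defaults.
LEGACY_SERVER_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "AES256-SHA", "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},   # 3DES, under 128 bits
    {"name": "RC4-SHA", "strength_bits": 128},        # 128-bit key, broken cipher
    {"name": "EXP-RC4-MD5", "strength_bits": 40},     # export-grade
    {"name": "ADH-AES128-SHA", "strength_bits": 128}, # anonymous DH, no identity
]


def hardened_context():
    """Build a server-side context meeting the floor.

    Assumed policy (an illustration, not prescribed by the PCI guidance):
    TLS 1.2 or newer, ECDHE key exchange for forward secrecy, and AEAD
    suites with 128- or 256-bit keys only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Run the audit over the suites a real SSLContext would offer."""
    return weak_ciphers(ctx.get_ciphers())


if __name__ == "__main__":
    print("Legacy server fails on:", weak_ciphers(LEGACY_SERVER_CIPHERS))
    print("Hardened context fails on:", audit_context(hardened_context()))
```

Running the script shows the legacy list failing on four suites, two of which (RC4-SHA and ADH-AES128-SHA) would have passed a check that looked only at the 128-bit number, while the hardened context offers nothing the audit rejects.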

One further level of reassurance you can give your customers is the green address bar, growing in familiarity, which browsers display for EV-authenticated sites along with the verified name of the organisation. Research has found that 93% of Web users who see a green address bar are more inclined to transact at those sites than at sites without one.

When you talk about winning trust, this is where it happens. What your customers get from all of this is the confidence to transact online. What you get, by delivering these highest levels of security, is more business.

In the guidelines, the PCI SSC acknowledges the contribution of its E-commerce Special Interest Group (SIG), which includes Symantec, to the preparation of the document.