Tell us what you have in place to keep our billing information safe.

Status
Not open for further replies.

Quick1

Ultra Member
ECF Veteran
Feb 11, 2010
2,684
280
USA
The use of SSL certs does not indicate secured merchant services. SSL is used to encrypt information between a server and a client for a given purpose. You can look at the certificate (easiest way is to click on the padlock icon in your browser) to ensure that the site using the certificate is the same as the site that was issued the certificate, although your browser should show an error if this is not the case (it will by default). Now obviously you want your communication secured if you are passing any confidential information (CCs, passwords, private info, etc). However, someone can easily bring up a shady site and use SSL to encrypt communications. I'm afraid there is no magic there, as anyone with a site and a dedicated IP address can buy an SSL.

I agree. In fact, I think the need for SSL is highly overrated. Stemmed from the black helicopter hype early on. People equated it to someone climbing a telephone pole to clip a headset on the wire and eavesdropping on your phone conversation. The government may have some capacity to do this (like Lawful Intercept for VoIP) but it's impractical and not effective for thieves. SSL is for encryption over the wire. Relatively insignificant compared to your connecting to somewhere other than where you think you're connecting to or data being compromised after it gets there.

It sounds like a few people in the thread are looking for the silver bullet that they can use to make 100% sure that a site they are dealing with is safe. There are a lot of aspects to Internet security, way more than can be covered in this thread; in fact, there are IT career certifications in it (CISSP for one).

Well yes :). But at least people can get some understanding of what is behind the scenes and what to look for to feel more secure or at least reduce the risk. Maybe something like "shopping cart powered by XXX" gives you some assurance that the service is a commonly used reputable service and known to be fairly secure. Or at least put some effort into security measures/processes/standards.

As I stated in an earlier response, the best advice is to use reputable companies, and trust your instincts. If a site looks shady, get away. If there isn't SSL encryption, get away. If 1/2 the words are misspelled, things don't look professional, the prices seem too good to be true, and you just don't have a good feeling about using that company, get away.

That's going to eliminate all the Chinese sites isn't it? :)

This conversation could easily delve into many aspects of online security, and common advice stands here too: don't share your passwords, don't use the same password on multiple sites, protect your information, etc, etc, etc. One other thing you might consider is checking with your bank or CC company. Many of them offer one-time-use card numbers for online purchases. I wish more banks still offered this the way they did several years ago, but there are still quite a few who do.

There are a number of other threads on this subject already. I'd like to keep it more specific to our e-cig online supplier sites. Appears there is a good bit of commonality in the merchant service providers chosen, etc. A lot of people weren't aware of that. I think many just assume most suppliers download the store website template from Microsoft, fill in the titles and pictures and start taking orders. Maybe some do.
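As an added illustration (not code from the thread), this is the check the browser performs behind the padlock icon: does the name the certificate was issued for match the host you connected to? The certificate below is a constructed sample in the dict shape Python's `ssl` module returns from `getpeercert()`, so it runs with no network access; a match says nothing about whether the merchant behind that name is trustworthy, which is exactly the post's point.

```python
# Added example: hostname matching against a certificate's DNS names,
# following the RFC 6125 rules browsers apply. SAMPLE_CERT is constructed
# and is not any real site's certificate.

def _dns_names(cert):
    """Return the DNS names a certificate was issued for (SAN first, CN fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Only fall back to the Common Name when there are no DNS SANs, as browsers do.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _label_matches(pattern, hostname):
    """A wildcard may only be the whole leftmost label and matches exactly one
    label: *.shop.example covers www.shop.example but not shop.example,
    a.b.shop.example, or shop.example.attacker.test."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False  # reject partial (w*.example) and bare (*.com) wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_matches_host(cert, hostname):
    """True if the certificate was issued for the host the client connected to."""
    return any(_label_matches(name, hostname) for name in _dns_names(cert))

# Constructed certificate, shaped like the output of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "issuer": ((("organizationName", "Example CA"),),),
}

if __name__ == "__main__":
    for host in ("shop.example", "www.shop.example", "shop.example.attacker.test"):
        print(host, "->", cert_matches_host(SAMPLE_CERT, host))
```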

iamjn

Unregistered Supplier
ECF Veteran
May 1, 2010
161
0
West Michigan
I agree. In fact, I think the need for SSL is highly overrated. Stemmed from the black helicopter hype early on. People equated it to someone climbing a telephone pole to clip a headset on the wire and eavesdropping on your phone conversation. The government may have some capacity to do this (like Lawful Intercept for VoIP) but it's impractical and not effective for thieves. SSL is for encryption over the wire. Relatively insignificant compared to your connecting to somewhere other than where you think you're connecting to or data being compromised after it gets there.

No, no, no, that is not the message I was trying to portray at all. The use of SSL is not overrated, and is a definite requirement. It is just not the end-all solution that someone earlier alluded to it being.
 

PVPuff&Stuff

Unregistered Supplier
ECF Veteran
Oct 27, 2009
1,487
693
Bishop, California, United States
Just saw this topic today at work, so I had to add my 2 cents once I got home.

We run on an open source cart that has a ton of community involvement. Safer setup of the cart involves deleting a lot of folders typically used for exploits by hackers. Technical tweaks to the base software that are designed to thwart access attempts. Renaming of critical folders, moving others to areas not accessible by web, etc.

Every interaction with Valley Vapor is logged. I'm just enough of a nerd to actually read logs from time to time, but that's not what they are there for. Stored data on access attempts in case it's needed.

I check the cart patch version daily, and if the program is updated, I take the site down and update. Patches have come pretty frequently, and it's a major hassle. I do it the first day. My office computers are checked for updates and patches on a regular basis as well. Daily virus scans with 2 scanners, malware and spyware scans as well.

Patches are a double-edged sword. If you don't keep up with them, they could bite you. Every release of a new security fix or patch usually comes with a fair description of the hole that was fixed. You don't fix the hole, well, now everyone knows where it is. I see a TON of old version carts out there.

Transactions are reviewed daily before they are processed. The cart kicks out orders that don't have the correct information, and if anything looks screwy with your order I'll either call you or email you. If it looks screwy and I can't get a hold of you, I'll void the order until I do. I'm not taking a bad/stolen card.

No credit card information is stored on any system at Valley Vapor. Your customer information is locked away in a database, behind 2 firewalls, with passwords and user names that change weekly.

There are no wireless access points.

Encryption is used everywhere possible to minimize the risk of snoops.

Any hard copies are shredded before they are pitched.

There are also about 200 detailed questions vendors answer (and comply with) to get PCI certified.

The questions and procedures relate to safe access and storage of sensitive information. If you were interested, you could go to Trustwave and see what a vendor needs to do to comply with credit card processing regulations.

It's a major pain to comply, but I think it would be worse to get hit with a pile of bad cards once the evil script kiddies find out you're a pushover.
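The post describes removing or renaming the cart's exploit-prone folders and keeping access logs "in case it's needed". As an added example (not Valley Vapor's tooling or any cart's own code), here is the daily review that makes those two measures work together: any request for a path that no longer exists on the hardened site is a probe by someone who does not know the site, and the log is where it shows up. The log lines and the retired path names are constructed samples in Apache combined format.

```python
# Added example: flag clients that request retired cart paths in a web access log.
# RETIRED_PATHS and SAMPLE_LOG are constructed for illustration, not a real site's.
import re
from collections import Counter, defaultdict

# Constructed: paths that were removed or renamed during hardening (illustrative names).
RETIRED_PATHS = ("/install/", "/admin/", "/setup.php", "/backup/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_probe(entry):
    """A request for a retired path is a probe whatever status the server returned."""
    path = entry["path"].split("?", 1)[0].lower()
    return any(path.startswith(p) for p in RETIRED_PATHS)

def review(lines, threshold=2):
    """Count probes per client IP and return those at or above the threshold,
    with the paths each one tried, as the material for the daily review."""
    probes = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry and is_probe(entry):
            probes[entry["ip"]][entry["path"]] += 1
    return {ip: dict(paths) for ip, paths in probes.items()
            if sum(paths.values()) >= threshold}

# Constructed sample log: one legitimate shopper and one scanner walking old paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2010:09:12:01 -0700] "GET /index.php?main_page=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2010:09:12:44 -0700] "GET /install/index.php HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.9 - - [10/Jul/2010:09:12:45 -0700] "GET /admin/login.php HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.9 - - [10/Jul/2010:09:12:46 -0700] "POST /setup.php?step=1 HTTP/1.1" 404 210 "-" "curl/7.19"
203.0.113.7 - - [10/Jul/2010:09:13:10 -0700] "GET /checkout HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, paths in review(SAMPLE_LOG).items():
        print(ip, "probed retired paths:", paths)
```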
 

Driver

Senior Member
ECF Veteran
Jun 28, 2010
155
8
Sacramento, CA.
Lots of info and hours of reading while vaping. I do appreciate all the vendors who posted and are aware that there might be a problem in what is mostly an online industry. I have noticed a theme though, it's one or 2 vendors and the words merchant services come up a lot. I've seen others along with myself that got charged once or twice almost immediately after using that card on a known vendor's site. Sorry I can't use any names or I get booted, so it all has to sound like rumors. Just another reason it might not stop.


I'm reminded of my kids here all of a sudden, one could lie, 2 could lie, but when I put all 3 kids and my wife in the same room and then asked a question, I either got guilty silence or the truth. I won't make any more posts where I have to play word games. I'll just read and wonder.
 

butterbean03

Unregistered Supplier
ECF Veteran
Mar 17, 2009
1,388
84
Central Texas USA
OK, just saw this thread. Almost everybody is required to have SSL encryption in place. It is the ones that spend more money and rev up security by getting the PCI DSS certificate. This is a vulnerability test done by a third party (Security Metrics), which issues the certificate. My merchant account is with First Data and I also have the gateway with them. They are required by an internal policy to have this cert also.

As oettinger said a couple of pages back, and this may have been covered, I didn't read the last 2 or 3 pages, but ZenCart is the most hacked cart. He said most fraud comes from bits of software placed on the customer's computer and sending every keystroke back to the hacker.

To prevent this, we use Bitdefender, which scans our computers daily and also updates them daily. It seems that when a virus or malware pops up, they jump on it and send the update ASAP. I do not work for them or have any affiliation with them, just have been using them for years with no problems, even with my sign/graphics shop where I have 6 - 8 top of the line computers. I have tried quite a few different security programs, but not a problem with this one.

Every site should have a logo as to their account info, and if you click on that badge, you will see the info you are looking for.

Go to my site and click on my two badges and look at the info given about security. It is on every page except the age verification. When I talked to them, they said your site is nearly as safe as Ft. Knox. So anybody doing business on the net should click on these badges and see when the cert was issued. Mine is issued quarterly, but I have the ability to do the test daily if I wanted. I also cannot see anything but the last four numbers of a customer's card and don't store cards. If I did, I could not pass the PCI DSS vulnerability test done by an outside party.

Just a little info on my site and most of this has been covered. Go ahead and click on these badges. You might be surprised what you find.

Don
 

iamjn

Unregistered Supplier
ECF Veteran
May 1, 2010
161
0
West Michigan
As oettinger said a couple of pages back, and this may have been covered, I didn't read the last 2 or 3 pages, but ZenCart is the most hacked cart. He said most fraud comes from bits of software placed on the customer's computer and sending every keystroke back to the hacker.

Are we reading the same thread? I don't see that anywhere, and would wholeheartedly disagree with anyone claiming this. osCommerce is far less secure than Zen Cart. Magento and Zen Cart are both secure, but like any other web site software, part of making it secure is the person who sets it up.
 

butterbean03

Unregistered Supplier
ECF Veteran
Mar 17, 2009
1,388
84
Central Texas USA
Maybe you misunderstood. I said and was told and have researched Zencart and they have had many security leaks. You can research this. I will not do your homework for you. What I was getting to was that a lot of fraud comes from customers' computers, on which hackers place small hidden pieces of software that log every keystroke. That is where info is stolen. That cat made that very clear. Looks like you are using Zencart. That is why you got defensive. I would consider talking to an IT company and they will give you the stats. I maybe didn't make myself clear, but they have a lot of security hacks. Go to the Zencart help forum and look around. I had three IT techs tell me to not use Zencart. I pay experienced techs to give me the most secure site I can get. Sorry if I wasn't clear! I just want the most secure site I can get for my customers. It's a liability if you don't have your customers' best interest.

Don
 

iamjn

Unregistered Supplier
ECF Veteran
May 1, 2010
161
0
West Michigan
True, I'll give you that I did get defensive, but you did in fact state that oettinger made this claim, which I do not see. I also did my homework when choosing a cart, and I am speaking not only as a vendor, but as someone who actually IS in IT network security for a global, very large company that everyone would recognize (for more years than I care to admit). If I wasn't 100% confident in the security of my site, it wouldn't be up. I don't hide behind incorporation, limited liability, or any other umbrella. If something happens to a customer's information due to a security issue on my site, I am personally liable for it. If that isn't enough motivation to do things right, I don't know what is.

But, to bring this conversation back to what it was originally intended for and something I think we can agree on: any site that actually is storing any customer CC information is not only breaking their merchant vendor's rules (NTM Visa, MC, AMEX, etc. themselves), they are also not someone to do business with, as they do not have their customers' best interest in mind.
 

butterbean03

Unregistered Supplier
ECF Veteran
Mar 17, 2009
1,388
84
Central Texas USA
The sad part is that what MOST consumers do not understand is that MOST of the time when credit cards get compromised, it is something on their OWN computer that causes the problem. I am sure I am in the minority here, as EVERYONE seems to think EVERYTHING is someone else's fault, but being a Fraud Investigator for a bank caused me to understand that MOST credit card breaches come from a person's OWN viruses and Trojans on their computer, OR by some big company being compromised.

I worked as a FRAUD INVESTIGATOR, my main card is NEVER used online, and WAS STILL charged $5,000 from a store in MOSCOW!! The number was stolen by a person working at a Wendy's restaurant.

I think that a consumer education class is required.

I am also sure that every person that has been defrauded will scream to the mountains that their computer is virus and malware free, but I will also guarantee that these same people use ONE virus scanner, and do not use a program that actually scans, and removes malware. For example, Norton and McAfee DO NOT clean malware, and are historically rated the WORST in discovering virus threats.

Here is the claim, post #26. I'm not getting into a pissing contest with anybody.

The person asked what we were doing to keep their info safe. I merely responded. If you want to talk more about this, email me or PM me and I will give you my IT company's name and number that came in Thursday telling me she walked right into the back end of one of her customer's site that was using that cart. She is a coding geek and got out of grad school less than a year ago. The customer was using somebody else and switched to her and they did not give her the login info. She has a reputation as being the best in this area.

I am not trying to hurt you or your business in any way. Sorry if I offended you.

Don