Last week we looked at the obligations under PCI DSS and the ramifications for online merchants. Not only is compliance a legal requirement if you want to conduct business online, but if your payment processing doesn’t meet the grade you could be fined up to £500,000.
PCI DSS has helped to reduce online payment processing fraud, and recent horror stories about Heartbleed have highlighted the need to be extra vigilant.
What is Heartbleed?
In short, Heartbleed is a coding error that has allowed cyber-crooks to read passwords and other details straight out of the memory of affected merchant websites. It's been called the biggest online security breach ever, and because it sits in the code of OpenSSL (the encryption software that's meant to save us all from card fraud) it lets cyber-fraudsters bleed security data from the very heart of a business's systems.
Worst of all, Heartbleed has been around for at least two years – though it has only recently been discovered.
According to recent surveys by Netcraft, two thirds of websites are at risk.
The only way to ensure your security is to update your OpenSSL. After updating, all your passwords will need to be changed.
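The "error in the coding" mentioned above, reduced to its essence as an added illustration (this is not code from the post and not OpenSSL's own code): a simplified heartbeat handler that trusts the length claimed by the other side, beside one that checks that claim against the size of the record it actually received. The record layout, the function names and the "SECRET:cardholder-data" string are all constructed for the demonstration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustration of the Heartbleed bug class (constructed example, not OpenSSL code).
 * A heartbeat record carries a 2-byte "payload length" chosen by the peer.
 * The defect was that the responder copied that many bytes back without
 * checking the claim against the size of the record it had really received,
 * so the reply was padded with whatever happened to follow the record in memory.
 *
 * Simplified record layout used here: [type:1][payload_len:2, big-endian][payload...]
 */

#define HB_HEADER_LEN 3

/* Constructed memory arena: the incoming record sits in front of unrelated
 * process data (the "secret"), as it might on a real heap. */
static unsigned char g_arena[64];
static const char g_secret[] = "SECRET:cardholder-data";

/* Builds a heartbeat record in g_arena with a 1-byte payload "A" but a
 * claimed payload length of `claimed`; returns the record's actual size. */
static size_t build_record(uint16_t claimed) {
    memset(g_arena, 0, sizeof g_arena);
    g_arena[0] = 1;                              /* heartbeat request */
    g_arena[1] = (unsigned char)(claimed >> 8);
    g_arena[2] = (unsigned char)(claimed & 0xff);
    g_arena[3] = 'A';                            /* the only real payload byte */
    memcpy(g_arena + 4, g_secret, sizeof g_secret); /* unrelated data right after */
    return 4;                                    /* 3 header bytes + 1 payload byte */
}

/* Vulnerable logic: trusts payload_len and never consults the real record size. */
static size_t vulnerable_respond(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    (void)rec_len;
    size_t plen = (size_t)((rec[1] << 8) | rec[2]);
    /* This clamp is NOT part of the bug; it only keeps the toy inside the
     * arena so the demonstration stays within defined behaviour. */
    size_t avail = sizeof g_arena - HB_HEADER_LEN;
    if (plen > avail) plen = avail;
    if (plen > out_cap) plen = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, plen);     /* copies past the 4-byte record */
    return plen;
}

/* Fixed logic: reject the record unless the claimed length fits inside it. */
static size_t fixed_respond(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t plen = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + plen > rec_len) return 0; /* the missing bounds check */
    if (plen > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, plen);
    return plen;
}

/* Returns 1 if the reply contains the constructed secret, else 0. */
static int leaks_secret(const unsigned char *reply, size_t n) {
    size_t slen = strlen(g_secret);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(reply + i, g_secret, slen) == 0) return 1;
    return 0;
}

/* Runs one handler against a record claiming `claimed` payload bytes;
 * stores the reply size in *reply_len (if non-NULL) and returns the leak flag. */
static int demo(int use_fix, uint16_t claimed, size_t *reply_len) {
    unsigned char reply[sizeof g_arena];
    size_t rec_len = build_record(claimed);
    size_t n = use_fix ? fixed_respond(g_arena, rec_len, reply, sizeof reply)
                       : vulnerable_respond(g_arena, rec_len, reply, sizeof reply);
    if (reply_len) *reply_len = n;
    return leaks_secret(reply, n);
}

int main(void) {
    size_t n;
    printf("vulnerable, claimed 60 bytes: leaks=%d, reply=%zu bytes\n", demo(0, 60, &n), n);
    printf("fixed,      claimed 60 bytes: leaks=%d, reply=%zu bytes\n", demo(1, 60, &n), n);
    printf("fixed,      claimed  1 byte:  leaks=%d, reply=%zu bytes\n", demo(1, 1, &n), n);
    return 0;
}
```

The hardened handler drops any record whose claimed payload does not fit in the bytes that actually arrived, which is the shape of the real fix. Because the memory that leaked in practice could include a server's private key as well as passwords, the clean-up after updating OpenSSL also means reissuing the affected certificates and keys, not only changing passwords.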
The good news is that the major providers are all in the process of updating, so the threat is going to subside very quickly.
Saving time and money
The Heartbleed bug has highlighted how criminals are still able to target online businesses. Cardholder data has to be held securely, but Heartbleed has opened a hole through which cyber criminals can extract payment processing data.
The PCI DSS holds the merchant accountable for compliance. Even though the affected OpenSSL is not the merchant’s proprietary security system, it is still considered the merchant’s responsibility.
Clearly, there is a huge cost, not only in pounds but also in reputation, should a merchant fail to remain compliant. You'll need to spend time, effort, and money staying on top of the law, data requirements, and security updates. Every step has to be documented. The online merchant may even find itself needing an extra member of staff, or even a department, to administer all of this, and that's before the IT responsibilities are dealt with.
By working with a third-party PCI DSS compliant provider, all of this expense and effort is saved. The eCommerce business transfers responsibility to the provider, and because this is the provider's main business, it has the resources to deal quickly with industry-wide issues such as Heartbleed.
The money saved by the online merchant can then be put to better use on business development, safe in the knowledge that the requirements under PCI DSS are being dealt with professionally.
Whether you are a large multinational or a small one-man band, you will either be PCI DSS compliant or you won't be. Securing your own PCI DSS certification is a costly and time-consuming business. Working with a third-party PCI DSS compliant payment processor avoids this cost, secures the business, and allows you to concentrate on finding and serving more customers securely and professionally.