You know you have to take measures inside your store to protect customers' credit card information. But what happens when someone else handles that sensitive information...like your website provider? So many retailers wonder "how do I know if my web provider is following best practices and protecting me and my customers"?
If you've ever wondered that...you're not alone. Read on to learn the right questions to ask and due diligence to perform. And if you haven't? You may need this information even more!
1. Verify your web provider has an Attestation of Compliance (AoC).
When investigating how secure a site is, many people logically assume they can google that. And if you do, you'll find a whole list of automated security scans that boast they can assess your website for compliance and security. Unfortunately...these scans really can't deliver because they don't know enough about your site and servers to look at the right things. For example, these scans almost always indicate you're missing a software patch...but if you're server isn't running that software to start with, you definitely don't need any patches for it!
Instead of relying on an Automated Security Scan, ask your web provider to provide an Attestation of Compliance (AoC) certificate. This document certifies the provider's results of a Payment Card Industry Data Security Standard or PCI DSS assessment. This means they completed the necessary documentation to be properly and thoroughly assessed based on the software their systems actually use. The AoC is the ultimate document to prove your web providers have your back – you can always request to see the form if you are curious about your provider's security practices.
If you accept credit card data via your website, you need a current AoC. If anyone tells you otherwise...run the other direction!
2. Make sure credit card numbers are never transmitted by email. Whenever you receive a sale through your WebFront, you're automatically alerted via email. But...that email never includes the customers' credit card information. Email is too easily intercepted and is not a secure method for transmitting this sensitive information.
3. Know where and how your customers' credit card numbers are stored. When retailers get an email alerting them to a new WebFronts™ sale, they're directed to login to their own secure digital backroom to see more information. This secure backroom is where all customer payment information is stored to facilitate the completion of transactions.
4. Make sure you can control and limit who has access to credit card information. Not only are credit card numbers stored in the separate and secure backroom of a retailer's WebFront, store owners can control who on their staff has - and does not have - access to the backroom via powerful permissions control. You may want one employee to be able to access the WebFronts™ App and control which items are in your clearance center...but you may not want that same employee to be able to access the backroom where credit card information is kept. With WebFronts™...that's no problem.
5. Know how long credit card information is kept. Make sure your web provider is not keeping credit card information around for longer than necessary. Once an order is marked as complete in the secure backroom of your WebFront, all but the last four digits of that consumer's credit card number (for reference) are purged entirely from the system within 48 hours. You can't steal what isn't there!
6. Ensure servers are kept in secure locations. In our digital world, secure locations require both physical and connectivity security. That's really only possible to achieve in facilities specifically designed for that purpose. All data collected via WebFronts™ sites are routed and stored on servers in a high security data center. We can take you to visit our servers...but it will require passing a retina scan in a sally port to even step foot inside!
7. Only accept credit card information from consumers over HTTPS.
Customers completing a purchase or submitting payment information during checkout are always doing so through a secure HTTPS link on every WebFronts™ site – no matter what level WebFront a retailer has chosen. HTTPS encrypts and decrypts security-sensitive communications like the information transmitted from a shopper's computer to your website's server. Today, many browsers even warn consumers if the site they are on lacks the necessary Secure Sockets Layer (SSL) certificate to have an HTTPS link during sensitive activities. It looks like this...and can scare consumers away from buying from you:
Example of a browser warning that a site is not secure.
Retailer Web Services already provides the most secure websites in your industry. Now you are thinking, "But wait a second, you said the most secure websites in the industry got MORE SECURE!" They did...just wait for it!
The rollout of the brand new WebFronts™ Level 4 product brings with it an upgrade to our retailers not only in functionality, but in security as well. In addition to all of the baked in security mentioned above, all Level 4 WebFronts™ now have their own unique SSL certificates registered to the retailer in addition to HTTPS URLs on every page. There is an additional benefit to the SSL certificate...can you say organic SEO goodness? Google awards higher rankings to sites with registered SSL certificates!
Ask Questions! If you aren't a WebFronts™ client use this information as a launch pad to have discussions about security and PCI Compliance with your current web provider.
If you are a WebFronts™ client, rest assured your website and your customers' data is protected. You have the most secure website in the Industry.