Topic: Security
Last Updated On: June 12, 2006
Applies to: MC Storefront Software, versions 4.1+

Summary

Business Security

This document will help you understand how to best protect your customers' sensitive data.


Good Security Habits - Just the Basics!

The information contained within this quickguide is intended to highlight some of the most basic computer security techniques that can help protect you and your customers.

Passwords

  • Always use strong passwords with your MonsterCommerce storefront. Your passwords should:
    • Be at least 7 characters long (longer is better; every extra character makes guessing harder)
    • Contain both upper and lower case letters
    • Contain at least one number
    • Contain at least one special character, for example by replacing the letter “A” with “@” or “S” with “$”. Note that these substitutions are well known to password-cracking tools, so a dictionary word with swapped symbols is still a weak password.
    • Not contain all or part of a previous password
    • Extra Protection: Stay clear of words found in the dictionary, even with letters swapped for symbols as above.
  • Reset your MonsterCommerce admin panel password once every 90 days, and do not choose a new password that is similar to or contains the old one.
  • Supply admin user passwords to other people only when necessary and reset or change them as soon as they are finished with their work/task.
  • Check the admin user list often and make sure you recognize every configured user name; remove any account you cannot account for.
  • Do not use the “remember passwords” feature on shared computers.
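As an added example (not part of the original guide or of any MonsterCommerce product), the following Go program checks a candidate password against the rules above. It goes a step beyond the bullet list in two places: the dictionary check first undoes the symbol substitutions the guide suggests, so “P@$$w0rd” is still caught, and the “part of a previous password” rule is implemented as reuse of any four-character run from the old password. The word list, the four-character threshold and the function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// A small constructed word list standing in for a real dictionary file
// (assumption: a deployment would load a full list of words).
var dictionary = []string{"password", "monster", "commerce", "storefront", "admin", "welcome", "summer"}

// leetTable undoes the symbol-for-letter substitutions the guide suggests,
// so "P@$$w0rd" is still recognised as the dictionary word "password".
var leetTable = map[rune]rune{
	'@': 'a', '$': 's', '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't', '!': 'i',
}

func normalizeLeet(p string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(p) {
		if t, ok := leetTable[r]; ok {
			r = t
		}
		b.WriteRune(r)
	}
	return b.String()
}

// containsDictionaryWord checks the normalised password for any listed word.
func containsDictionaryWord(p string) bool {
	n := normalizeLeet(p)
	for _, w := range dictionary {
		if strings.Contains(n, w) {
			return true
		}
	}
	return false
}

// sharesRun reports whether the candidate reuses any run of minLen or more
// characters from the previous password (case-insensitive). minLen = 4 is an
// assumed threshold for "part of a previous password".
func sharesRun(candidate, previous string, minLen int) bool {
	a, b := strings.ToLower(candidate), strings.ToLower(previous)
	for i := 0; i+minLen <= len(b); i++ {
		if strings.Contains(a, b[i:i+minLen]) {
			return true
		}
	}
	return false
}

// CheckPassword applies the guide's rules and returns the list of rules the
// candidate breaks; an empty list means the password is acceptable.
func CheckPassword(candidate, previous string) []string {
	var problems []string
	var upper, lower, digit, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if utf8.RuneCountInString(candidate) < 7 {
		problems = append(problems, "shorter than 7 characters")
	}
	if !upper || !lower {
		problems = append(problems, "needs both upper and lower case letters")
	}
	if !digit {
		problems = append(problems, "needs at least one number")
	}
	if !special {
		problems = append(problems, "needs at least one special character")
	}
	if sharesRun(candidate, previous, 4) {
		problems = append(problems, "reuses part of the previous password")
	}
	if containsDictionaryWord(candidate) {
		problems = append(problems, "contains a dictionary word (symbol substitutions do not help)")
	}
	return problems
}

func main() {
	// Constructed candidates; the previous password is also made up.
	for _, pw := range []string{"P@$$w0rd1", "short", "Xq7!mVb2-k"} {
		fmt.Printf("%-12s -> %v\n", pw, CheckPassword(pw, "mVb2-kOld9"))
	}
}
```

A real deployment would load a full word list and, for shared admin accounts, keep a history of previous password hashes rather than the passwords themselves.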

Email

As a web merchant, you will often need to send information by email, so it is important that you follow secure email practices. Observing the following rules will greatly reduce the chance of an unexpected security incident.

  • Encrypt sensitive information before sending it by email. Cypherix offers free, easy-to-use encryption and decryption software at http://www.cypherix.com/downloads.htm. You will need both the Cryptainer LE product (to encrypt) and the DecypherIT product (so the recipient can decrypt). The same software also works for encrypting information stored on your own machine; the free version is limited to 25 MB of encrypted storage, beyond which a paid upgrade is required.
  • Never email full credit card information unless the message is encrypted.
  • Never email anything unencrypted that you would not want an untrusted third party to see.
  • Never email your customers asking them to reply with sensitive information or to confirm order details by email; doing so teaches them to answer the same request from a phisher.
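To enforce the two rules about card numbers in email mechanically, here is an added Go example (not part of the original guide or of any MonsterCommerce product) that scans outgoing message text for card-number candidates, confirms them with the Luhn check digit that all major card brands use, and masks everything but the last four digits before the message goes out. The sample message is constructed for the example and the function names are assumptions; the check deliberately ignores long numbers such as order IDs that fail the Luhn test.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// A constructed outgoing message: one order number, two card numbers
// (well-known test numbers) and a phone number.
const sampleEmail = `Hi, please ship order 123456789012345.
Card on file: 4111 1111 1111 1111, exp 06/08.
Backup card 5555-5555-5555-4444. Phone 618-555-0123.`

// panCandidate matches runs of 13 to 19 digits that may be broken up by
// spaces or dashes, the way card numbers are usually typed into an email.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid implements the Luhn check-digit test: from the right, double
// every second digit, subtract 9 when that exceeds 9, and the total must be
// a multiple of 10.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func onlyDigits(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

func isPAN(candidate string) bool {
	d := onlyDigits(candidate)
	return len(d) >= 13 && len(d) <= 19 && luhnValid(d)
}

// FindPANs returns every Luhn-valid card number found in text, digits only.
func FindPANs(text string) []string {
	var found []string
	for _, m := range panCandidate.FindAllString(text, -1) {
		if isPAN(m) {
			found = append(found, onlyDigits(m))
		}
	}
	return found
}

// MaskPANs replaces each detected card number with asterisks plus its last
// four digits, which is enough for a customer to recognise the card.
func MaskPANs(text string) string {
	return panCandidate.ReplaceAllStringFunc(text, func(m string) string {
		if !isPAN(m) {
			return m
		}
		d := onlyDigits(m)
		return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
	})
}

func main() {
	fmt.Println("card numbers found:", FindPANs(sampleEmail))
	fmt.Println(MaskPANs(sampleEmail))
}
```

Wire a check like this into whatever sends mail on the merchant's behalf: refuse to send when FindPANs returns anything, or send the MaskPANs output instead.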

Local Network

Many merchants feel that nobody can touch their local machine. Unfortunately, this is not the case! You must protect yourself both from intruders and from data loss caused by viruses and similar malware. MonsterCommerce recommends that you talk with a local network security company to ensure that your local network and internal security practices are up to par. If you store order information downloaded with a program such as MonsterDataPort, be sure to encrypt it. If someone steals your laptop, your most precious data should not be readable.

At a minimum, any PC that attaches to the Internet should be running a virus scanner with up-to-date definitions, such as Symantec or McAfee, and you should never attach to the Internet without a firewall, either running on your PC (Windows XP comes with one) or as an external device (such as a Cisco PIX). Keep the operating system patched as well; a virus scanner does not protect an unpatched machine.

Credit Cardholder Data

The easiest way to protect cardholder data is not to store it at all. If you make it a practice never to download or store this data, then you remove the biggest risk on your side: cardholder data held within MonsterCommerce stays on systems that are certified and periodically tested for holding it. If you do download or store cardholder data on your local computer, there are some very important things to keep in mind.

Visa and MasterCard require any merchant that stores, processes or transmits cardholder data to self-certify against the Payment Card Industry Data Security Standard (PCI DSS). MonsterCommerce can help you with this. You will be held responsible for any security breach that results in the release of cardholder data. Keep in mind that you will have to allow audits by Visa or Visa-approved entities in the event of a cardholder data compromise, and that you must continue to secure cardholder data during and after contract termination.

Always store cardholder data in encrypted form, with the encryption key kept apart from the data, and ensure that you are the only one with access to it. Do not "backup" credit card data anywhere. If you feel that you must “backup” this data, burn the encrypted copy to a CD and secure it in a bank vault.
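Both the Local Network section (encrypt what MonsterDataPort downloads) and the paragraph above come down to the same operation: encrypt an exported order file so that a stolen laptop or backup disc yields nothing readable. The following added Go example (not part of the original guide, of MonsterDataPort or of any MonsterCommerce product) does this with AES-256-GCM from Go's standard library, which both encrypts and authenticates, so a modified blob is rejected rather than silently decrypted to garbage. The file name is bound in as associated data so a blob cannot be swapped between exports. The sample export row, the file names and the function names are assumptions; where the key lives (a hardware token or removable media kept locked away, never beside the data) is a deployment decision this example only comments on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a fresh 256-bit AES key. Assumption for this example: the
// key is stored somewhere other than the machine holding the encrypted
// export, e.g. on removable media kept in the same vault as the backup CD.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM. A random nonce
// is prepended so the result is a single blob; label (the export file name)
// is bound as associated data so one blob cannot be passed off as another.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal and fails closed if the blob was modified, truncated,
// or stored under a different label.
func Open(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// RoundTrip is a self-check: encrypt a constructed order export, decrypt it,
// then confirm that a flipped byte and a wrong label are both rejected.
func RoundTrip() (bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	// Constructed sample row using a well-known test card number.
	export := []byte("order,1001,Jane Doe,4111111111111111,06/08\n")
	blob, err := Seal(key, export, "orders-2006-06.csv")
	if err != nil {
		return false, err
	}
	back, err := Open(key, blob, "orders-2006-06.csv")
	if err != nil || string(back) != string(export) {
		return false, errors.New("round trip failed")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, "orders-2006-06.csv"); err == nil {
		return false, errors.New("tampering not detected")
	}
	if _, err := Open(key, blob, "orders-2006-07.csv"); err == nil {
		return false, errors.New("label swap not detected")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("export encrypted, verified and tamper-checked:", ok, err)
}
```

The blob, not the plaintext CSV, is what goes on the laptop or the backup CD; the key travels separately, and losing the key means losing the data, which is the intended trade-off for cardholder data you decided you had to keep.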


Interested? Learn more from Microsoft!

For more complete information on how to protect your business, visit Microsoft's small business security hub.

