How to Build a Small-Business Web Site, Part 9: Security and Transaction Processing
Apr 2, 2009 4:00 AM PT
This is the ninth in an ongoing series on building a Web site for your small business. Part 1 looks at essential elements of a business Web site. Part 2 offers basic site design guidelines. Part 3 tackles some advanced design issues. Part 4 examines social media tools for building traffic. Part 5 compares outsourcing against doing maintenance work in-house. Part 6 offers tips on marketing your site. Part 7 covers analytics for measuring effectiveness. Part 8 delves into content management issues.
It's all well and good to have a business site that encourages online purchasing and open dialog. However, with every interaction come the associated risks and requirements in terms of payment processing and security. So, it's important to do your homework when it comes to securing your Web site.
"It's not terribly difficult to set up and maintain a secure site, provided you do some due diligence up front," Alfred Huger, vice president of development for Symantec, told TechNewsWorld.
Still, the level of complexity can change significantly from one Web site to the next. Even if you don't plan to process payments online, you still need to make sure you have things locked down on the security front.
Out With the Bad
"You want to make sure your Web site is protected from both internal and external threats," Fiaaz Walji, Canadian country manager for Websense, a provider of hosted security solutions, told TechNewsWorld. "What is happening internally could be malicious. Externally, you need to think about folks who are hacking or posting malware."
Having a blog requires extra vigilance on the part of business owners, large or small, he added. "Any time you allow users to post things on your site, you have created another dimension to your security needs. And once you have possession of people's personal information -- through transactions or data collection -- that's a different ball game altogether."
One of the key things that can lead you astray is using free software. "There's nothing wrong with that, except people don't tend to stay on top of it, particularly when it comes to security updates," Huger pointed out, adding, "You should be especially careful selecting free software on Web site properties."
A good place to start is Google, he said. "Google is your friend when it comes to researching software. Find out about its performance and if there is a history of vulnerabilities."
It's also a good practice to run a security analysis to "check for holes on your site and the individual pages," Walji advised. "When running an audit, you also have to think in terms of messaging and email. Basically, you want to make sure anything coming in is clean from malware, phishing, malicious URL links, etc., and doesn't contain private information. At the same time, you need to know that nothing that leaves your site is corrupted."
For anyone doing transaction processing on any scale, it's essential to continue to keep up with the audit process.
"Once the audit is done and the security is set up, a lot [of businesses] don't continue to secure their site," Symantec's Huger noted. "To make it easier, users can tap into affordable automated services like Qualys or WhiteHat Security to perform vulnerability, policy and PCI (payment card industry)-compliance assessments on a routine basis," he suggested.
Securing the Deal
Despite all the available resources, when it comes to transaction processing, some Web site owners can be surprisingly undereducated.
"A lot of people are setting up Web properties for business transactions with no background on the risks they face," Huger observed. "The good news is information is freely and easily available -- you just need to do the legwork to get your hands on it."
With the right partners, setting up an e-commerce site is actually a straightforward process, Eddie Davis, senior director of services for PayPal, told TechNewsWorld.
Merchants using PayPal have seen up to a 14 percent increase in sales and conversion rates of up to 72 percent, he claimed.
"Sometimes, businesses don't understand the different players they have to sign up with and the different fees charged by multiple merchant providers," explained Davis. "Setting up an account through PayPal, for example, is a good route for small- and medium-size businesses to go, because it serves as a front-end gateway that simplifies all your payment processing. In addition, it can [relieve you of the burden] of meeting compliance requirements, because it adds that layer of security and trust."
It is extremely important to make yourself aware of the risks involved in selling on the Internet, as well as your responsibilities, according to the "Visa E-Commerce Merchants' Guide to Risk Management". It's also important to put measures in place to avoid chargebacks where possible.
Businesses should choose an acquirer with "robust" e-commerce capabilities, and make sure they get a clear understanding of terms and conditions of the contract, Visa advises in the guide.
PCI or Die
One of the most important things any business conducting e-commerce needs to know is how to ensure that all credit card transactions comply with the PCI DSS (Payment Card Industry Data Security Standard). Any lapse in this area leaves a firm on the hook if anything goes wrong with a particular transaction.
By way of explanation, PCI DSS was established by the PCI Security Standards Council for merchants that accept credit cards online. It includes guidelines for user authentication, firewalls, antivirus, encryption, truncating account numbers, programming maintenance and vulnerability testing.
The standards apply to all organizations or merchants -- regardless of size or number of transactions -- that accept, transmit or store any cardholder data.
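As an added example (not code from the article, Visa or the PCI Security Standards Council), here is how a small site can apply the account-number truncation rule the standard calls for before card numbers reach a log file or a screen. PCI DSS permits a display to show at most the first six and last four digits of a card number, so the code masks the rest, and it uses the Luhn check so that unrelated numbers such as order or tracking ids are left alone. The log lines are constructed sample data.

```python
import re

# PCI DSS allows at most the first six and last four digits of a primary
# account number (PAN) to be displayed; the digits between must be masked.
# The display rule and the sample log below are our assumptions, not the article's.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask everything in between."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card-number-looking run in text; leave other numbers."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)         # fails Luhn (e.g. an order id): not a card number
    return PAN_RE.sub(repl, text)


# Constructed sample log lines; 4111 1111 1111 1111 and 5500000000000004 are
# widely used test card numbers, the other long numbers are not card numbers.
SAMPLE_LOG = [
    "2009-04-02 09:15:01 order=1234567890123 card=4111 1111 1111 1111 amount=49.99",
    "2009-04-02 09:15:02 card=5500000000000004 status=approved",
    "2009-04-02 09:16:10 tracking=1234567890123456 shipped",
]


def redact_log(lines):
    """Return the log with every PAN truncated, ready to be written to disk."""
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Run the redaction before the line is written, not afterwards: once a full PAN has been stored, the file itself is in scope for the standard.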
"Maintaining security within the payment system is a shared responsibility of the service providers, agents, merchants [and] vendor," said Martin Elliott, senior business leader for Visa. Businesses that have Web sites "must make sure that any downstream partners -- [such as] gateway and service providers -- and payment applications are PCI-compliant."
Among other resources, Visa provides businesses with lists of PCI-compliant providers. "When selecting a provider, just take the time to make sure they are listed," Elliott told TechNewsWorld.
Minding the Web Store
A number of additional operational and logistical issues can be overlooked when managing e-commerce transactions, Elliott added. "Accurate product descriptions, clear terms and conditions, digital content policies, negative renewal options, etc. -- these can easily be forgotten. All those set the tone for a positive e-commerce experience."
Another thing to consider in online transaction processing is making sure you have the infrastructure in place to handle the volumes, he advised. "You don't want e-commerce to turn into a nightmare if you are not prepared to handle anticipated volumes. Small businesses getting into the online sales channel should carefully study their business plans and marketing techniques so they can plan their infrastructures properly."
Additional best practices for securing transaction activities include having a layered security strategy in place; implementing fraud control functions through services such as CyberSource; and using address and card verification tools and identity confirmation services such as Verified by Visa to protect yourself from chargeback liability.
Depending on the level of sophistication, you might also want to consider outsourcing your shopping cart application to handle the ins and outs of currency conversion, shipping and tax calculations.
"When you peel back the layers of a transaction, it can be a daunting task," said Elliott. "It's a huge value proposition if you can simplify it all."
So, before you decide to take any shortcuts when setting up your Web site, just remember that any kind of breach can lead to no end of problems -- from loss of customer trust to unwanted penalties for noncompliance. It doesn't matter what size you are -- the consequences could be the same. So it's important to do the job right from the start.