Ecommerce - 1.2 - Security Flashcards

1
Q

User data security standards USA

A

The USA is one of the most lenient in the world.

2
Q

User data security standards EU

A

EU data privacy rules state that you cannot store most customer data outside of the EU. A Safe Harbor agreement used to be in place, but it no longer exists.

3
Q

User data security standards Canada

A

Just has very strict spam laws.

4
Q

PCI standards and processes

A

PCI SAQ (Self-Assessment Questionnaire): a detailed questionnaire used to assess whether you and your website are following best security practices.
• Cardholder data must never be stored or transmitted unencrypted.
• Unencrypted cardholder data must not be seen by unqualified individuals.
• Encrypted cardholder data is still subject to safety measures.
• References:
  • https://www.pcicomplianceguide.org/faq/
  • https://www.pcicomplianceguide.org/pci-saq-3-1-ecommerce-options-explained/

5
Q

PA-DSS / PCI-DSS rules and practices

A

• https://securityintelligence.com/difference-pci-dss-pa-dsspayment-application-vendor-thinkappsec/
• Every organization that handles credit cards needs to comply with PCI DSS (Payment Card Industry Data Security Standard):
  • Build and maintain a secure network.
  • Protect cardholder data.
  • Implement strong access control measures.
  • Ensure the maintenance of information security policies.
• Vendors that make and sell payment applications need to meet PA-DSS (Payment Application Data Security Standard).

6
Q

SSL usage in ecommerce

A

• SSL when transmitting cardholder data is a must.
• Preferably use TLS 1.2, but this is limited by older browsers that do not support it.
• Browser vendors are pretty much forcing all sites to switch to https.

7
Q

What is PA-DSS? When should PA-DSS be applied?

A

• https://securityintelligence.com/difference-pci-dss-pa-dsspayment-application-vendor-thinkappsec/
• It helps achieve PCI-DSS compliance. A good overview for this is the PCI Awareness Training.
• All organizations that handle cardholder data must be PCI-DSS compliant.
• PA-DSS validates the compliance of a system or a program. PCI-DSS validates an organization (meaning the people, systems and hardware).

8
Q

What is the process for getting a site certified as PCI compliant?

A

• https://www.pcicomplianceguide.org/the-pci-basicsquick-guidewhat-do-small-merchants-need-to-do-to-achieve-pci-compliance/
• Determine the merchant level.
  • Visa: https://usa.visa.com/support/small-business/securitycompliance.html
  • MasterCard: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-needto-know.html
  • This determines whether a SAQ will work or whether you need an on-site assessor.
• Determine the SAQ.
• Complete the SAQ.

9
Q

What are the best practices for protecting ecommerce user data?

A

• Don’t store cardholder or other sensitive data. It is good to see the “saved credit card” option gone in Magento 2.
• Be careful about who handles cardholder data.
• Use strong hashing for passwords. This is another benefit of Magento 2.
• Use https on the website to protect cardholder and other data.

10
Q

What are the requirements of the EU “cookie law”?

A

• https://www.cookielaw.org/the-cookie-law/
• Required after May 2011 (though, to my understanding, it is very poorly enforced).
• It requires that a website give customers the option to opt out of cookies being set on their computer.
• Requires that a website:
  • tells visitors that the website uses cookies;
  • explains what the cookies do;
  • gets their approval for storing cookies on their computer.
  • (exceptions do apply)
• https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
