Batten Down Online Shopping Carts, Visa Warns!!!!May 26, 2006
BATTEN DOWN ONLINE SHOPPING CARTS, VISA WARNS: Visa USA is warning today
of an increase in a particular type of attack on online merchants and
recommending strategies to address it. "The attack method most recently
detected targets shopping carts that are not properly patched and are
therefore susceptible to attack," Visa says in a data security alert.
Visa added that the SQL injection attacks may exploit unpatched or poorly configured Web servers, database servers and applications. In an SQL-or structured query language-attack, a hacker deliberately enters information on a Web server in a way that opens it up for further attacks. To mitigate risk of SQL attacks, Visa recommends merchants use only secure shopping carts, preferably validated by Visa's Payment Application Best Practices. A list of compliant carts and other precautions, including purging cardholder data no longer needed and using only secure Web servers, are listed at www.visa.com/cisp. Visa reports it will be issuing security alerts as other "significant vulnerabilities" arise.
Visa Canada does not have an up to date list of certified providers, shopping carts and other certified software pertaining to online commerce on their site as of yet. You have to go to your vendor and ask for their PCI DSS (payment card industry data security standards) certificate if it isn't posted on their web-site as OURS is posted on the opening page of the webboard and all of our sites.
We wanted to make sure that our customers and consumers understood that our web hosting, payment hosting, and all of our e-solutions are PCI certified and have been audited annually for the last three years. We have always passed our audits without requiring any remediation other than passing on any new type of documentation of our very strict methodologies of creating secure applications, servers and network systems. Prior to the mandatory auditing procedures begun in 2003, we used best business practices and common sense to create secure applications and network systems to assure our customers of the highest level of security offered at that time.
We made a committment to our customers in 1994/95 to have security and privacy as our number one priority. We never compromise security for convenience or revenue so that we can assure our customers and the customers they serve are in the ultimate trusted secure environment.
We created a proprietary secure infrastructure from end to end including our own line of security products like VBV/Secure Code our IP guards, etc., to assure their would be no break in the secure pipeline of service offerings for our customers.
We are unique in the world in this offering as most providers have partnered with other software vendors to provide solutions to their customers. We wanted to control every aspect of security for our customers. To do so and maintain a trusted environment means all of the e-solutions we offer from web and payments hosting, payment applications, database solutions and the like are built, maintained and monitored by our expert staff. Our knowledge and expertise is unparalled in our industry as we have always built and harden our servers and network systems from scratch.
We patch in real- time, sometimes having to rebuild several times in a day to keep up with the vulnerabilites as they come out. You and your customers deserve nothing less than that committment.
To take it to the next level we founded our security company SPIguard Security Solutions Inc. in 2004 and together with its sister company Strategic Profits Inc., qualified as a PCI global security auditor so that we could also help our clients create and maintain PCI compliant secure environments for their organizations.
All Visa, MasterCard, Amex and other card associations require that all merchants globally become PCI compliant and be audited annually.
For our customers who host their sites, payment, applications et al with us...you can view our certificate on any of our sites thru the CN Wylie group of companies...www.cnwylie.com
For those of you using other vendors as well as our e-solutions you must ask those software providers and hosting companies to provide you with a PCI certificate if you cannot view it on their site. DO NOT listen to: "We are secure"...if they cannot produce a PCI certificate they are not considered secure and you could be at risk for compromise. Your reputation and the trust of your customer could be at serious risk.!
For far too long merchants and consumers have taken for granted that security was a given and maintained properly...this just isn't so. Creating a secure environment isn't just about buying a digital certificate...that means you just have SSL encryption...For far too long consumers have been under the misconception that seeing that digital certificate meant that the servers and systems of the company they were buying from online were secure...those certificates have been misleading for consumers. Of course those certificates are necessary but it does not guarantee that the site the customer is buying from is actually secure...but that is all changing with the manadatory PCI DSS compliance rules for all merchants world-wide.
To create a secure organizational environment takes a dedicated executive and IT team to maintain the minute by minute process, procedures, policies and methodologies required to keep the criminals out and away from your confidential data.
So for all of our customers who didn't know...you are in the safest of hands with our e-solutions. Keeping your data secure and private is our number one priority! If you want more information on PCI DSS visit www.visa.ca