For leaders at Heartland Payment Systems, the discovery of a hacking attack on thousands of its brick and mortar clients led to a period of soul-searching, followed by a commitment to re-engineer the security protocol for accepting credit card payments. However, the operators of typical e-commerce Web sites may not realize that their own operations could be vulnerable to similar attacks. Effective e-commerce Web site design should include credit card security that complies with industry best practices and federal regulations.

How Criminals Compromise E-Commerce Web Sites

Credit card fraud affects the Web site owners in a variety of surprising ways, not all of which immediately cause alarm or impact a business financially. Submitting stolen credit card numbers as payment for goods and services may be the most obvious form of fraud on an e-commerce Web site, but some more insidious methods include:

• Using a compromised Web site to "taste" credit card numbers for validity. Hackers often trade stolen customer data using large blocks of numbers. Criminals submit purchases for small amounts through e-commerce Web sites to ensure that their fraudulent numbers can later be used for larger amounts.
• Forcing a compromised payment processing system to submit credits back to a stolen credit card account. This process allows criminals to use a merchants funds to effectively "reload" a stolen card, so account holders notice no net difference in short term account balances.
• Hacking a system to divert legitimate customer payments to a fraudulent clearing account. Criminals can replace the payment data on a compromised e-commerce Web site with their own information. While the merchants system passed order information to fulfillment centers, hackers clear cash payments their forged account, robbing the merchant of revenue.

E-commerce Web site programs and merchant payment platform operators often place the blame on each other when asked about the growing tendency for sites to get hacked. Merchant gateway providers operate relatively open systems, designed to make it easy for customers to pay. Site designers rely on a series of common programming protocols to transmit customer information to payment gateways.

Making PCI Compliance Part of E-Commerce Web Site Design

Since 2004, five of the worlds largest credit card payment platform operators have collaborated on industry guidelines for secure transaction processing. Payment Card Industry Data Security Standards simplify the process of securing customer information from hackers and intruders. PCI standards dictate the minimum levels of security present in e-commerce Web site software, on server database archives, and even around a physical server location. Failure to comply with basic PCI standards can cost merchants the ability to process online transactions.

E-commerce Web site operators who fail to maintain PCI compliance on their servers may find themselves liable for penalties of up to $30 per card number compromised. Even with a cap of $500,000, no Web merchant can afford to skimp on server security. Leading e-commerce design professionals use their experience with PCI compliance and secure payment gateways to meet industry guidelines while minimizing the risk of a successful hack attack. The extra money it takes to find a skilled Web design team pales in comparison to the tens of thousands of dollars in potential liabilities from lax server security.

Sources

E-Commerce Guide

Philadelphia Inquirer