My Merchant Account Blog

The Security of Your Customers

Wednesday, March 19, 2008

So I know in the past, we have always talked about credit card security, PCI Compliance, etc.  But I would also like to remind you about your customer's usernames and passwords.  How are these being stored?  A lot of shopping carts will store this information in plain text.  If the passwords are being stored in plain text and you have a server compromised, your users' information might be readily available for the hackers. 

Most shopping will store the information in a database like Microsoft Access, mysql, or MSSQL.  You should be able to view the databases somehow, either though phpMyAdmin, Microsoft Access, or Microsoft SQL Server 2000 Desktop Engine (something similar).  How you access this information is usually established when you choose a web hosting provider.  Some will allow you to access the information also via an Open Database Connectivity (ODBC).

When you are viewing these tables and records, look for the table that stores your user's information, especially the password table.  Are the passwords encrypted?  If not, you should consider getting another shopping cart or contact the vendor for assistance to enable secure passwords.

A lot of consumers use the same password for everything.  While this is a great risk to them, it is the quickest way for consumers to get to their information.   This is the reason you want to protect them as much as possible.

Your Shopping Cart Password

First and foremost, your administrator password should be changed immediately when you start to add your items.  Don't wait until you are going live - you have too much on you mind by then.  Your password should contain letters, numbers and maybe a couple of extra characters like %, !, *, {, etc.  The harder it is for you to remember, the better. 

Did you know that by changing your password from the vendor-supplied password, you have already met one of the requirements for PCI DSS?

Password Strength and Security

When new customers are signing up, your website should ask them for a unique password.  And explain to them why your company is asking for this information.  Password checker is also a great website to have them check their password strength. 

And when asking users to create an account, their session should be in a secure.  This will help to protect them when they are entering their username and password.  Even if you use a third party processor or have one of the electronic payment gateway's web page handle the transaction, if you are asking for a password, the page should be secure.

Comments

Name
URL
Email	Email address is not published
Access Code
Please enter the access code
Remember Me
Comments