

Don't Be Insecure. Be Afraid.

One of the most important requirements of e-commerce is security. Unfortunately, there's no magic bullet that will make you secure, nor is there a way to fully outsource your security (though you can radically reduce your burden by using a hosted e-commerce platform like FoxyCart). This chapter exists to inform you about potential threats, common insecure practices, and best practices.

Security is for EVERYBODY

One of the common complaints we hear from people getting started with e-commerce is:

I couldn't care less about this technical stuff. Security isn't my job! That's what I'm paying you for!

If only it were so easy. The simple fact is that anybody with access to, or even knowledge of, an e-commerce website can potentially put the security of the entire system at risk. For example, many people use the same password for their email, their website administration, and random sites they visit. If any one of those sites is compromised, a malicious user could potentially reroute all your hard-earned sales to their own bank account. So even though we at FoxyCart take our security very, very seriously, you could still create problems if you aren't familiar with basic security concerns.

Companies both giant and teensy get attacked every day. If you have a website available to the public, we'd bet dollars to donuts that it's getting attacked by bots on a daily basis. An ounce of prevention is worth a pound of cure, and a security breach averages between $150-$200+ per stolen customer record 1) 2) (though various state and federal fines can easily double or triple that figure, depending on the residencies of the impacted customers and the nexuses of the breached company).

So, yes, we're paranoid. But that doesn't mean they're not out to get us all.

PCI DSS: What It Is and What It Means To You

What Is the PCI DSS?

If you've been looking at e-commerce or gateway solutions for more than a few minutes, odds are that you've seen references to PCI DSS. While we can't give you specific advice relating to your own compliance requirements, we can help you understand some of the more important pieces of PCI DSS compliance.

First, it's important to know that the Payment Card Industry Security Standards Council (PCI SSC) is made up of the major card payment brands like Visa, MasterCard, American Express, and a few others.3) They put together the Data Security Standard (DSS), giving us PCI DSS. There are a few different levels of PCI compliance, and determining your level can sometimes be tricky. Working out which level applies to you is further complicated by the considerable amount of FUD and outright misinformation used to try to make a sale, sometimes for a product or service that you may not need as a merchant.

What Are the Requirements for PCI DSS?

The two “deliverable” requirements of PCI DSS are:

  1. The Self-Assessment Questionnaire (SAQ), ranging from SAQ A through SAQ D. The SAQ A is very short, while the SAQ D has over 200 questions and requirements.
  2. The Security Scan from an Approved Scanning Vendor (ASV).

You may be told by your merchant account provider or gateway that you are required to purchase a security scan through them in order to be PCI compliant, or that paying for a service will make you compliant. That is dangerously misleading information: simply paying for a service will not make you PCI compliant, as compliance can involve things like security training, paper shredding, and business policies and procedures that simply cannot be addressed by paying a third party a monthly fee. So while the SAQ and the scan from an ASV are the pieces that are required to show compliance, they aren't simply things you pay for and magically become compliant.

What Are Your Compliance Requirements?

Though we cannot tell you with certainty what your compliance requirements may be, we can offer a set of guidelines that may help you discern when you do actually need to pay for a service to become compliant (and conversely, when you're being sold misinformation or FUD). This is not an exhaustive list of scenarios, and more information is available at the PCI DSS site if you need clarification.

If you're being told by your merchant account provider or gateway that you need to pay a fee to become compliant, be sure to understand the actual requirements. In many cases you may not need a scan at all, and your SAQ requirements may be quickly and easily completed without paying any additional fees.

SAQ Required Scan Required How you collect payments
None No
  • Payments are only handled on a 3rd party system such as through PayPal Express Checkout through FoxyCart or Google Checkout. (These types of payment methods are fundamentally different than a “real” gateway in that the funds are transferred first to the 3rd party (ie. PayPal), then transferred to you. PCI DSS generally only applies to merchants with a Merchant ID, receiving payments directly.)
SAQ A No
  • Payments are handled through your store's FoxyCart checkout using a “real” gateway (ie. a gateway that doesn't redirect the customer to their own hosted payment page).
  • Payment card details are never handled on the phone or using FoxyCart's Unified Order Entry or with any other virtual terminal.
  • No cardholder data storage, ever. (ie. You never store card numbers, anywhere, ever, at all.)
  • No fees should be charged by your merchant account provider if you fall under PCI SAQ A (unless breach insurance is required, which is discussed below).
SAQ B No
  • Payments are handled through standalone terminals or are swiped using a machine.
  • No cardholder data storage, ever. (ie. You never store card numbers, anywhere, ever, at all.)
  • No fees should be charged by your merchant account provider if you fall under PCI SAQ B (unless breach insurance is required, which is discussed below).
SAQ C Yes…
  • The SAQ C isn't really intended to be used for e-commerce, but rather for individual retail stores.
  • Payments are entered with a payment system connected to the internet. Systems used to access the virtual terminal may need to be scanned by an ASV.
  • No cardholder data storage, ever. (ie. You never store card numbers, anywhere, ever, at all.)

| SAQ C-VT | No… |

  • This is new as of PCI DSS 2.0, but it explicitly states “e-commerce merchants will never qualify for this version of the SAQ”, so we won't cover it here. If you're interested though…
  • Payments are entered into a web browser-based virtual terminal, “via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems)”.

|

SAQ D Yes, on applicable systems
1) “Data breach costs top $200 per customer record”, NetworkWorld.com
2) Data Loss Calculator, Tech-404.com
