Information on Merchant Accounts,
Ecommerce and Credit Card Processing

April 6th, 2006 by Jamie Estep

SEO for Ecommerce Websites

Filed in: Ecommerce, Industry News |

I normally try to keep SEO separate from the realm of credit card processing, but this is a great article written by Bill Hartzer that details the importance of optimizing ecommerce websites. Ecommerce websites are often cookie-cutter osCommerce installations and other dynamic, shopping-cart based sites, and this article can greatly help those sites rank in the search engines. Even if you don’t run an osCommerce website, this article is a must-read for anyone involved in ecommerce.

Bill Hartzer manages the Search Engine Marketing division of MarketNet Inc http://www.marketnet.com. He is also a fellow moderator of mine at the webproworld forums http://www.webproworld.com/forum.php.

If you run an ecommerce site, then you know that it’s important to make sure that your products show up in the organic search results ahead of your competitors, especially if your competitor is selling the same products. Optimizing your ecommerce web site for the search engines can be tricky at times, so we’ll examine what’s really required in order for your products to rank better than your competitor’s products in the organic search results.

Full Article


April 5th, 2006 by Jamie Estep

Payment processor fears credit card crooks

Filed in: Fraud, Industry News |

Several Web hosting companies that use the Authorize.Net service to accept credit cards online saw a sudden spike in transactions over the weekend. The transactions, most for $500 and $700, were billed to Visa, MasterCard and American Express cards that belong to people across the U.S., representatives for three Web hosts told CNET News.com.

The Web hosting companies discovered the unusual charges through e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of three companies with which CNET News.com spoke, and more likely happened at other Web hosts, these three companies said.

On Sunday morning, in about an hour-and-a-half time period, fraudsters ran close to 1,500 transactions through the Authorize.Net account of Defender Technologies Group, a Web host in Ashburn, Va., said Tom Kiblin, the company’s CEO. “It was just under $1 million that got put through on our account,” he said. Kiblin says he has reported the matter to the U.S. Secret Service.

This sounds like a really bad credit card fraud case, but looking at the situation positively, the businesses caught the huge number of fraudulent charges before it became an even bigger problem. If these card numbers were all obtained from a single source, there should be little trouble finding where the data was lost: Visa and MasterCard run systems dedicated to tracking down the source of a compromise by finding the common point of purchase among the affected cards.

Full Article – http://news.zdnet.com/2100-1009_22-6057305.html


April 4th, 2006 by Jamie Estep

A Guide to Small Business Security, Free PDF Download…

Filed in: Ecommerce, Fraud, Guides, Merchant Accounts, My Favorite Posts |

The BBB has co-authored a guide to help small businesses stay secure and protect user privacy. This is an excellent guide for any small business. It was sponsored by Visa, IBM, Equifax, Verizon, The Wall Street Journal, eBay, and PayPal. We support and recommend these practices in every way.

Small Business Security

Please click on the link to view the PDF, or download the ZIP version to your computer.
Guide to Small Business Security PDF
Guide to Small Business Security ZIP Download


April 3rd, 2006 by Jamie Estep

CISP, SDP, PCI Compliance required for every business…

Filed in: Ecommerce, Fraud, Merchant Accounts, My Favorite Posts |

SDP / CISP / PCI is a standard that many businesses must adhere to in order to protect consumer data. CISP (Cardholder Information Security Program) is a Visa security standard designed to protect businesses of all sizes from fraud and loss of data. MasterCard has a similar program called SDP (Site Data Protection). CISP / PCI is designed to secure and protect sensitive data specifically relating to the payment card industry. CISP compliance extends beyond online businesses and applies to retail (brick-and-mortar) and MOTO (keyed entry) businesses in addition to ecommerce. CISP is outlined here rather than the SDP program because it is more restrictive and better organized.

PCI / CISP is designed to be implemented by any business that accepts or facilitates credit card transactions or handles sensitive credit card and user information. Businesses that do not store, process or transmit credit card information are not subject to CISP regulations.

Visa: Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit card-holder data. Additionally, these security requirements apply to all “system components” which is defined as any network component, server, or application included in, or connected to, the card-holder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

PCI / CISP Basic Requirements:

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of card-holder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to card-holder data.
  10. Track and monitor all access to network resources and card-holder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

If you read the full CISP manual, you will find that each requirement is broken into several sub-requirements. CISP attempts to leave no stone unturned and no margin for error.

How To Implement PCI / CISP:
Most of the CISP requirements are simple common sense. CISP is heavily geared toward websites and other Internet-facing systems, where the potential for a loss of sensitive data is greatest. Many of the technical issues are complex and the requirements are strict. I have helped to secure several web servers for CISP compliance, and to say that the requirements are strict is a gross understatement. Beyond the basic firewall and network infrastructure requirements, there are hundreds of software version, update and patch requirements that a web server must meet to be CISP compliant. A single missing update or patch, or a single unnecessary open port, will cause a server to fail a CISP compliance scan.

To start on the road to compliance, read the Visa PCI / CISP PDF linked at the bottom of this document; it lists every requirement. Once you have met them, engage a company that certifies businesses for CISP compliance. It will run a series of checks against your server and report the results. The checks amount to an external vulnerability scan of your web server, probing for any known, exploitable vulnerability; they also check the software on the server and its versions to confirm everything is current. You can also begin by running a scan yourself and fixing whatever is not up to standard.

A Warning: Make sure your web host knows that you are going to be running these tests, or they may mistake them for a real attack.

CISP non-compliance and loss of data penalties:
The fines for not complying with CISP are low until there is an actual loss of data. Visa and MasterCard can shut down or fine non-complying merchants, but because of the current lack of organization and the impossibility of monitoring every business, only larger companies are actively monitored today. It is a business’s own responsibility to take the steps to become CISP compliant. If a business is not CISP compliant and a loss of data occurs, Visa alone imposes a $500,000 fine for losing data and an additional $100,000 fine for not being CISP compliant: $600,000 for failing to become CISP compliant and losing data as a result, and this applies to any business that accepts credit or debit cards. A single credit card number that is lost and traced back to a business counts as a loss of data.

Apart from the monetary penalties, it never looks good when a business loses data. News agencies jump on these stories and instantly make a business look like a criminal organization. I’m sick of reading about them, and I’m sure you are as well, so protect your data.

Overview:
I personally don’t recommend storing credit card numbers in an online database at all. Not only is CISP compliance very difficult to achieve, it simply isn’t a safe practice. If card information is stored online, it must also be rendered unreadable (encrypted, truncated, or replaced by a keyed hash or token) so that if there is some sort of data loss, the data is useless to whoever took it. Even with CISP compliance it is still possible for someone to gain access to a server; no matter how secure a system is, there is almost always some way for it to be compromised. For retail businesses, employees are also one of the largest sources of data loss, so card information should be accessible only to the select people who need it.
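
One way to keep a card on file without keeping the card number, as an added example in Python that is not code from the original post or from Visa’s CISP program: the full PAN is replaced by a truncated display form (first six and last four digits) and by a keyed hash (HMAC-SHA256) that serves as the lookup token. The vault class, the key handling and the card records are assumptions made for the illustration; the key must live outside the database (application configuration or an HSM), because an unkeyed hash of a PAN can be reversed by enumerating the small number of Luhn-valid numbers behind a known BIN.

```python
"""Keep a card on file without storing the PAN (PCI requirement 3).

Added example: the vault stores only a truncated PAN for display and a keyed
hash of the PAN as the lookup token. The key is supplied by the caller and
must never be stored beside the records.
"""
import hashlib
import hmac


def pan_digits(pan):
    """Strip spaces and dashes, then check the length a PAN can have."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN has 13 to 19 digits")
    return digits


def truncate_pan(pan):
    """First six and last four digits, the most PCI allows to be displayed."""
    digits = pan_digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan, key):
    """HMAC-SHA256 of the PAN; without the key it cannot be reversed by
    enumerating the Luhn-valid numbers behind a known BIN."""
    return hmac.new(key, pan_digits(pan).encode("ascii"), hashlib.sha256).hexdigest()


class CardVault:
    """In-memory stand-in for the merchant database (assumed for the example)."""

    def __init__(self, key):
        self.key = key          # held by the application, not in the database
        self.records = {}       # token -> record, never containing a full PAN

    def store(self, pan, expiry, holder):
        token = pan_token(pan, self.key)
        self.records[token] = {
            "masked": truncate_pan(pan),
            "expiry": expiry,
            "holder": holder,
        }
        return token

    def find(self, pan):
        """Look a card up by its number without having the number on disk."""
        return self.records.get(pan_token(pan, self.key))

    def contains_pan(self, pan):
        """Audit helper: would a dump of the records reveal this PAN?"""
        digits = pan_digits(pan)
        return any(digits in str(record) for record in self.records.values())


if __name__ == "__main__":
    # Constructed key and a well-known test card number, not real data.
    vault = CardVault(key=b"demo-key-from-config-not-from-db")
    vault.store("4111 1111 1111 1111", "12/09", "J. Doe")
    print(vault.find("4111111111111111"))
    print("PAN visible in records:", vault.contains_pan("4111111111111111"))
```

The same scheme is useless for the CVV2, the PIN or full track data: under the PCI rules those may never be stored after authorization, encrypted or not, so the only safe version of them is none at all.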

PCI / CISP Resources:
Visa CISP / PCI Compliance PDF
ScanAlert – PCI CISP Certification

Related Articles:
Credit Card Truncation


March 31st, 2006 by Jamie Estep

CardSystems Security Breach Settlement

Filed in: Industry News |

CardSystems gained notoriety last year when it suffered the largest loss of financial and credit card data in history. As many as 40 million credit card numbers were compromised after CardSystems’ database was hacked. The database was apparently unencrypted, resulting in a potential total loss of customer information.

CardSystems was acquired by Pay By Touch shortly after the incident and CardSystems’ subsequent breakup. Pay By Touch must now implement a third-party managed information security program for the next 20 years.


March 28th, 2006 by Jamie Estep

Gone Phishing – Protecting yourself and identifying phishing attempts.

Filed in: Fraud | 5 comments

PayPal and other financial institution phishing is a major concern for many individuals and businesses. I personally get several hundred phishing emails per day, and a huge percentage of them are eBay and PayPal phishing attempts.

Phishing is a type of fraud in which an email is sent to a person by a sender posing as a major institution, trying to get the recipient to log into “their” website. What the recipient sees when they click on the link is a duplicate of the real website, made by the person who sent the email. The duplicate website will have a form for the user to fill in, normally a login box. Once the user enters their information and presses submit, the information is sent to the person who sent the email. The phisher has just obtained the login details of the person who was phished, and now has full access to whatever website that username and password belong to. They can empty your bank account, make fake eBay purchases, or do anything else the website allows, and they are doing it as you…

Phishing is normally easy to spot, but recently I have been receiving better planned and implemented phishing websites and emails.

The surefire guide to not getting phished.
First off, you need to know two things. First, reporting phishing attempts does absolutely nothing, so don’t waste your time. Phishing attempts and the websites that go with them are almost always hijacked, so reporting them will not lead the authorities or anyone else to the responsible party. Second, there is nothing you can do to stop receiving phishing emails, so don’t concern yourself with that either.

1. Don’t Click
The most important thing to do, to not get phished, is to never click on a link in an email that asks, requests, begs, prays, or does anything else in an attempt to get you to log in to or even access a website. If you need to access the website, open a new browser window, type the website address into the new window, and log in to the website from there. Whether you think the email is a phishing attempt or not, this is just plain common sense to protect yourself. If you never click on a link to a phishing website, you will never be a victim of phishing fraud.

2. Delete any identified phishing emails
Identifying phishing emails can be difficult, but a few simple flags will tell a phishing email from a real email almost every time. One thing you should have is a desktop email program. Online email like Yahoo or Hotmail is terrible at helping a user identify a phishing email. If you need online email, I recommend Gmail, which also allows POP3 access from your home computer; use Microsoft Outlook or Outlook Express to view your Gmail messages, since they let you see the extra header information sent with each email. Whether you use an online program or Outlook, several flags will make phishing emails stand out.

  1. Email sender is not who the message is from.
    • The email sender in the header or in the From box is different from who the message appears to be from. This would be like getting an email from Chase bank where the FROM: field, the Reply-To: field or the header itself shows the message is from someone9876@earthlink.com.
  2. The link that the page wants you to click on is a large, fake, or obscure address.
    • A phishing email will always try to get you to visit the fake website to enter your information. When you place your mouse over the link, look at the URL that appears. Another way to view the link in a web-based email is to right-click on the link and select ‘copy target’ or ‘copy link location’, then paste the link into your web browser’s address bar and look at it. If the email is real, the link will go directly to the organization’s own domain. If the email is fake, it will normally be a long, obscure website address.
    • Good Link: http://www.paypal.com/us/
    • Bad Link: http://mabarrackfurniture.com.au/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run
  3. The email ends up in your spam box.
    • As simple as it seems, emails that get hit by spam filters are filtered for a reason. While recently I have been seeing phishing emails routinely make it through the strictest spam filters, the majority of phishing emails will get caught by web-based and Outlook spam filters. If it went into your spam folder, it did so for a reason, so be extra careful with that email.

3. Use a different email address if you run websites
This is targeted at webmasters and others who manage websites. If your websites carry customer service email addresses, never use those addresses for PayPal, eBay, your bank, or any other personal, financial, or access-related purpose. Keep the addresses on your websites completely independent of the ones you use for PayPal, eBay, etc. The reason is that spammers build huge lists by scraping websites for email addresses, and they send phishing emails to the addresses they collect. If a phishing email arrives at one of the addresses your websites use, you instantly know it is fake.

4. If you click on a link, make sure you are where you should be
If you do click on a link in your email, make sure that the link sends you to the actual organization’s website and not a fake. Look at the address bar. Does it look right?
[Screenshot: a page that looks exactly like the PayPal login page, with an address that is not paypal.com in the browser’s address bar]
Notice how the address in the address bar is not PayPal, even though the page looks just like the login page. This is a phishing page. Never enter your information if the address in the bar is different from the organization you are trying to visit.
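
The checks in items 2 and 4 above (and the sender flag in item 1), as an added Python example that is not code from the original post: parse an email, compare the From: and Reply-To: domains with the organization’s real domain, and test the host of every link in the body against it. The sample messages and the domains in them are constructed for the example; the organization’s genuine domain is passed in by the caller. The host comparison uses the parsed hostname, so a brand name placed in the path or in front of an @ sign does not fool it.

```python
"""Flag the phishing indicators from the list above on a raw email.

Added example. Sample messages and their domains are constructed; the
organisation's genuine domain is supplied by the caller.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

LINK_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def addr_domain(header_value):
    """Domain part of the address in a From: or Reply-To: header."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def extract_links(msg):
    """Every http(s) URL in every text part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        links.extend(LINK_RE.findall(body))
    return links


def phishing_flags(raw_message, expected_domain):
    """Indicators found; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message)
    flags = []
    if not belongs_to(addr_domain(msg["From"]), expected_domain):
        flags.append("from-domain-mismatch")
    if msg["Reply-To"] and not belongs_to(addr_domain(msg["Reply-To"]), expected_domain):
        flags.append("reply-to-domain-mismatch")
    for url in extract_links(msg):
        # urlsplit().hostname ignores userinfo and the path, so neither
        # http://www.paypal.com@evil.example/ nor /www.paypal.com/ in a path
        # counts as the real site.
        if not belongs_to(urlsplit(url).hostname, expected_domain):
            flags.append("link-host-mismatch:" + url)
    return flags


# Constructed messages modelled on the flags described in the post.
PHISH = """From: "PayPal" <someone9876@mail.example>
Reply-To: someone9876@mail.example
To: you@example.org
Subject: Please verify your account
Content-Type: text/plain; charset=utf-8

Your account has been limited. Restore access here:
http://furniture.example/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run
or at http://www.paypal.com@evil.example/cgi-bin/webscr
"""

LEGIT = """From: PayPal <service@paypal.com>
To: you@example.org
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

View your receipt at http://www.paypal.com/us/
"""

if __name__ == "__main__":
    print("phish:", phishing_flags(PHISH, "paypal.com"))
    print("legit:", phishing_flags(LEGIT, "paypal.com"))
```

A clean result only means these particular flags did not fire; a phisher who controls a look-alike domain or a compromised mailbox at the real domain will pass the sender check, which is why the advice in item 1 (never log in from a link in an email) still comes first.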

A good phishing example:
This example is one of the best phishing emails I have ever seen. It instantly made me want to click on the link. It passed every spam filter I have and if I did not know exactly what to look for in a phishing email, I could have been a victim of it.

(more…)


March 24th, 2006 by Jamie Estep

MSN Money – 22 ways to foil credit card thieves…

Filed in: Industry News |

You probably won’t end up paying the bill, but a stolen credit card can still cost you big in time and aggravation. Here’s how to protect yourself online and off.

In some ways, credit card fraud isn’t the problem it’s often made out to be.

Visa says fraud accounts for about 7 cents of every $100 spent on its credit cards, an all-time low and about half the rate of 10 years ago. Add to that the fact that the major credit card companies have “zero liability” policies, which means the vast majority of consumers who are victims don’t wind up paying a dime out of their own pockets.

This is a great article, targeted at consumers, about how to protect themselves from credit card fraud and how credit card fraud affects them.

http://moneycentral.msn.com/content/Banking/creditcardsmarts/P87328.asp


March 21st, 2006 by Jamie Estep

AbyV.org – Conversion Rate, Usability, and Marketing Blog

Filed in: Industry News |

I just started a new blog today, after making yesterday’s post. The blog is going to be geared toward web usability, increasing customer conversion online and offline, and anything else related to making a business sell better.

Hopefully it can become a great resource for business owners.

AbyV.org – Conversion Marketing Blog


March 20th, 2006 by Jamie Estep

Online Stores – Shopping Cart Abandonment – Don’t do this…

Filed in: Ecommerce, Guides |

I was online today purchasing some network hardware for the company, and after visiting about 20 different sites, all with similar prices, it was only one site that ended up getting my business.

It made me wonder why, of all the websites I visited and all the shopping carts I added products to, I chose the one that I did. I then remembered reading a shopping cart abandonment article a few weeks ago, and I put my experience and the article together. I normally don’t write about this specific topic even though it is one of my strongest areas, but so many sites are making the same simple mistakes.

Why I abandoned so many shopping carts:

  1. Required Customer Registration.
  2. Not listing accepted payment methods.
  3. Not listing shipping prices early enough.

You can read articles all you want about shopping cart abandonment and user conversion, and while there are probably hundreds of reasons why a customer might abandon a shopping cart, there are three above all others that will kill your customer base. These three are coincidentally the same three that caused me to leave so many websites.

1. Required Registration: The number one shopping cart killer in my research and personal opinion is requiring customers to register before they can place an order. Customer registration can be a very useful tool, and can greatly improve future experience with customer support and tracking, but don’t require it. Not everyone wants to register with your website. If every website I place an order with required me to register, I would have several hundred memberships each year across the internet. If you require registration, you just lose me, as well as a huge amount of other potential customers from ever ordering from your site.

Offer registration as an option, and give users the specific benefits of registering, but also allow an easy way to place an order without doing it.

2. Not showing what methods of payment you accept: While not quite as annoying, this one comes in a close second to required registration. When I get to an ecommerce site, especially one with lots of products that can be found at several thousand similar websites across the internet, I need to know how I can pay. I should know long before I think about checking out how I am able to pay for the merchandise I want. What if I want to use the company Amex card, or I need to use PayPal today? Let me know how I can pay. If I can’t find it by the shopping cart page at the very latest, you can probably consider my business lost. I shouldn’t have to search for this; it should be in a very conspicuous place on every single page of the website. The footer and sidebar make excellent places to show a website’s accepted payment methods.

To compound the problem, if you only show your accepted payment methods after a visitor is forced to register, you can probably assume that you are losing 50% or more of the people who would otherwise have made a purchase from you.

3. Not showing shipping prices early on: Shipping prices allow a bit more leniency, because you can’t normally give a shipping price until a visitor’s order is totalled up, but show the shipping prices as soon as they can possibly be generated. Don’t wait until the payment form. Show them on the shopping cart page if possible. Or, if you have fixed shipping prices, give customers an idea of how much their order will cost to ship.

It doesn’t get any more frustrating than going through a checkout process, to later find that my bicycle handlebar grips which cost $10 are going to cost $35 to ship FedEx ground.

You are not amazon.com:
Unless you sell something that is absolutely unique that everyone wants, or your prices are so low that your visitors are willing to jump through hoops to buy from you, don’t do any of these on your website. Make it as convenient and easy as possible for your visitors to make a purchase from you, and your visitors will reward you for it. Use common sense when designing a website and shopping cart. If something doesn’t have a useful purpose or is confusing, get rid of it. There are hundreds if not thousands of things that can help or hurt a website’s customer conversion rate, but these three will make a marked difference in almost every website’s efficiency.


March 17th, 2006 by Jamie Estep

Visa Warns of Cash-Register Flaw – Consumer Data Privacy Concerns

Filed in: Industry News |

Visa has issued a warning to consumers and businesses about POS software flaws that can jeopardize credit and debit cardholders’ security. These POS systems are used by many of America’s largest retail chains.

Visa USA Inc. is warning that two versions of popular software installed at cash registers could be used to steal information from credit and debit cards.

The software, which is used by retailers to help ring up transactions, can be used — sometimes inadvertently — in a way that allows the cash register to store customer data, such as personal-identification numbers used in debit-card transactions. Under card-industry guidelines, retailers aren’t supposed to store that information because it can fall into criminal hands if a computer system is hacked or an unauthorized person gains access to it…

The software company, Fujitsu Transaction Solutions Inc., denies that its software is being used to steal customer data. Visa has not specified whether the data is being recorded as a result of a glitch or of malicious intent.

These reports come several weeks after reports that large amounts of debit card fraud had been traced to OfficeMax stores around the US.
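
A check a merchant or its host can run for the problem the warning describes, as an added Python example that is not code from the original post, from Visa, or from the POS vendor: scan POS logs and storage for full card numbers and magnetic-stripe track-2 data that should not be there after authorization. The log lines are constructed for the example; the patterns and the Luhn filter are general, so the same scanner applies to any file a web application or shopping cart writes.

```python
"""Cardholder-data discovery: find PANs and track-2 data in POS logs.

Added example. The log lines are constructed; the patterns are general.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from the magnetic stripe: ;PAN=YYMM...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")


def luhn_ok(digits):
    """Luhn check-digit test; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Report findings in truncated form so the report itself holds no PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line):
    """Return (kind, masked PAN) for every card number found in one line."""
    findings = []
    track_spans = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask(m.group(1))))
            track_spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in track_spans):
            continue                      # already reported as track data
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings


def scan_lines(lines):
    """(line number, finding) for every finding across a whole file."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample of what a misconfigured POS might write to its log.
SAMPLE_LOG = [
    "2006-03-17 10:02:11 AUTH ok txn=88213 pan=411111******1111 amt=19.99",
    "2006-03-17 10:02:15 DEBUG raw swipe ;4111111111111111=0912101? pin_block=7A3F",
    "2006-03-17 10:03:40 DEBUG request card=5555 5555 5555 4444 exp=1209",
    "2006-03-17 10:05:00 INFO store id 1234567890123 callback scheduled",
]

if __name__ == "__main__":
    for lineno, (kind, masked) in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {masked}")
```

Line 1 is what a log should look like and produces nothing; line 2 is a full swipe written by a debug setting and is reported once as track data; line 3 is a PAN typed with spaces; line 4 is a 13-digit store identifier that the Luhn test throws out. Any hit in a file that survives authorization is exactly the storage the card-industry guidelines forbid, whether it got there through a glitch or on purpose.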

This story can be found at the Wall Street Journal Online: http://online.wsj.com/ but is available by subscription only.