Security Risks With Credit Cards in B2B eCommerce

Taking credit card payments on your eCommerce site allows you to streamline your order taking process, but is also opens you up to security risks. In order to protect consumers, there are a lot of rules and regulations around handling credit card information online, and they can change frequently. The primary concerns are around transmitting as well as storing credit card information. It can also become an issue when you are upgrading or working on your website. Here’s what you need to know.

PCI Comliant Hosting

I can’t tell you how many companies I have worked with that think they are handling credit card data securely when, in fact, they are not.  

I have met people who were certain they were not storing any credit card data only to find out that their site was, unbeknownst to them.  

Countless people have told me they were PCI compliant (and believed they were) when, in fact, they had not met the requirements for PCI compliant hosting.

Taking credit card payments on your eCommerce site allows you to streamline your order taking process, but is also opens you up to security risks.

Having your customers’ credit card information stolen is not something any company wants to deal with. It jeopardizes your reputation and the trust of your customers.  Several years ago, I walked out to the parking garage in downtown Milwaukee after a long day at work.  I found the window broken in our minivan and our GPS gone.  I was shocked.  I felt violated and vulnerable. Had they taken other things?  Was I safe?  Should I not park in this garage anymore? You don’t want your customer experiencing feelings like that associated with your website!  In the case of eCommerce, customers are expecting you to protect their data and you have a responsibility to care for that data well.

In order to protect consumers, there are a lot of rules and regulations around handling credit card information online, and they can change frequently. The primary concerns are around transmitting as well as storing credit card information. It can also become an issue when you are upgrading or working on your website. Here’s what you need to know.

Transmitting Credit Card information

Credit card information needs to travel from your customer’s computer to your web server to the payment gateway and back, without any other party gaining access to it.  I have seen a lot of poor business practices when it comes to securely transmitting credit card information.  Here are just a few:

  • Sending full credit card information via email.
    I have seen other development companies who are not familiar with how to take credit cards using a web-based form that emails the results to the inside sales team to process manually. This is really bad. Email is not a secure medium. The only credit card data that can be in an email is the last 4 digits of a credit card number.
  • TLS 1.0 encryption not being disabled.
    The latest PCI compliance standards require any site that accepts credit card payments to use TLS 1.2 after June 30th, 2016. To do this, you should be enabling TLS 1.2 and disabling TLS 1.0. Many companies think that doing this just means a change to their SSL certificate, but that is wrong. To learn more about what TLS is and the changes you need to make to support it – check out our eBook here.

Storing Credit Card Numbers 

Storing credit card numbers presents a security risk for your customers and puts your company at greater liability.

Here are a few of the reasons that companies want to store credit card numbers:
  • They don’t know how much the shipping will cost when a customer checks out. They need to add the shipping cost after the order.  They store the credit card number so they can charge the card for the full amount after the order is placed.
  • They want to use it to easily process future orders for customers.
  • Customers make changes and edits to the order via follow up calls or emails and they don’t want to require them to enter the payment information again.

Despite the fact that these scenarios may seem reasonable, the truth is that if you store credit card data on your system, you put your customer’s data at risk of theft, you increase your requirements and cost for PCI compliance, and you increase your liability.

While it is possible to be PCI compliant and store credit card data on your system, there are very specific rules on how it must be done and I always advise against it.  There is a better way.  Use a third-party processor, like Braintree’s Vault or Authorize.Net’s CIM, to store the credit card numbers in their PCI compliant system.  Use a token to access the data while avoiding the risk associated with storing it in your own system.  

Handling Credit Card Data during Development

When working on your eCommerce Site, developers must be aware of and have a process for handling credit card data without creating a vulnerability.  Even if you don’t store credit card data on your site, there may be temporary records that store encrypted credit card data while a transaction is in process.  When a developer is setting up your site locally in their environment, they should be sure to clear out any records that might contain customer payment data, so as to ensure your customers’ privacy.  Ask your developer how they handle this.  

Identifying Your Security Risks

Is your site handling credit card information in a way that meets the requirements? If not, your company could be at risk for lost trust, lost business and numerous financial liabilities.

We conduct website reviews that include a full screening of your payment process and credit card handling.

We look at:

  • Your customer information database
    We confirm what information is actually being stored and make sure you aren’t storing anything you shouldn’t be.
  • Your hosting configuration
    We make sure your web server and database server are setup on separate machines.
  • Encryption
    We check that you are using TLS 1.2 and that you have TLS 1 disabled.
  • Customizations
    We review your customizations for their security implications and make recommendations for how your site could be making you more money.

If you are interested in having us review your eCommerce Site and determine your level of security, request our Store Analysis Report here.

Lori McDonald

President & CEO

About

Lori McDonald

Lori graduated from Purdue University with a Bachelor’s degree in Computer-Electrical Engineering and leads Brilliance Business Solutions with over 20 years of computer engineering and software development experience.  She is an Episerver EMVP, a Microsoft Certified Professional and a regular contributor on Practical eCommerce. Her status as a recognized industry expert has resulted in regular speaking engagements at business conferences.

Related Articles