With the rise in identity theft and attacks on corporate websites, website security has become one of the hottest internet-related topics for consumers and businesses alike. Despite the validity of the topic, however, as with anything in huge demand, a new breed of scams aimed at business owners has sprung up, marketed with tactics analogous to a mafia shakedown for “protection.”
While many online merchants are familiar with Payment Card Industry (PCI) scanning, the quarterly external vulnerability scan that the PCI Data Security Standard requires of e-commerce merchants, “trust seals” have recently sprouted as a more attractive-looking alternative. By promising higher conversions while providing a false sense of security, these services have taken in many business owners.
Although PCI scans are required quarterly for virtually any merchant accepting credit cards online, trust seals have gained appeal because they give the illusion of ongoing security audits at a fraction of the cost of a security firm retainer. Many services also include an icon boasting that the site is “hacker proof,” which in theory increases shopper confidence. While PCI scan packages start at a couple hundred dollars and go up to over a thousand, trust seal vendors push plans from as little as $4/month to $50/month.
Although such alternatives might sound attractive, in reality it is a case of “buyer beware”: most of them are snake oil that does not conform to industry standards. Many are poorly coded programs which, aside from providing a false sense of security, can get your website blacklisted by your web host or even lead to security breaches.
For insight into reputable scanner products offered by professional “white hat” hackers (industry jargon for the good guys), I interviewed Bill Pennington, chief strategy officer at WhiteHat Security, about how legitimate scanners check for vulnerabilities.
Before continuing, a quick note is in order: there is no such thing as a fully secure website, and an expert who promises invincibility against hackers should be a red flag that sends you the other way. Additionally, depending on where you host your website, your host might already handle PCI scanning on your behalf, meaning you don’t have to pay an additional fee for scanning unless you have a significant reason to justify the investment.
Before picking a security vendor, especially as a small business, it is best to contact your web host and ask whether their servers are PCI compliant and whether the required scans are covered. For the most part, unless you are running your own hardware, the host will say they handle PCI compliance on your behalf. Bear in mind that the host’s compliance covers the infrastructure they run; your own application code and configuration remain your responsibility. Additionally, if you run a dedicated server or colocate (meaning you fully control the hardware), you might be able to get scanning at a discounted rate.
Going back to WhiteHat Security, sometimes it pays to have additional audits done to ensure the integrity of your website. Although PCI scanning covers a significant part of website security for the average merchant, scans typically occur quarterly rather than continuously, and they are limited to a fairly generic overview of the “average” way businesses sell items online. If you have a heavily customized system, a high volume site, or your company is a target of opposing groups, retaining a security provider might be worth the investment.
In my interview with Pennington, I asked how an automated scanner stacks up against their service. As a very simple analogy, automated scanners crawl sites much as Google and other search engines do. When they hit a password-protected page or a form requiring human intervention (a checkout process, registration, etc.), the scanners are immediately thrown off. Additionally, many automated scanners are “dumb”: some tests can flood your company email accounts and databases with thousands of dummy records, and in some cases your web host might shut your site down because the tests trip a false hacker alert.
In contrast, Pennington explained that most white hat security firms have expert teams who handle the majority of the auditing, and for the automated portions they monitor the number of errors, so if a section of the site starts failing under a test, rather than constantly hammering it, they choke off that specific test.
Additionally, while automated scanners can bring down websites by hogging resources, WhiteHat and most other reputable firms employ intelligent automation designed to be friendly to live websites, so that business can continue while testing occurs. For online stores, experts check the forms by hand, since it currently is not practical for computers to fully exercise an entire checkout process.
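To make the difference between a “dumb” scanner and error-aware automation concrete, here is an added illustration (not WhiteHat Security’s code, and not anything from the original article) of the two behaviours described above: a per-section circuit breaker that stops probing a section once it starts returning server errors, and a rule that never auto-submits state-changing forms such as checkout or registration, queueing them for manual testing instead. The target site, the paths, the error threshold and the `CircuitBreaker` class are all constructed assumptions for the example; nothing touches the network.

```python
"""Error-aware scan throttling, modelled on the interview's description.

Added example, not WhiteHat Security's code. The "site" below is an in-process
simulation with constructed responses; paths and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


def fake_site(method, path, payload):
    """Constructed target: return an HTTP status for a simulated request.

    /account/*  : login wall, the automated scanner cannot get past it
    /checkout/* : fragile section that errors on every probe (hypothetical)
    everything else answers 200
    """
    if path.startswith("/account/"):
        return 401
    if path.startswith("/checkout/"):
        return 500
    return 200


# Forms whose submission would create real orders, accounts or emails.
# Assumed prefixes for the example; a real scanner would derive this from
# crawling the site and recognising the forms.
STATE_CHANGING_PREFIXES = ("/checkout/", "/register", "/contact")


@dataclass
class CircuitBreaker:
    """Trips a section after `threshold` consecutive 5xx responses."""
    threshold: int = 3
    consecutive_errors: int = 0
    tripped: bool = False

    def record(self, status):
        if status >= 500:
            self.consecutive_errors += 1
            if self.consecutive_errors >= self.threshold:
                self.tripped = True
        else:
            self.consecutive_errors = 0


def section_of(path):
    """Group URLs by first path component: '/checkout/cart' -> 'checkout'."""
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else "root"


def run_scan(targets, send=fake_site, threshold=3):
    """Run probes with a per-section breaker; return a summary dict.

    targets: iterable of (method, path, payload) tuples.
    - POSTs to state-changing forms are never fired automatically; they go
      to the 'manual' queue so the scan does not create dummy records.
    - Once a section's breaker trips, remaining probes to it are deferred
      instead of hammering a page that is already failing.
    """
    breakers = defaultdict(lambda: CircuitBreaker(threshold))
    summary = {"sent": 0, "manual": [], "deferred": [],
               "auth_required": [], "server_errors": []}
    for method, path, payload in targets:
        if method == "POST" and path.startswith(STATE_CHANGING_PREFIXES):
            summary["manual"].append((method, path))
            continue
        section = section_of(path)
        if breakers[section].tripped:
            summary["deferred"].append((method, path, payload))
            continue
        status = send(method, path, payload)
        summary["sent"] += 1
        breakers[section].record(status)
        if status == 401:
            summary["auth_required"].append(path)
        elif status >= 500:
            summary["server_errors"].append((path, payload, status))
    summary["tripped_sections"] = sorted(
        s for s, b in breakers.items() if b.tripped)
    return summary


# Constructed probe list: a handful of injection-style payloads per page.
SAMPLE_TARGETS = [
    ("GET", "/products/1", "id=1'"),
    ("GET", "/products/1", "id=1 OR 1=1"),
    ("GET", "/checkout/cart", "qty=-1"),
    ("GET", "/checkout/cart", "qty='"),
    ("GET", "/checkout/cart", "qty=<script>"),
    ("GET", "/checkout/cart", "qty=%00"),
    ("GET", "/checkout/cart", "coupon='"),
    ("POST", "/checkout/pay", "card=4111111111111111"),
    ("POST", "/register", "email=test@example.com"),
    ("GET", "/account/orders", "page=1"),
]

if __name__ == "__main__":
    report = run_scan(SAMPLE_TARGETS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the default threshold of 3, the five `/checkout/cart` probes become three requests and two deferrals, the two POSTs are handed to a human, and the login-walled page is reported rather than retried. Lowering the threshold to 1 cuts the checkout traffic to a single request; the point is that the decision is made per section and per error pattern, not by blindly running every payload against every page.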
In general, the majority of reputable web hosts will already handle much of the security for you. The key points to keep in mind when shopping for a security firm: if a deal is too good to be true, it probably is, and if a service is fully automated, chances are it is ineffective. Also, when it comes to PCI scanners, make sure your vendor of choice is on the PCI Security Standards Council’s official list of Approved Scanning Vendors (ASVs).