A security (SSL/TLS) certificate is a practical necessity for any website that takes online payments: it proves the site's identity to the browser and enables an encrypted connection. On its own, however, a certificate does not show that a merchant conforms to the Payment Card Industry Data Security Standard (PCI DSS). Conformance is demonstrated by passing the PCI assessment described below, of which transport encryption is only one part.
All major card brands, including MasterCard, Visa, American Express, Discover, and JCB, endorse the PCI standard. Any merchant that stores, processes, or transmits cardholder data is required to comply with it. The standard applies to every payment channel a merchant uses, including retail (card-present), mail or telephone order, and online transactions. Failure to comply may result in fines from acquiring banks and card brands, and can ultimately cost the merchant the right to accept payment cards at all.
To be validated, a merchant must submit at least one externally facing website (and any other system that handles cardholder data) for assessment, which typically includes quarterly vulnerability scans by an Approved Scanning Vendor and either a Self-Assessment Questionnaire or an on-site audit, depending on transaction volume. PCI DSS groups its twelve requirements into six control objectives, and all six must be met for a merchant to be deemed compliant.
First, the website must run on a secure network: a properly configured firewall must protect cardholder data, and vendor-supplied defaults such as default passwords must never be used. Hosting companies share responsibility for the security of their networks because payment card data is submitted directly to the web server, and an insecure web server means insecure cardholder data.
Second, the merchant must protect stored cardholder data and encrypt it whenever it crosses an open, public network. In practice this means the checkout must use strong cryptography: TLS 1.2 or later with cipher suites of at least 128-bit strength. Older SSL versions and early TLS are no longer accepted by the standard, and a certificate alone is not enough if the server still negotiates weak protocols or ciphers.
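The "encrypt in transit" requirement is the one point in this list that can be checked mechanically. The following is an added example, not code from the original article or from any PCI document, showing how a checkout server's TLS configuration can be built and audited with Python's standard `ssl` module: TLS 1.2 as the minimum protocol, only forward-secret AEAD cipher suites of 128 bits or more, and an audit function that reports anything weaker. The weak-cipher marker list and the audit thresholds are this example's own assumptions, not a complete PCI policy.

```python
import ssl

# Constructed for this example: substrings that mark cipher suites a PCI
# assessor would reject outright (no encryption, export-grade, RC4, DES/3DES,
# MD5 integrity, anonymous key exchange).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")

MIN_STRENGTH_BITS = 128  # the article's "at least 128-bit" threshold


def build_payment_context():
    """Server-side TLS context for a checkout endpoint (hypothetical deployment).

    TLS 1.2 is the floor, and the TLS 1.2 cipher string permits only ECDHE
    (forward-secret) AEAD suites. TLS 1.3 suites are enabled automatically
    and are always AEAD with >=128-bit keys.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES")
    return ctx


def audit_ciphers(ciphers, minimum_version):
    """Return a list of findings for a cipher list and protocol floor.

    `ciphers` uses the dict shape returned by SSLContext.get_ciphers()
    (keys 'name', 'protocol', 'strength_bits', 'aead'). An empty list means
    the configuration passes this example's policy.
    """
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    for c in ciphers:
        name = c["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"{name}: weak or deprecated algorithm")
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"{name}: only {c['strength_bits']}-bit strength")
        if not c["aead"]:
            findings.append(f"{name}: not an AEAD suite")
        # TLS 1.3 suites always use an ephemeral key exchange; for TLS 1.2 we
        # require DHE/ECDHE so a leaked server key cannot decrypt old traffic.
        if c["protocol"] != "TLSv1.3" and "DHE" not in name:
            findings.append(f"{name}: no forward secrecy")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext using the ciphers OpenSSL actually enabled."""
    return audit_ciphers(ctx.get_ciphers(), ctx.minimum_version)


if __name__ == "__main__":
    for finding in audit_context(build_payment_context()) or ["checkout TLS policy: OK"]:
        print(finding)
```

`audit_context` inspects what OpenSSL actually enabled rather than the cipher string as written, so a build that silently drops or adds suites is still caught. Running it against an existing deployment's context is a cheap pre-check before the ASV scan, though it does not replace the scan, which also tests the server's behaviour on the wire.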
Third, the merchant must maintain a vulnerability management program. This means keeping anti-malware protection current and patching systems and applications promptly, because new tools that exploit published vulnerabilities appear every day. A vulnerability management program ensures that the web server is assessed against, and protected from, newly disclosed threats rather than only the ones known when it was deployed.
Fourth, the merchant must implement strong access control measures. Both logical and physical access to cardholder data must be restricted on a need-to-know basis: only the people and systems that genuinely require the data may be granted access, and each such person must be assigned a unique ID so that every action can be traced to an individual.
Fifth, the merchant must regularly monitor and test its networks. All access to network resources and cardholder data must be tracked and logged, and security controls and processes must be tested regularly to confirm they are still effective and up to date.
Lastly, the merchant must maintain an information security policy. Employees should know and understand their responsibilities for protecting customer information before an incident occurs, not after.
If all of the above requirements are met, the merchant is validated as compliant and can provide an attestation of compliance to its acquiring bank. Note that this attestation is distinct from the site's SSL/TLS certificate: the certificate secures the connection between the customer's browser and the server, while compliance with the full standard is what protects the merchant and its customers against the broader set of threats, from network intrusion and browser exploits to phishing and insider misuse.