Ecommerce - 1.2 - Security

Question 1

User data security standards USA

Answer 1

USA is one of the most lenient in the world

Question 2

User data security standards EU

Answer 2

EU data privacy states that you cannot store most any customer data outside of the EU. Used to have safe harbor agreement in place, but that no longer exists.

Question 3

User data security standards Canada

Answer 3

just has very strict spam laws

Question 4

PCI standards and processes

Answer 4

PCI SAQ (self-assessment questionnaire): a detailed piece of information to assess whether you and your website are following best security practices.
• Cardholder data must not ever be stored or transmitted unencrypted.
• Unencrypted cardholder data must not be seen by unqualified individuals.
• Encrypted cardholder data is still subject to safety measures.
• Reference:
• https://www.pcicomplianceguide.org/faq/
• https://www.pcicomplianceguide.org/pci-saq-3-1-ecommerce-options-explained/

Question 5

PA-DSS / PCI-DSS rules and practices

Answer 5

• https://securityintelligence.com/difference-pci-dss-pa-dsspayment-application-vendor-thinkappsec/
• Every organization that handles credit cards needs to comply with PCI DSS (Payment Card Industry Data Security Standard).
• Build and maintain a secure network.
• Protect cardholder data.
• Implement strong access control measures.
• Ensure the maintenance of information security policies.
• Vendors that make and sell payment applications need to
meet PA DSS (Payment Application Data Security Standard).

Question 6

SSL usage in ecommerce

Answer 6

• SSL when transmitting cardholder data is a must.
• Preferably use TLS 1.2 but limited due to older browsers that no longer support that.
• Browser vendors are pretty much forcing all sites to switch to https.

Question 7

What is PA-DSS? When should PA-DSS be applied?

Answer 7

• https://securityintelligence.com/difference-pci-dss-pa-dsspayment-application-vendor-thinkappsec/
• It helps achieve PCI-DSS compliance. A good overview for this is the PCI Awareness Training.
• All organizations that handle cardholder data must be PCIDSS compliant.
• PA-DSS is validating compliance of a system or a program. PCIDSS is the validation of an organization (meaning the people, systems and hardware).

Question 8

What is the process for getting a site certified as PCI compliant?

Answer 8

• https://www.pcicomplianceguide.org/the-pci-basicsquick-guidewhat-do-small-merchants-need-to-do-to-achieve-pci-compliance/
• Determine merchant level.
• Visa: https://usa.visa.com/support/small-business/securitycompliance.html
• MasterCard: https://www.mastercard.us/en- us/merchants/safety-security/security-recommendations/merchants-needto-know.html
• This determines whether a SAQ will work or if you have to have an on-site assessor.
• Determine the SAQ.
• Complete the SAQ.

Question 9

What are the best practices for protecting ecommerce user data?

Answer 9

• Don’t store cardholder or other sensitive data. It is good to see the “saved credit card” option gone with Magento 2.
• Be careful with who handles cardholder data.
• Use strong hashing for passwords. This is another benefit of Magento 2.
• Use https on the website to protect cardholder and other data.

Question 10

What are the requirements of the EU “cookie law”?

Answer 10

• https://www.cookielaw.org/the-cookie-law/
• Required after May 2011 (though, to my understanding, it is very poorly enforced).
• It requires that a website give customers the option to opt out of cookies being set on their computer.
• Requires that a website:
• tells visitors that the website uses cookies.
• explains what the cookies do
• gets their approval for storing cookies on their computer.
• (exceptions do apply)

• https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/