Website security is more than providing an SSL (Secure Sockets Layer) website certificate. Many online merchants describe their website as secure because they offer SSL technology. Unfortunately, this is a simplification of website security and is misleading to the customer.
An SSL certificate allows information to be transmitted securely across the internet. It permits a customer to send and receive confidential and personal information, such as credit card data, securely. However, SSL technology is only one aspect of website security, and other important security measures must be employed to offer customers a secure experience when making a purchase at an online retail store.
Here are the major security areas that must be integrated into any online operation that receives confidential information from a customer:
We utilize the industry standard Secure Sockets Layer (SSL) technology with the highest available encryption for transmitting and receiving confidential information during all online order processing. With SSL, the transmission of confidential data from your browser to the server is encrypted for your security. Encryption scrambles information so that anyone who intercepts it cannot read it. HealthGoods obtained a Digital SSL Certificate from Verisign, a worldwide recognized name in SSL certificates. Verisign provides independent third-party verification that the HealthGoods.com domain name (URL) is owned by the authorized, registered, legitimate business.
When you connect to a secure web server, you ask that server to authenticate itself. This authentication is a complex process involving public keys, private keys and a digital certificate. The certificate tells you that an independent third party has agreed that the server belongs to the company it claims to belong to. The site authentication process enables your browser to confirm our identity before your confidential information is sent. A valid certificate means that you can have confidence that you are sending information to the right place.
The presence of a secure location on a website is identified on your browser in several ways:
- The URL for the page you are on will begin with the letters "https://" instead of the usual "http://".
- You may see some type of security symbol that indicates you are operating in a mode that supports our security measures. If you are using Microsoft Internet Explorer, you may see a "closed lock" in the bottom right hand corner of the screen.
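The browser-side check described above, as an added example that is not part of the original page: a Python script that builds a constructed self-signed certificate for the hypothetical host healthgoods.example, serves it on localhost, and connects to it with the same settings a browser uses (the issuer must be a trusted authority and the name on the certificate must match the site). It assumes the openssl command-line tool is installed.

```python
import os, socket, ssl, subprocess, tempfile, threading

HOST = "healthgoods.example"  # hypothetical merchant hostname, used only in the constructed certificate

def make_self_signed(tmpdir):
    """Create a constructed self-signed certificate and key with the openssl CLI (assumed installed)."""
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={HOST}",
                    "-addext", f"subjectAltName=DNS:{HOST}"], check=True, capture_output=True)
    return crt, key

def serve_one_handshake(crt, key, srv):
    """Server side: accept one connection and try to complete the TLS handshake with our certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    conn, _ = srv.accept()
    try:
        ctx.wrap_socket(conn, server_side=True).close()
    except ssl.SSLError:
        pass  # the client rejected our certificate and aborted the handshake
    finally:
        conn.close()

def browser_style_check(port, expected_host, cafile=None):
    """Client side, what a browser does before sending card data: verify the issuer chain and the name.
    cafile=None means 'trust only the recognized authorities shipped with the system'."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True by default
    with socket.create_connection(("127.0.0.1", port)) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=expected_host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return "accepted", subject["commonName"]
        except ssl.SSLCertVerificationError as exc:
            return "rejected", exc.verify_message

def run_demo(trust_issuer, expected_host=HOST):
    """Spin up a throwaway TLS server with the constructed certificate and check it like a browser would."""
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_self_signed(tmp)
        with socket.create_server(("127.0.0.1", 0)) as srv:
            worker = threading.Thread(target=serve_one_handshake, args=(crt, key, srv))
            worker.start()
            result = browser_style_check(srv.getsockname()[1], expected_host, crt if trust_issuer else None)
            worker.join()
    return result
```

run_demo(False) is rejected because the issuer is not a recognized authority, run_demo(True) is accepted once the issuer is explicitly trusted, and run_demo(True, "shop.example") is rejected because the name on the certificate does not match the site being visited.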
If you are making a purchase on a website, your payment information is being transferred across a “Payment Gateway” to your card-issuing bank and back again to the website for payment processing. This means there is another organization, the one providing the Payment Gateway, that must be considered in website security. A Payment Gateway must capture your payment information, and how it handles that information before and after the sale is important. The HealthGoods.com Payment Gateway is provided by PayPal, a recognized leader in website security. Our PayPal Payment Gateway is fully PCI and CISP compliant, assuring that the customer’s confidential information will not be compromised. The PayPal Payment Gateway does not store your credit card number after the transaction has taken place, so it is not possible for any individual or entity to “hack in” and obtain this information.
How it Works
Payment processing occurs in a real-time synchronous transaction. The PayPal Payment Gateway serves to pass appropriate order information from HealthGoods.com to the necessary financial networks for processing.
- HealthGoods.com encrypts each transaction request using the latest Secure Sockets Layer encryption (SSL provided by Verisign) and establishes a secure link with the PayPal processing server over the Internet.
- PayPal receives the request and transmits it over a secure private network to the appropriate financial processing network in real time for payment authorization.
- The approval or decline response is received from the financial network and returned to HealthGoods.com.
Customer Information Storage
Confidential customer information must be stored in a manner that is secure and safe. In fact, all the major credit card companies require that any business that stores, processes, transmits or comes into contact with cardholder data comply with the Payment Card Industry Data Security Standard (PCI DSS). Few Internet retailers are certified to the PCI standard because it is an expensive and time-consuming process. HealthGoods.com is fully compliant with PCI DSS standards. Additionally, we do not store your credit card information after the sale transaction is complete. Your credit card number is deleted from our system once the order is processed, so no individual or entity can obtain your complete credit card number from it.
The PCI DSS was developed as a collaborative effort between Visa and MasterCard to establish a common industry security standard. As of June 30, 2005, the Payment Card Industry Data Security Standard has been a requirement for all companies that accept Visa, MasterCard, American Express and Discover credit cards. It is a contractual obligation between the company accepting credit cards and the credit card companies, not a legal regulation. The PCI Data Security Standard has 12 basic requirements and over 200 sub-requirements. Here are the major requirements:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Some important questions to answer before making any transaction at an online store:
- Does the website offer an SSL certificate from a recognized organization? Today there are all types of SSL issuing authorities, including many web hosts that issue their own certificates, and some businesses use a shared SSL certificate that they do not own. Part of the process of obtaining an SSL certificate is verifying the legitimacy of the business to which it will be issued, and each issuing authority differs in how thoroughly it verifies that organization. Look for a recognized name in SSL certification to help ensure that the certificate was obtained from a legitimate source and that a thorough verification of the business obtaining it has been done.
- Does the website use a Payment Gateway that has been verified to PCI DSS standards?
- Is the website certified to PCI DSS standards for the safe and secure storage of your personal and confidential information?