Security
Privacy Statement

Your Cartsupport.com cart is fully PCI compliant. VISA and Mastercard now require all merchants to adhere to the PCI security standard. Our compliance with PCI standards is audited and certified by two outside agencies: Ambiron/Trustwave and ScanAlert.

 

 

 


View PCI Security Cert

How & Why to Comply: PCI Letter to Merchants



 

We take security and your privacy very seriously.  At any given time, we have several security audits and several security/fraud investigations underway.  Consequently, our security practices and procedures are under continuous review and testing.    

We use 1024 bit RSA encryption ciphers using a 512-bit key in our shopping cart and in our administrative cart control panels.  This is the most powerful 'super-cert' available and is capable of making older browsers with the older 28 and 40 bit encryption behave like they have stronger encryption installed.

Cipher technology is an extremely arcane subject, but we are experts at it with over 10 years of e-commerce design and support to our credit.

 

     

But encryption and good cipher technology are not enough to do the job properly.   At times, good encryption and cipher technology simply mean that a fraudster is receiving the same privacy and cipher protection from observation and compromise that our merchants and your shoppers receive.  There has to be more than just good cipher technology.

As good as our security is, we must rely on a partnership with you to maintain good security on our systems.  A single merchant who values convenience above security can put security at risk for himself and all the other merchants on the system.

What You Need to Do
There are several measures you need to take to ensure that credit card data is safe on your own computers, and that your connection with us is secure.  

Use Secure Passwords: you should use a long, 10 character password that contains at least one upper case letter, at least one lower case letter and one number. This complexity requirement makes passwords much harder for an attacker to guess. You should also use such a password on your own PC: access to all your office PCs used for orders should not be granted without a complex password. Change ALL your passwords everywhere every week or every month. It's best if you DO NOT allow default accounts such as Administrator, root or Guest to be used at all on your systems (disable them).

Be aware of what your password really is and do not use old passwords to try to log in to the system.  If you are really unaware of what your cart control panel password really is, and try a couple of different passwords, then you look like a hacker to our system and may get locked out and have to contact the support desk to get unlocked.

Do not use password memorization tools such as your browser's 'remember my password' function or software password 'wallets'. These resources are simply too easily tampered with by viruses and can cause an immediate compromise of your valuable passwords.

Use Firewall Protection Software: install firewall software on your PCs and/or your local network. Good firewall software is available from Symantec and Kerio. Use a firewall that makes use of application hardening, like Kerio, if at all possible.

Use Virus Protection Software: a virus that infects your system could 'call home' with information that helps an attacker compromise your systems or network. Symantec is a good choice for protection. Be sure to subscribe to updates, as new viruses emerge every day and you must keep your protection up to date. If we have asked you via email or phone to run a Virus/Trojan check now, then click for Symantec, then click 'Security Response' in the top menu bar, then click 'Check for Security Risks' two thirds of the way down the resulting page. Run BOTH tests offered.

Use Spyware Protection: if you have spyware installed by a virus or web site visit on your PC, every keystroke (including credit card numbers) could be recorded and conveyed over the internet to an attacker.  Your cart control panel password could also be compromised in this fashion, and attackers could log in to your cart control panel and see every order.  Spybot spyware protection has gotten good reviews and free trials are offered on their web site.

Use Wireless Security: secure your wireless network with WEP. It's best not to use wireless networking at all for handling order information. If you must, use WEP security, or anyone can eavesdrop on your network traffic. Check your wireless documentation for information on setting up WEP security on your wireless network. Use a 128 bit cipher and rotate keys. DO NOT use public wireless networks such as those in airports, Starbucks, Borders or hotels/motels for order handling at all. Use of an unsecured wireless network is a major risk that can compromise all the confidential information your business handles. DO NOT rely on the assertions of a desk clerk that a hotel wireless network is secure. They are not. Don't take the risk. For full details on wireless security, see www.visa.com/CISP

Note that all the above precautions will vastly reduce the likelihood of a hacker discovering your cart control panel password and 'logging in as you' and thus gaining access to your sensitive credit card information. If your password becomes compromised, our outstanding security cannot protect you.

Use Detailed Logging (your PCs and your own web site): you should have access logs turned on for your PCs, network and your web server and should review the logs weekly or monthly. Your logs should be set to record failures as well as success entries, and should be set to log information for at least three months, with a year of logs stored offline on tape, CD, etc. Windows users can get help on setting up appropriate log settings at security.microsoft.com.
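The weekly log review described above, and the lockout behaviour mentioned under the password guidance, can be turned into a small check. The following is an added example and not Cartsupport.com's code: it reads a constructed authentication log (the line format, the five-minute window and the three-failure threshold are assumptions made here), flags runs of failed logins, flags a success that immediately follows such a run, and flags any use of the default accounts the page says to disable.

```python
# Added example, not Cartsupport.com's code. Reviews a constructed
# authentication log for the patterns the page says logs should capture:
# runs of failed logins (the "looks like a hacker" lockout case), a success
# that follows such a run, and any use of default accounts the page says to
# disable. The log line format and thresholds are assumptions made here.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<date> <time> LOGIN <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01 09:00:12 LOGIN FAIL user=shopadmin src=203.0.113.5
2024-03-01 09:00:40 LOGIN FAIL user=shopadmin src=203.0.113.5
2024-03-01 09:01:03 LOGIN FAIL user=shopadmin src=203.0.113.5
2024-03-01 09:01:30 LOGIN OK   user=shopadmin src=203.0.113.5
2024-03-01 10:15:00 LOGIN OK   user=shipping src=198.51.100.20
2024-03-01 22:30:00 LOGIN FAIL user=root src=192.0.2.77
"""

FAIL_THRESHOLD = 3               # failures inside WINDOW that trigger a finding
WINDOW = timedelta(minutes=5)
DEFAULT_ACCOUNTS = {"administrator", "root", "guest"}


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    date, time, _, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def review_log(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (user, finding) tuples in the order the triggering lines occur."""
    findings = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures inside the window
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        fails = recent_fails[ev["user"]]
        fails[:] = [t for t in fails if ev["ts"] - t <= window]   # expire old failures
        if ev["user"].lower() in DEFAULT_ACCOUNTS:
            findings.append((ev["user"], f"default account used from {ev['src']}"))
        if ev["ok"]:
            if len(fails) >= 2:
                # A success right after repeated failures deserves a call to the account owner.
                findings.append((ev["user"], f"success after {len(fails)} failures from {ev['src']}"))
            fails.clear()
        else:
            fails.append(ev["ts"])
            if len(fails) == threshold:
                findings.append((ev["user"], f"{threshold} failures within {window}: lockout candidate"))
    return findings


if __name__ == "__main__":
    for user, finding in review_log(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

Run against a real export, the same logic needs only `parse_line` adapted to the server's log format; the failure window and the default-account list are the two settings worth tuning to the office's own usage.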

Do Not Record CVV: It is a key MC/VISA security arrangement and requirement that neither you nor we store CVV information or keep any kind of record of CVV data. 
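What "no record of CVV data" looks like at the point where an order is saved, as an added example that is not Cartsupport.com's code: the CVV field is dropped before the record is persisted, and the card number is reduced to a masked form (keeping only the last four digits is this example's own choice, beyond the page's CVV rule). The field names and the sample order are constructed for the example; the Luhn check rejects mistyped numbers before anything is written.

```python
# Added example, not Cartsupport.com's code. Shows an order record being
# reduced to what a merchant may persist: the CVV is dropped entirely (the
# page's rule) and the card number is replaced by a masked form, a choice made
# in this example. Field names and the sample order are constructed here.
import re


def luhn_ok(pan):
    """Standard Luhn check: rejects mistyped card numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(value):
    """Strip spaces and dashes; return the digits or raise ValueError."""
    pan = re.sub(r"[ -]", "", str(value))
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid card number")
    return pan


def mask_pan(pan):
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


SENSITIVE_FIELDS = ("card_number", "cvv")   # never written to disk or logs


def sanitize_order(order):
    """Return a copy of the order that is safe to persist."""
    pan = normalize_pan(order.get("card_number", ""))
    stored = {k: v for k, v in order.items() if k not in SENSITIVE_FIELDS}
    stored["card_last4"] = pan[-4:]
    stored["card_masked"] = mask_pan(pan)
    return stored


# Constructed sample order; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_ORDER = {
    "order_id": "A1001",
    "customer": "J. Shopper",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "amount": "49.95",
}

if __name__ == "__main__":
    print(sanitize_order(SAMPLE_ORDER))
```

The full card number and CVV exist only in the in-memory `order` passed to the gateway call; anything written afterwards (database row, log line, email to shipping) should be built from the return value of `sanitize_order`.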

Security Checklist: Every VISA/MC merchant must certify to VISA/MC that they comply with the above rules (and a few others).  To get a copy of the actual requirements and a checklist, download this document.

IMPORTANT NOTE:  When you joined our service your user agreement notes that you will make use of the security advice on this page.  If you do not, your cart account with us can be closed instantly without notice.

What We Do to Help Protect You...

Database Protection
Our database security is under constant review to detect and thwart attacks.  We have never had a data compromise.  We have automated tools probing and prowling our systems and database for possible attack.  We also have human beings constantly reviewing database access practices and patterns for signs of attack. 

Database Encryption
In the remote event that a database attack is successful, the attackers would get only useless 'junk' -- all critical fields, such as credit card numbers are stored in encrypted form.  A successful attack would yield useless junk characters instead of a useful credit card number.  If our data were ever compromised, the hacker's attack problem would just be beginning - once they have our data, they would have to figure out how to decrypt it so they could use it.

Partnering
We also partner with the security departments of the major credit card companies and gateways, sharing information on practices observed among fraud attempts and helping all our e-commerce partners keep security tight, while optimizing the shopping experience for honest, authorized shoppers.

 

MasterCard International
Cartsupport.com's security meets the stringent requirements of Mastercard's SDP program. The Mastercard SDP Program provides acquiring members with the ability to deploy security compliance programs, ensuring that online merchants and Member Service Providers are adequately protected against hacker intrusions and account data compromises.



Cartsupport.com's security meets the FBI's stringent requirements for the joint SANS program.

     

Merchant Control
Because merchants have their own workflow practices and their own day-to-day business needs, we place some security settings directly under merchant control.  Merchants, when they visit their cart control panel to pick up orders, are using the same 256-bit super-cipher that their shoppers use to keep their order information private and safe from compromise or observation.

Fraud Control
From time to time you may have a shopper report that payment information given to you was compromised and fraudulent charges were charged to their credit card. You can use the spreadsheet below as a template for an investigation. The spreadsheet has been developed over years of investigative work and will help you ask all the right questions to determine if your firm or ours was involved in a data compromise. For instance, recording the ZIP code of every reported fraud will help you determine if all reporting shoppers are on the same mail route; if they are, then you should suspect a low-tech 'mail hack' rather than a high tech database attack.
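The ZIP code heuristic above can be applied directly to the rows of such a spreadsheet. The following is an added example and not the spreadsheet itself or any Cartsupport.com code: it tallies constructed fraud reports by the cardholder's billing ZIP and says whether they concentrate on one mail route or are scattered. The record fields, the "at least three reports" minimum and the "half of all reports" share are assumptions made for the example.

```python
# Added example, not Cartsupport.com's spreadsheet. Tallies reported fraud
# events by the cardholder's billing ZIP code so that a cluster on one mail
# route stands out from a scattered pattern. The records and the thresholds
# are constructed for this example.
from collections import Counter

# Constructed sample reports: one row per fraud event reported to the merchant.
SAMPLE_REPORTS = [
    {"case": 1, "zip": "97201", "reported": "2024-02-03"},
    {"case": 2, "zip": "97201", "reported": "2024-02-05"},
    {"case": 3, "zip": "97202", "reported": "2024-02-06"},
    {"case": 4, "zip": "97201", "reported": "2024-02-09"},
    {"case": 5, "zip": "10001", "reported": "2024-02-11"},
    {"case": 6, "zip": "97201", "reported": "2024-02-12"},
]


def zip_concentration(reports):
    """Return the most frequent five-digit ZIP, its count and its share of all reports."""
    counts = Counter(r["zip"].strip()[:5] for r in reports)
    top_zip, top_count = counts.most_common(1)[0]
    return {"total": len(reports), "top_zip": top_zip,
            "top_count": top_count, "share": top_count / len(reports)}


def classify(reports, minimum=3, share=0.5):
    """Suggest where to start: a shared mail route points to a low-tech
    compromise; a scattered set of ZIPs does not. Thresholds are assumptions."""
    if len(reports) < minimum:
        return "insufficient data"
    c = zip_concentration(reports)
    if c["top_count"] >= minimum and c["share"] >= share:
        return f"likely low-tech: {c['top_count']} of {c['total']} reports share ZIP {c['top_zip']}"
    return f"no geographic pattern: {len(set(r['zip'] for r in reports))} different ZIPs"


if __name__ == "__main__":
    print(zip_concentration(SAMPLE_REPORTS))
    print(classify(SAMPLE_REPORTS))
```

A "no geographic pattern" result does not by itself prove a database attack; it only removes the mail route as the first explanation, and the remaining questions on the page (shared computers, auto-fill tools, cards out of sight) still come before a high-tech hypothesis.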

 




 

 

 

Credit Card Compromise or Fraud

Common Consumer Practices Often Equate to Poor Security
Although many consumers regard using the internet as a 'high risk' venue for credit card use, it's actually the safest way to use a credit card, provided that adequate common-sense measures are taken. Consumers who would never do a transaction on the internet for 'security' reasons often let a waiter or waitress disappear with their credit card for 5-10 minutes. Other practices that can cause a compromise include using MS Wallet (credit card information is stored on a remote server for multiple use transactions) and using web page 'blank auto-fill-in' software such as Gator (again, credit card information is stored on a remote server for convenient use later without typing in the information again). Even the use of typical browser features such as 'Inline AutoComplete', built in to all browsers, can enable a child or co-worker to get credit card information from the browser if a web site where a purchase has been made is visited again. Turning cookies on or off, and clearing history files, does NOT remedy these security holes and does not block future compromises.

Low Tech vs. High Tech
Although many folks immediately suspect a high-tech compromise (hacker) when a card fraud event takes place, the opposite is usually true. Low-tech attacks are much more common. Consider: smart or clever people who are capable of a high tech attack (a hack) are usually also smart enough to know that they can't get away with it. They also have valuable skills and are highly paid, so they have no economic motivation to risk that high income on a dubious plot to make some 'easy' money and get caught. Conversely, poorly paid workers at gas stations and restaurants may more readily think they can get away with credit card fraud scams, and their poor pay makes a low-tech undertaking such as a dumpster dive or writing down credit card numbers seem worthwhile. These people usually get caught, too.

So the set of people who are motivated and capable of undertaking a low-tech fraud attack is much, much larger than the set of people motivated and capable of undertaking a high-tech fraud attack.  It makes sense to start investigations with the assumption of a low-tech attack -- as that is the avenue of investigation that will most frequently lead to the culprit (or family member in many cases).

Questions to Ask
By far the most common result of reported credit card fraud investigations is the revelation that one spouse made a purchase they did not want the other spouse to know about.  This is followed by children or teenagers making a purchase they did not want a parent to know about.   Once you have investigated a few frauds, you will perhaps become a little skeptical about reported fraud and such skepticism may serve you to some extent.

Here is a list of questions you can ask of a cardholder to begin an investigation:
1.  Did you make the purchase with us from your home, office or a friend's computer?
    1a. What virus protection is installed on this computer and what is the date of the latest update?
    1b. Which merchant assessed you the fraudulent charge?  What was the date, time and amount of the charge?
    1c. Can you contact this merchant?  If so, did you?
    1d. What was the charge for and who caused the fraudulent charge?
    1e. Did the purchaser place the order with valid contact info?
    1f. What is that contact info for the purchaser?
    1g. Can you and would you repeat the above info for subsequent fraudulent charges?
2.  Do any co-workers, friends, spouses or children have access to that same computer?
3.  Do you have 'Inline AutoComplete' turned on in your  browser?
4.  Do you use Gator or MS Wallet on that computer?
5.  What other companies have you purchased from online? (ask for a list)
6.  Do you auto-pay bills using this same credit card?
7.  Has your credit card been out of your sight (including at a restaurant or store) for any period of time?
8.  Do you use your credit card to pay for gas?
9.  If so, do you swipe at the pump, or leave the credit card with the attendant while you pump?
10.  Do you ever give your credit card to a child, spouse or friend?
11.  Have you called the security department at the credit card bank?
12.  Have you asked for your money back from the merchant who charged the fraudulent charge?
13.  Have you asked the bank to return your money on this fraudulent charge? (MUST DO THIS!)
14.  Will the merchant who charged the fraudulent charge talk to you?
15.  Where did the merchant ship the merchandise on this fraudulent charge?
16.  If delivery was electronic (download or site access) what IP address was the download or access delivered to? (ask the merchant)
17.  Did the merchant processing the fraudulent charge require AVS or CVV information to accept the card transaction?
18.  What was the result of a computer scan with Norton Anti-virus? (will identify commonly known spy-ware)
19.  Is your computer password protected, or can anyone who turns it on use it?
20.  Do you shred your credit card bills?
21.  Do you throw your credit card bills away in the trash without shredding them?
22.  If filed, are your credit card bills under lock and key?  Who has keys?
23.  Have any of your other credit cards been compromised?
24.  What is the zip code where your credit card bill is sent?

If you cannot get answers to all or most of these questions, you probably should not begin a serious investigation.  You can copy and paste the questions above into an email to your customer, or read them over the phone in a courteous, helpful tone.

To help ensure that the compromise did not occur at your own merchant office, you should ask yourself the following questions (and send the answers to us if you are participating in an active investigation):

1.  What virus protection is installed on each computer and what is the date of the latest update for each computer in your office handling order or shipping information?
2.  Do you have any former or disgruntled employees or workers who may have interfered with your security?
3.  Are credit card numbers locked up when you leave the office?
4.  Do you turn your computers off when you leave the office?
5.  Have you changed all passwords, including your cart control panel password, to a long (16 character) non-English password?

Investigation
If the fraudulent use of a card you have handled is reported to you, the first thing to ask is whether the cardholder has reported the event to the security department of the cardholder's bank and asked that the charge be reversed. If they have, get the incident number and the security department's phone number and proceed with the investigation with the help and supervision of the card issuing bank's security department.

Due to the high number of investigations we are asked to participate in, and due to the high number of investigations that result in a non-cybernetic, reasonable and rational explanation for the compromise (such as one spouse reporting fraudulent use for purchases where it was undesirable for the other spouse to learn of the purchases) we can only initiate an investigation with you if you contact a law enforcement agency and have them contact us, or if you submit the suggested investigation template spreadsheet (below) to us completely filled out for each fraud event reported to you.  Email the fully completed spreadsheet to rsr@cartsupport.com.  Note that most investigations are never concluded due to the fact that either the cardholder or the card issuing bank's security department does not cooperate fully with the investigation.

Click here to download: security.investigation.xls