1.) Create a Professional Design

Several beginners make their first critical mistake at the design stage.  Being that HTML programming is fairly easy to master, some develop the gumption to go at it alone and decide to build their own website from the ground up.  Even though web technology has made it much more feasible to create a site with little to no experience, there are many reasons why you may want to leave this task in the hands of someone else.  Building a fully functioning website from scratch can be a hassle and very costly when considering that you will have to invest countless hours on time that could have been spent focusing on something else.  By outsourcing this part of the project to a professional design or development expert, you can devote your time and energy to developing a sound business strategy.

2.) Make Easy Navigation and Usability a Priority

Creating an e-commerce site that offers simple navigation and usability is a must.  You can get a better understanding by viewing your website as the aisle of a retail store.  In an ideal environment, all items are organized accordingly and easy to find.  Customers should have no trouble finding what ever it is they want to purchase.  The same holds true for an online storefront.  Even it is a measly checkout button, it is should be made visible and easy to find on your site.

3.) Don’t Forget Your Inventory

There are some online store owners that get so caught up in running their business, they forget about other key areas such as inventory.  You can avoid this by cataloging all the items you have for sale.  Be sure to update your inventory on a regular basis to avoid scenarios where a customer tries to purchase something that is out of stock.  This can help you salvage a sale and elude embarrassment as well.

4.) Incorporate Customer Friendly Features

One surefire way to succeed with an e-commerce venture is to incorporate and make effective use of desirable features that will benefit your customers.  These features could range from essentials such as an easy to use shopping cart and SSL certificate to novelties like a site map and talking avatars.  You may also want to consider rich media features such as animation and video or something simple and effective like auto-responders to deliver immediate responses.  By pampering your customers, you can increase the probability of a pleasurable shopping experience that keeps them coming back for more.

osCommerce Installation

- Login into your cPanel account and click on the Fantastico icon at the bottom of the main page.

- Navigate to the “E-commerce” section and click on the “osCommerce” link.

- Next, click on the “New Installation” link.

- Now you must go through a multi-step process in order to define the installation location:

Step 1: Choose your domain from the provided drop-down menu.

Step 2: Enter the name of the directory where you want osCommerce to be installed.

Keep in mind that the “install in directory” field is the one part where several users make critical mistakes.  Enter a single phrase of the new folder that will be created for the osCommerce application.  If you try to add dashes, the installation will fail every time.

Step 3: Return back and double check the information you entered in the above field.  If you want your customers to access your store when visiting “http://yoursite.com,“ you would then leave the “Install in Directory” field blank.  On the other hand, if you already have an existing website, you want to enter a given directory name in that field.  For example, if you decide to use “store” as the name of the directory, customers would access your osCommerce store by visiting “http://yoursite.com/store”.

- After entering the required information for the installation destination, enter a user name and password for your osCommerce administrative area.

- Next, enter the name of your store, an owner name, and valid email address.

Activate SSL

Once you have the installation destination squared away, the proceeding steps are self explanatory.  The SSL process deserves a little more detailed explanation.

- Set the “Use SSL” option to”Yes”

- Enter the hostname for your secure server.

If you have a dedicated IP address and SSL certificate for your website, simply enter your domain name in the next field.  If not, just use the server name entered above.

- Choose the information you want to require from your customers.  You will see that these options are pretty straightforward and can be either set to “Yes or “No.”

- After entering the information, click on the “Install osCommerce” tab.

- Lastly, on the next page click “Finish installation”.

You have now successfully installed the osCommerce shopping cart program equipped with an SSL certificate for security.  Now all you have to do is the click the provided link or type the appropriate URL into your browser to log in and set up your online store.

Though PCI standards were introduced to protect consumer information and ensure integrity across various industries, they have also introduced a new level of frustration for the smaller business that has a need to sell products or services online, but doesn’t possess the resources to meet compliancy.  There is a lot that goes into protecting sensitive card data and unfortunately, one too many organizations are not equipped to provide this protection.  Everyday, companies are scattering in attempts to gather the necessary resources to not only fend off attackers, but also keep the government out of their business.  Difficulties aside, PCI compliance is needed as threats are growing rapidly in terms of numbers and sophistication.

PCI-Friendly Hosting Features

Achieving compliance requires a multitude of security components.  Some of the essentials include:

Malware Protection – Malicious software such as viruses, worms, Trojans and keyloggers pose a direct threat to card data stored on any computer or web server.  Businesses are strongly advised to keep their systems protected with reliable solutions capable of detecting and eradicating the latest malware programs.

Firewall - A firewall provides an organization with the ability to control inbound and outbound traffic going to and from the system.  With the right configurations, it can halt malicious traffic and also help to prevent basic hacking attacks.

Intrusion Detection – Though very effective, a firewall can only do so much.  An intrusion detection system enables PCI compliance by detecting the presence of malicious activities that pose a potential threat to card data resting on the system.

Network Monitoring – Even with all the right security mechanisms, card data can still be at risk due to a wide range of circumstances.  This could related to hardware failure or a problem with a backbone provider.  Network monitoring allows companies to stay one step ahead of such issues by watching over the network and reporting its status to system administrators.

SSL Certificate System - SSL (Secure Sockets Layer) is a must-have security feature for any business that sells goods or services over the internet.  Credit card data is in jeopardy whenever transactions are made on any website that isn’t protected.   With an SSL certificate, businesses can ensure the protection of sensitive information as the protocol creates an encrypted tunnel for which credit card details to travel through.

Not all hosting providers make the commitment to aid in PCI compliance but more are getting onboard with the concept.  Those who are should be commended for their efforts to aid in business-friendly solutions that take the stress out of meeting these demanding standards.

]]> http://webhostinggeeks.com/blog/2009/05/29/the-need-for-pci-compliant-hosting/feed/ 0 http://webhostinggeeks.com/blog/2009/03/17/practicing-ftp-security/ http://webhostinggeeks.com/blog/2009/03/17/practicing-ftp-security/#comments Tue, 17 Mar 2009 19:04:33 +0000 CommunicateBetter http://webhostinggeeks.com/blog/?p=246 One of the most highly sought after features on the web hosting market is FTP.   Short for File Transfer Protocol, FTP provides a means for transferring data from your computer to the web host’s server.  While the protocol is quite useful, FTP also presents many security risks and making yourself aware of them is crucial.

Beware of FTP Attacks

FTP is ideal for transferring files to a remote location.  However, you should know that in its purest form, this protocol is far from secure.  FTP transmits your data over a network in plain text.  If the transmission is intercepted, the contents of those files can be viewed by unauthorized parties.  Furthermore, a knowledgeable hacker can use the FTP server as an entrance into your website.  This is done by repeatedly trying to logon with an incorrect user password.  In most cases, the profile is disabled after reaching the maximum threshold of three sign in attempts, thus giving the hacker all the ammunition they need to launch the attack.

The most effective way to protect yourself from an FTP password attack is through the use of an FTP server logon exit program.  This mechanism can provide security in the following ways:

Rejecting logon requests by any user profiles that you have not granted FTP access to.  With the use of an FTP server logon exit program, the logon attempts from the profiles you decide to block are not counted towards the maximum sign in count.

Limiting the number of clients from which a user profile is able to access the FTP server.  For instance, if someone from accounting is granted access, you can make configurations where only users with an IP address from the accounting department have FTP access.

Recording the credentials and IP addresses of all FTP logon attempts.  This allows you to regularly view the activity of each FTP logon attempt.  If a profile is ever disabled for reaching the maximum count, you can use their IP address, identify the perpetrator and handle the matter accordingly.

FTP Security Recommendations

Because FTP is naturally insecure, you may want to strongly consider backing it up with a reliable security mechanism.  The most highly recommended is Secure Sockets Layer, or simply SSL.  SSL is an encryption protocol that enables secure communications between the FTP server and client.  It ensures that transmissions are encrypted, maintaining confidentiality and integrity for all data that passes through.  This includes files as well as usernames and passwords.  Most FTP severs support SSL through the use of a digital certificate which also provides additional security with client authentication.

Though some recommend the use of anonymous FTP for the sharing of non-confidential data, this can be an even greater security risk.  With anonymous FTP, anyone can upload to your server without a username or password.   They could be transferring pirated software or malicious files.  Before taking such a gamble, be sure to weigh all the risks and take the appropriate measures to ensure that your FTP communications are secure.

What is an SSL Certificate?

Secure Sockets Layer or SSL, is a security protocol that enables encrypted communications between the customer’s web browser and the server your store is hosted on.  This is accomplished by what is known as a handshake, a process where the server’s identity is confirmed and a secure connection created.  SSL typically offers 128-bit encryption, formulated by an algorithm which generates a key that is virtually impossible to crack.  An SSL certificate shows that your site is secure and safe for shopping.

How to Get a Certificate

SSL certificates are offered by entities known as Certificate Authorities, with the most popular being GoeTrust, Thawte and Verisign.  For the most part, these authorities provide certificates that give you the same level of security.  A single certificate can encrypt the data traveling between the server and each of your customers’ web browsers.  The average online storefront can get adequate protection from a basic SSL certificate.  You also have the option to purchase additional services to strengthen the level of security.

Installing the Certificate

Although many web hosting providers offer SSL certificates as add-on products, you typically have the freedom to incorporate one purchased from a third-party vendor as well.  In most cases, you can learn how your SSL certificate is to be installed via the instructions in the control panel software or by contacting the host’s technical support department.  Some of the most advanced control panels even allow you to incorporate an SSL certificate directly from the interface.  Once installed, the certificate is automatically enabled.  You will know it is activated when noticing “HTTPS” in front your URL rather than “HTTP”.

Designing for SSL

The design of your site is very important when implementing an SSL certificate.  In order for your web pages to be viewed as secure, all scripts, graphics and media elements must be deemed secure as well.  You have probably visited web sites where a warning displays stating that some of the elements of a particular page are not secure.  These messages are prompted when external elements of a web page are not called using the HTTPS protocol.  In many cases, the certificate is valid and secure but the page isn’t designed properly for SSL.  All the external elements of your page must be called using links that include the full URL.  One simple graphic that doesn’t use HTTPS will generate a “not secure” error.

Conscious online shoppers are increasingly looking for SSL certificates and if you don’t have one, you are missing out on a lot of business.  You can have some of the most beneficial products online but if no one feels safe buying them, they will hesitate to proceed with the transaction.

The major issue with shared hosting has always been the same – the availability of security and the fact that this platform can only be so secure.  Without adequate protection, the web host’s server is vulnerable to a wide range of threats including DDoS attacks, malware infection and network intrusion.  You could also be exposed to attacks such as SQL injection, cross site scripting and even the malicious actions of your neighbors on the server.  When your hosting environment isn’t properly secured, you stand the risk of losing the most sensitive of information.

Security is definitely an issue in the shared hosting environment, one that could make the low cost an uneven trade.  The good thing is that several web hosting providers are aware of these vulnerabilities and they are taking the necessary approaches to deliver a secure service.  When looking for a company to host your site, we recommend keeping the following security considerations in mind.

Protection from Thy Neighbor

When assessing the security of a particular web host, you must not only analyze the protection offered against outside threats, but security that keeps you protected against other website owners on the server.  You never know who you’re sharing the server with, as they could be into dealing porn, distributing spam or malicious software.  A few of your next door neighbors just might be prolific computer hackers.  To keep yourself protected in this regard, you should make sure the provider doesn’t allow any unsolicited code to be executed or access to your directories.

Clean Code

One of the biggest threats to your website lies in the code used to build your applications.  When they are not properly scripted, intruders can use them as an entrance to your data and reap major havoc.  You can minimize the possibility of common website exploits by ensuring that the web hosting company offers the latest in development tools whether its PHP and MySQL or ASP and MS Access.  Most importantly, it is up to you to make sure you are coding your applications and web pages in a secure manner.

Security Features

There are also a number of features that will give you an idea of how secure a particular web hosting platform is.  This includes protection for the actual server such as software that defends against DDoS attacks and viruses as well firewalls and network intrusion systems to fend off hackers.  If your site is to involve online business transactions, you will also require SSL support to protect your customers’ credit card information.  When making sure all the vital security issues are addressed, you can better your chances of enjoying a smooth run in the shared hosting environment.

Building the Site

Obviously, creating your website is the first essential step.  There are several tools available to help with this process from simple web building programs to dynamic programming languages.  While a piece of cake for the experienced webmaster, this could present a huge challenge for someone who lacks web design skills.  In this case, you should strongly consider hiring a qualified designer to build your site.  A costly investment?  Perhaps, but look at it from this perspective – it will cost far less than paying the architecture and construction company to build the facility for a traditional storefront.

Collecting Payments

Whether you’re dealing in goods or services, you need a way for customers to select items and take them to checkout.  To accomplish this your e-commerce site will need a shopping cart.  A quality program will allow you to add different products and categories, add taxes and shipping options, accept payment in various methods and more.  When it comes to shopping carts you generally have to options: you can purchase a commercial product or go with an open-source solution.

Open-source shopping carts like osCommerce are widely available and may be offered at no additional cost with your web hosting package.  Such a program will provide all the features you need to set up an online storefront.  The disadvantage of open-source shopping cart is that some are not easy to customize and don’t cater to inexperienced users.  Additionally, stores created with open-source software tend to look very similar to one another.

Commercial solutions are generally easier to customize and offer more features.  This type of shopping cart will provide the uniqueness that allows you to standout from all the other store owners on the web.  The downside here is that a program like Miva Merchant carries a high-end price tag that ranges from hundreds to thousands of dollars.  You also need to make sure that your web host supports the software so it can be easily incorporated into your e-commerce platform.

Selecting a Payment Gateway

In addition to the shopping cart, you will require a payment gateway that enables credit card payments to be transferred to your banking account.  To accomplish this task you can either sign up for a merchant account or use a third-party payment processor.  Merchant accounts have setup fees, transaction fees and strict qualifications.  However, the transaction fees are lower than using a service such as PayPal.  In either instance, the overall cost are typically less when your monthly sales are over $1,000.  Keep in mind that you will also need to secure the payment environment and protect your online transactions.  The best way to ensure this security is with an encryption protocol known as SSL.  You may have to purchase a certificate with a merchant account while PayPal takes care of securing your transactions.

Bringing in Customers

After creating the site and setting up the store, it’s time to generate some traffic and sell your items.  There are many ways to go about this including advertising, getting your visitors to sign up for a newsletter, pay-per-click campaigns and specially crafted landing pages.  Succeeding with e-commere is no easy task, but when laying a solid foundation, you can give yourself a much better chance of making continuous sales.

Lost Sales

Today’s shopping cart applications offer numerous features.  However, all of them are designed to collect sensitive information from your customers.  This includes their contact information and credit card numbers among other details.  While this is a standard procedure of online shopping, one needs to consider the perspective of the new buyer.

After navigating your site, the visitor has come across a product they want to purchase.  They click on the checkout icon and proceed to enter the required information.  From there the customer is directed to your preferred payment gateway where they are forced input the same information again.  This results in lost or aborted sales as consumers are generally lazy and cautious about handing over their sensitive details.  Ideally, it would be great if your shopping cart could bypass all these requirements and take the customer straight to your gateway.  Unfortunately, there are a number of gateways, all of which require different variables.

So, how do you salvage the sale from here?  Log into the administrative section of your shopping cart, find out if you can track the abandoned sale and contact the potential customer via email.  Let the customer know that you have observed their attempt to place an order and ask if they had any trouble making a purchase.  Explain that you are willing to assistance with any problems they may have experienced.  By reaching out to the consumer on a personal level, there might be a chance of recovering the sale.  In a worse case scenario, you can at least find out if something in your ordering system isn’t functioning properly.  Everyone wants to feel like they are more than just another number.  Taking out the time to make contact and find out the problem might give them the confidence that you are worth doing business with.

The Dreaded Chargeback

Charge backs have been a nightmare for many E-commerce businesses.  You receive an order for one of your products, ship it out, and a week or so later there is a charge back.  This results in you shipping your goods for free, being forced to refund the customer and then pay a charge back fee.  One way to avoid this is to make sure your gateway offers some of type of protection against fraud and dishonest customers who purposely cause charge backs after receiving products.  While every charge back isn’t of a fraudulent nature, all can have a major impact on your pockets.

Conclusion

As the owner of an E-commerce business, you need to think like a prominent enterprise and focus on your bottom line.  If something is negatively affecting your profit, you need to make the proper adjustments to improve the service for customers and ultimately the longevity of your business.

Chris Babel, senior vice president at VeriSign, notes that consumers need a greater level of assurance that the sites they visit online are safe to do business with.  The milestone of one million active SSL certificates demonstrates the firm’s presence in the industry.  Babel went on to state that VeriSign will continue to collaborate with its industry peers and help customers find most secure places for making purchases online.   Already responsible for securing more servers than any other internet security company, the VeriSign Secured Seal has become the most trusted of all on the web.

SSL certificates issued by VeriSign include VeriSign, GeoTrust and Thawte, all of which help to safeguard consumers against fraudulent websites by providing and validating information about the owner of the certificate. Consumers can learn the identity of the person they are dealing with and if the certificate holder is the legal owner of the domain name.  Most of all, these SSL certificates encrypt the customer’s personal information during internet transactions.   When a consumer visits a site equipped with such a certificate, their browser will display a padlock icon as well as HTTPS in the address bar.  This enables visitors to browse a web page with a greater level of confidence, helping them to feel comfortable about dealing with a legitimate site.

The most widely recognized of all, the VeriSign Secured Seal gives indication that a particular web page is protected with a brand of SSL certificate issued by VeriSign itself.  Throughout the world, this seal represents trust and security, one that has become a common fixture to validate leading online merchants, financial institutions and other prominent businesses on the internet.

A recent study conducted by TNS Research shows that 79% of online shoppers in the United States are familiar with VeriSign’s Secured Seal, trusting it more than other mark on the internet.  This seal is viewed well over 150 million time each day, thoroughly tested and proven to help boost online transactions by as much as 31%.  The study also reveals that the VeriSign Secured Seal can be found on more than 90,000 sites in over 140 countries across the globe.

Since the late 90s, VeriSign has been providing services for a reliable internet infrastructure to secure the huge world of networked computers.  Countless of times each day, its trusted SSL certificates and recognizable seals help businesses and consumers from worlds apart engage in secure E-commerce transactions with the utmost confidence.

Intruders are just as aware of the critical information that can be accessed through an application as the webmaster.  In many cases, their entrance and overall success is attributed to numerous factors.  Those conscious of the roaming threats typically monitor network perimeters with firewalls and intrusion detection systems.  However, these components actually encourage exploits as they are required to keep ports 80 and 443 open to support SSL and protect online transactions.  To an intruder, these ports are open doors that enable website attacks in a number of different ways.  Most network firewalls are configured to secure only the internal perimeter, leaving the company open to a wide range of attacks.  And while both intrusion prevention and detection systems are somewhat more effective, they don’t perform complete analysis of a packet’s contents.  Without an additional layer of security, a knowledgeable intruder can penetrate a web application with relative ease.

An organization dedicated to improving the security of web-based applications, the OWASP (Open Web Application Security Project) recently composed a list of 10 of the most common vulnerabilities in today’s applications.  The potential threats are associated with the following:

1. Cross site scripting

2. Server-side scripting errors

3. The execution of malicious code

4. Insecure direct object reference

5. Cross site request forgery

6. Improper error handling and data leakage

7. Penetration of authentication and session management

8. Vulnerable cryptographic storage

9. Insecure web communications

10. Failure to restrict write permissions and URL access

The WASC Web Application Security Consortium have validated the OWASP’s top five application vulnerabilities with the testing of 31,373 sites.  Additionally, the Gartner Group reports that 97% of more than 300 sites studied in a survey were found to be vulnerable to application attacks.  The same study also revealed that 75% of today’s web attacks occur at the application level.

The numbers indicate that most E-commerce sites are easy targets for an array of attacks.  While proper coding is the key to prevention, one of the best methods of defense against application exploits is a web application scanner.   This type of mechanism protects both applications and servers from intruders by crawling through the site and analyzing every piece of content.  Such products conduct various tests along with simulated application attacks throughout the scanning process.  If genuine security holes are detected, reports are made and detail the severity of each vulnerability.  Security experts recommend using a scanner that offers a technical, in depth explanation of each vulnerability detected along with appropriate suggestions for eradicating them.