Tag Archives: Tim Callan

For Holiday Cheer, Keep Customer Data Safe


This is Greg Balestrieri’s first Christmas as the Candy Man and he’s doing everything he can to make it a good — and safe — one for customers of his online sweet shop, Candy.com. Balestrieri and his cousin and co-owner Joe Melville opened Candy.com in July stocked with 6,000 types of candy from 500 sweets makers. Christmas goodies include gingerbread-shaped Peeps, a two-pound mint stick, and old-fashioned ribbons and sourballs like your Grandma used to keep in the living room candy dish.

To prep for Christmas, the eight-person Weymouth, Mass. company also stocked up on e-commerce security measures to keep customers safe while they shop, including the latest website encryption technology, multiple security seal programs, and payment options that don’t require customers to input a credit card number.

“It’s all about conversion,” Balestrieri says. “When you have thousands of people coming to your site every day, if making one little change like putting a security logo on your checkout page makes a 1 percent difference in conversion rate a day that can make a huge impact on your bottom line over time.”

Like Candy.com, small online merchants are mimicking the security practices of bigger, more well-known e-tailers to give customers a little peace of mind along with their wares this holiday season. It’s vital for small businesses to show they’ve got their customers’ best interests in mind because they don’t have the familiarity of big brand names to fall back on, says Robert Siciliano, a Boston Internet security consultant.

“In this day and age, you should be screaming about how secure you are,” Siciliano says. “Consumers are overwhelmingly concerned about their personal security as it relates to fraud prevention and identity theft. If you can show them you’re a security-minded brand, they’re more likely to do business with you.”

Secure holiday shopping cheer

When planning their online store, one of the first things Balestrieri and Melville did was hire a website hosting company that met widely used PCI DSS standards for processing credit card payments, which include a number of mandatory security measures.

To keep customers saying “Ho, ho, ho” instead of “Oh, no, oh, no,” here are other measures electronic shopkeepers should take, according to security vendors and consultants:

Use EVSSL — Extended validation secure socket layer, or EVSSL, is an upgrade to the existing SSL security standard that requires certification requests to go through a more rigorous identity check and authentication process. When a website has EVSSL, the browser’s URL address bar turns green: on the left for Firefox, on the right for Internet Explorer, or green text on a white background on Mac Web browsers. Since its February 2007 introduction, EVSSL has been adopted by 18,000 sites, including big names such as eBay and Overstock.com, but predominately small merchants, says Tim Callan, vice president of product marketing at VeriSign, part of the consortium that created the process. Some companies opt for EVSSL coverage throughout their entire site, while others like Candy.com use it only for the checkout process.

Sign up for seal programs — Small merchants can pay security agents to vet their websites to ensure they’re operating within set security precautions and get trust marks or seals to display if they pass. Charges for such programs vary; VeriSign’s is $995 a year per server. Other programs include TRUSTe, BBB and McAfee Secure. Some also display the date and time a site went through its most recent security checkup. Experts suggest merchants prominently display trust marks, especially on checkout pages or other spots where they’re asking customers to fill out forms.

Offer multiple payment options — For shoppers leery of giving credit card information to an online merchant they’ve never dealt with before, offering alternatives such as PayPal or Google Checkout is another way to gain their trust. Unlike larger merchants, small businesses don’t pay PayPal a monthly fee to maintain an account so it’s helpful and cheap, says Eddie Davis, the company’s director of small and mid-sized business service. However, merchants do pay PayPal a commission of 1.9 percent to 2.9 percent on each transaction. According to Davis, PayPal’s research has shown small merchants’ conversion rates go up 23 percent when they offer alternative payment methods. “We bring a lot of consumers who love using PayPal and they’ll seek out sites,” he says. Another option that security experts suggest is this: if you accept credit card payments, delete card information after a transaction, thereby eliminating any risk hackers could break in and steal it.

Show and tell — It’s not enough to display security program logos or trust marks on your website. You need to create a page somewhere that explains in detail what precautions you take, Siciliano says. That goes against the grain at some major online merchants, who treat their security measures as a competitive advantage. By contrast, smaller merchants who promote their security programs can use it as a way to differentiate themselves from their like-sized competitors. “Partnering with those big companies helps us get closer to that point of being trusted,” Balestrieri says.

Keep customers in the loop — If the name of your online store isn’t the same as your corporate name, include both on order confirmations or credit card receipts that get e-mailed to customers — it’ll save them from refusing the charge because they don’t know where it came from. “You’re also showing them you’re conscious of their card activity, you’re concerned for the security of their card,” says Siciliano, the security consultant. Because Balestrieri’s company’s legal name is G&J Holdings LLC, both that name and Candy.com show up in the Web browser window when customers are checking out, and on receipts.

E-commerce security isn’t just about keeping customers safe. Merchants have to make sure they’re not getting defrauded either. That’s why security experts suggest small businesses use intrusion protection hardware and software, monitor credit card activity levels and keep credit card blacklists.

SIDEBAR: Safe Shopping Resources

Resources online retailers can use to find out more about e-commerce security include:

- PCI Security Standards Council — The online home of the industry group that developed the PCI DSS security standard for credit card payments offers a variety of resources and information, including downloadable specifications.
- CA/Browser Forum — This volunteer industry consortium creates guidelines used for issuing EVSSL certifications and provides updates related to the standard.
- The Number One Sign of Trust on the Internet — Results of a May 2009 study from Synovate/GMI and commissioned by VeriSign about online shoppers’ security concerns.

New Ammo to Battle Online Fraud

When it comes to protecting customers online, small businesses can’t act small. Customers expect them to use the same safety measures employed by larger businesses. That’s why Terence Johnson didn’t wait for a customer at Scribendi, the Canadian editorial services company where he’s vice president of technology, to fall victim to a “phishing” expedition before upgrading his website security.

Last year, Johnson upgraded to a newer security protocol called extended validation secure socket layer, or EV SSL, an improvement to existing SSL that requires certification requests to go through a more rigorous identity check and authentication process before being approved. EV SSL is one of a handful of measures security experts and industry analysts suggest companies of all sizes take to combat phishers, identity thieves, and others out to steal valuable personal information from unwitting Internet users.

Acting before you need to is one way to keep the bad guys at bay, according to a December 2007 report on e-commerce fraud from The Aberdeen Group, a Boston technology researcher. According to Carol Baroudi, the Aberdeen Group analyst who wrote the report, all types of businesses that sell something or conduct financial transactions online can also prevent fraud if they:

- Authenticate new customers while they’re creating an account
- Add layers of user authentication, geo-location and device authentication
- Establish and enforce security policies
- Use anti-fraud directories
- Continuously educate themselves and customers on new types of security threats and protections

Consortium created EV SSL to combat fraud

A consortium of more than two dozen Web browser and security technology companies formed the CA/Browser Forum to develop and introduce EV SSL in February 2007. Since then, approximately 4,000 websites have been certified to use the protocol, says Tim Callan, vice president of SSL product marketing at VeriSign, a consortium member. Seventy-five percent of those websites are VeriSign customers, and of that number, 80 percent are small businesses, Callan says.

The thinking behind EV SSL: increasing the hoops parties need to jump through to be certified will weed out undesirables who create fake websites, and at the same time, make consumers feel safer when they visit legitimate online establishments, Callan says. To that end, when someone using Microsoft Internet Explorer 7.0 visits an EV SSL-certified Web site it turns the browser’s URL address bar green, much the way a green traffic light signals it’s OK to proceed. Upcoming releases of Firefox and Opera Web browsers are expected to work with EV SSL, according to industry reports. Apple isn’t part of the consortium and EV SSL doesn’t work with its Safari browser.

EV SSL isn’t cheap. VeriSign charges $995 per server per year, with volume discounts, and a second version with even stronger server cryptography costs $1,499 a year per server.

It’s not cheap, but it is worth it, says Johnson, the technology guru at Scribendi, in Chatham, Ontario, which has provided editing services to authors and other clients for 10 years and has a staff of 100. Customers appreciate businesses that go out of their way to provide them with security, Johnson says. And it pays off. In the four months after Scribendi started using EV SSL, the number of orders from Internet Explorer users who visited the website increased 27 percent from the four months immediately prior. “That’s an indication that people are learning to recognize” what it means, Johnson says.

As New York City apartment dwellers know to use more than one lock on their doors, websites should use more than one security system, business owners, security experts and others say. In addition to EV SSL, Scribendi uses security tools from the company’s Internet service provider, encrypts transmissions of manuscripts and other documents that editors are working on and authenticates payments in real time, Johnson says.

“When it comes to security, being a small business doesn’t count,” he says. “You have to use the best tools you can.”

SIDEBAR: Resources to Learn about EV SSL

Here are some resources small businesses can use to learn more about EV SSL and other measures for stopping e-commerce fraud:

- EV SSL FAQ — Everything you wanted to know about EV SSL, from the CA/B Forum, the volunteer consortium of 27 security companies and 4 Web browser makers that created the security protocol.
- A primer on e-commerce security issues — Published by Ecommerce-Digest.Com, an online publication that covers the Internet security industry.
- E-commerce white papers — A collection of research papers and other documents explaining online fraud and security measures used to combat it, from ZDNet, the technology trade publisher.
- The Anti-Phishing Working Group — A five-year-old industry association with 3,000 member companies that documents phishing activity and shares best practices for stopping it.