
Fraud Prevention
"Security is Everyone's Business"

Here are some recommended practices that you should implement to ensure that your Web site (or that of your hosting company) is secure.

Best Practices and Guidelines for your company and ISP/hosting provider

It is your responsibility to implement these security safeguards in your organization, and to require that your ISP, hosting company and/or shopping cart provider implement the following practices before you sign a contract with them.
1. Ensure safe storage and use of passwords and credit card numbers

Passwords should never be stored in recoverable form: store them as salted one-way hashes. Credit card numbers (if they must be stored at all) should be stored encrypted, behind a properly configured firewall. This applies to passwords and/or card numbers that appear in scripts, code, pages, logs, and databases. (It is best not to store credit card numbers at all.)

Restrict distribution of passwords as much as possible. Never distribute passwords by email.

We recommend that you remember your password rather than writing it down. If you must write it down, keep it in a secure place. If it is stored on your computer, it should be encrypted.

Passwords should be at least 8 characters long and combine uppercase letters, lowercase letters, and numbers. Example: Zm23Cv9UcT (Please do not use this example!)

Passwords should be changed frequently, especially whenever personnel who have password access leave the department or organization. For instructions on how to change your password, visit:
http://www.verisign.com/support/payflow/manager/selfHelp/password.html

NOTE: If you are using Payflow Pro, the password change will also need to be made in your Payflow Pro application/storefront. You may need to coordinate the password change in advance with your software developers.

Do not use guessable passwords.

Remember to reset all default passwords! Ensure that your operating systems and applications do NOT use default passwords!
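The following is an added example (not code from VeriSign, SafeScrypt or the original page) showing how a storefront's own login code can enforce the password policy above and store passwords as salted one-way hashes rather than in recoverable form. The guessable-password list, the iteration count and the record format are assumptions made for this example; the page's own sample password is deliberately on the reject list.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed list of guessable/default passwords for this example;
# a real deployment would use a much larger dictionary. The page's own
# sample password is included so that nobody reuses it.
GUESSABLE = {"password", "admin", "changeme", "letmein", "12345678",
             "qwerty123", "zm23cv9uct"}

PBKDF2_ITERATIONS = 200_000  # hypothetical tuning; raise as hardware allows


def password_meets_policy(password: str) -> bool:
    """Apply the page's policy: at least 8 characters mixing uppercase,
    lowercase and digits, and not a known guessable/default password."""
    if len(password) < 8:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_upper and has_lower and has_digit):
        return False
    return password.lower() not in GUESSABLE


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the record that gets stored: a random salt plus a PBKDF2-HMAC-SHA256
    digest. Record format (assumed): pbkdf2_sha256$<iters>$<salt-hex>$<hash-hex>."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time so the comparison does not leak how much of it matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(store: dict, username: str, password: str) -> bool:
    """Enrol a user only if the password passes policy. The dict stands in for
    the application's user database and holds hash records, never passwords."""
    if not password_meets_policy(password):
        return False
    store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {}
    print(register(users, "alice", "password"))                # False: guessable
    print(register(users, "alice", "Tr4ffic-Lamp77"))          # True
    print(verify_password("Tr4ffic-Lamp77", users["alice"]))   # True
    print(verify_password("tr4ffic-lamp77", users["alice"]))   # False
    print("Tr4ffic" in users["alice"])                         # False: no plaintext stored
```

Note that the stored record contains only the salt and digest, so a copied database, log line or backup does not expose the password itself; a card number, by contrast, must be recoverable to charge it and therefore needs real encryption and key management, which is why the page recommends not storing it at all.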
2. Protect sensitive information by encrypting its transmission from the consumer's browser to your web site using a Server Certificate (128-bit SSL encryption). Knowing the connection is encrypted also makes customers more likely to complete a purchase on your web site. You can find out more about SSL encryption at:
Phone: 91-44-22540863
Web Site: https://www.safescrypt.com/products/
3. Firewalls - passwords, credit card numbers, and other user information must be protected behind properly configured firewalls.
4. Ensure that all security patches have been applied to your operating system, Web server, application server, and database.
5. Use virus scanning software and make sure your virus definitions are up to date.
6. Scan your web site for network vulnerabilities using QualysGuard; test drive it at:
http://www.verisign.com/products/site/index.html
7. Where possible, implement limits that frustrate potential attackers, for example:
Limit the number of password attempts allowed by your login scripts.
Limit the number and type of characters allowed in your input fields.
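As an added example of the two limits in item 7 (this is illustrative code, not part of the original page or of any VeriSign product), the block below implements a per-account lockout after a number of failed logins within a sliding window, and a per-field whitelist that caps both the length and the character set of storefront inputs. The field rules, the attempt limit, the window and the `check_credentials` callback are assumptions for this example; in a real storefront the callback would be the salted-hash verification from item 1.

```python
import re
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5          # hypothetical: failures allowed per account per window
WINDOW_SECONDS = 15 * 60  # hypothetical: 5 failures in 15 minutes locks the account

# Per-field rules: maximum length and the characters that are allowed.
# Constructed for this example; tune them to your storefront's own fields.
FIELD_RULES = {
    "username":    (32, re.compile(r"^[A-Za-z0-9._-]+$")),
    "card_number": (19, re.compile(r"^[0-9]{13,19}$")),
    "zip":         (10, re.compile(r"^[0-9]{5}(-[0-9]{4})?$")),
    "name":        (64, re.compile(r"^[A-Za-z][A-Za-z '\-]*$")),
}


def validate_field(field: str, value: str) -> bool:
    """Reject input that exceeds the field's length cap or contains characters
    outside its whitelist. Fields without a rule are rejected, not passed through."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        return False
    max_len, pattern = rule
    return len(value) <= max_len and pattern.fullmatch(value) is not None


class LoginLimiter:
    """Track failed logins per account and refuse further attempts once the
    number of failures inside the sliding window reaches max_attempts."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock  # injectable so the window can be tested without sleeping
        self.failures = defaultdict(deque)  # username -> timestamps of failures

    def _prune(self, username, now):
        q = self.failures[username]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, username) -> bool:
        now = self.clock()
        self._prune(username, now)
        return len(self.failures[username]) >= self.max_attempts

    def record_failure(self, username):
        self.failures[username].append(self.clock())

    def record_success(self, username):
        self.failures.pop(username, None)


def attempt_login(limiter, username, password, check_credentials):
    """Order matters: validate the input shape, then consult the lockout, and
    only then touch the credential store. Returns 'invalid-input', 'locked',
    'ok' or 'bad-credentials'. check_credentials(username, password) -> bool
    is the application's own verifier (a salted-hash comparison in practice)."""
    if not validate_field("username", username):
        return "invalid-input"
    if limiter.is_locked(username):
        return "locked"
    if check_credentials(username, password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "bad-credentials"


if __name__ == "__main__":
    # Constructed stand-in verifier for the demo; never compare plaintext in production.
    demo_check = lambda user, pw: user == "alice" and pw == "correct"
    limiter = LoginLimiter(max_attempts=3, window=60)
    for pw in ("wrong", "wrong", "wrong", "correct"):
        print(attempt_login(limiter, "alice", pw, demo_check))
    # bad-credentials x3, then 'locked' even though the last password is right
    print(validate_field("card_number", "4111111111111111"))   # True
    print(validate_field("card_number", "1' OR '1'='1"))        # False
```

Checking the lockout before the credential store means an attacker who is locked out learns nothing further about the account, and the whitelist rejects quoting and markup characters in fields that have no business containing them, which removes the usual payload characters for injection before they reach a script or database.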
8. Use the Payflow IP Address Restriction function

VeriSign offers a feature that lets you specify the IP addresses allowed to access VeriSign Manager and, if you are a Payflow Pro customer, the IP addresses allowed to submit Payflow Pro transactions. Taking advantage of this feature helps protect you from unauthorized access to, or transaction activity on, your account. To use it:

Identify the computers from which you plan to access Payflow Manager (https://manager.verisign.com). If you use Payflow Pro, also identify where your Payflow Pro transactions originate.

Next, determine the IP address of each of these computers by contacting its ISP, hosting company or administrator. (How you can identify your IP addresses)

Once you have your list of IP addresses, contact VPS Technical Support at 888-883-9770 and have them entered on your account. You will need to fill out the following form:
VeriSign IP Address Security Form

NOTE: If you use both Manager and Payflow Pro, be sure to specify ALL IP addresses that access these services. If you do not, your storefront may be unable to run transactions, or you may be unable to access Manager.
9. Review VeriSign Manager reports at least once a week, at: https://manager.verisign.com
10. If you or your organization do not have the ability to implement these recommended security safeguards, SafeScrypt offers training and consulting services. For more information, see:
Training: http://www.safescrypt.com/training/index.jsp
11. Make sure that the Web host or ISP you are using is CISP (Visa Cardholder Information Security Program) compliant. Here are some questions to ask your ISP/Web host:
http://www.usa.visa.com/media/business/self_assess.pdf
Following good security practices can help you benefit from increased revenue and customer satisfaction. If you have any questions about security, feel free to contact Customer Service at: support@safescrypt.com