More security than compliance is needed

While PCI compliance is necessary for companies to follow, Mary Ursula Hermann, a network security analyst, said in Crain's Cleveland Business that it is not enough on its own when it comes to security. Other tools such as firewalls, antivirus software and SSL certificates from companies such as Thawte and VeriSign should also be used to help secure the company and the customers who use its website.

As an example of why compliance isn't enough, she points to the Heartland breach of 2008, in which a group of attackers stole credit card information from a major credit card processor that had been certified as PCI DSS compliant. Despite the certification, there was a weakness in the system guarding important customer information, and an attacker dug deep enough to find it. This is why companies need to stretch beyond simply being compliant and move toward actually being secure.

"But that doesn't mean compliance is useless," she said, according to Crain's. "Compliance is a baseline, a tool in your security arsenal. Working towards a certification and achieving it should be, for you and your security team, the accepted minimum standard for your organization's information security program, which should be constantly evolving the same way that threats are constantly evolving."

Noobpreneur said there are many security protocols that eCommerce companies need to follow, with SSL certificates merely being a start. The website said password security, data encryption and safeguards for customer logins are all important parts of security that should be taken very seriously.

Companies looking for better website security can get a good jump on it by installing SSL certificates from companies like VeriSign and Thawte. While that is only a first step toward complete security, it is a very good and much-needed one.