Website Security Tips

     
    All IndieCommerce sites are PCI Compliant, and credit card information is safely encrypted using an SSL Certificate.  All of our credit card data is stored securely by one of the most trusted payment gateways on the web, Authorize.net.
     
    That said, from time to time, stores might unknowingly engage in activity that can endanger their PCI Compliance.  Please find helpful tips below on the do's & don'ts of security for your site.
     
    • Never collect credit card information outside of your secure checkout pages.  Do not ask for credit card information in a webform or via email; doing so can lead to severe fines. 
    • Avoid placing outside content on secure pages.  Any time you create a new block, by default it is set not to display on secure pages.  If a block pulls content from outside of your site, customers will encounter a security error on the checkout page.  Most commonly, this has been seen with embedded Facebook or Twitter feeds.
    • Don't use the 'User login' block. Instead, use the login link on the secure 'My account' page.  The User login block can be convenient while developing your site, but once your site goes live, it should be removed.
    • Use separate administrator accounts, and remove access when an employee has left.  Store roles can be added or removed by going to User Management > Store Roles.
    • Change passwords once every 3 months.
     

    Terminology

    SSL Certificate: SSL, or Secure Sockets Layer, is a protocol designed to enable applications to transmit information back and forth securely. Your SSL Certificate makes sure that all of your customer data, including credit card information, is transmitted securely over the web.
     
    PCI Compliance (PCI DSS): Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing, and transmitting their customers' credit card data.
     
    Secure Pages: Pages that are encrypted with an SSL certificate on your site.  Secure pages are listed below:
     
    node/add*
    node/*/edit
    user/*
    admin*
    user
    imce*
    cart/*
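    The two tips above that are easiest to check automatically are the secure-page list and the "no outside content on secure pages" rule. The following is an added example, not IndieCommerce's own code: it matches a path against the wildcard patterns listed above (assuming '*' matches any run of characters, as Drupal path matching does) and flags http:// scripts, images, frames and stylesheets that a block would load on such a page. The block HTML and hostnames are constructed for the example.

```python
import re

# Secure-page patterns exactly as listed on this page.
SECURE_PATTERNS = ["node/add*", "node/*/edit", "user/*", "admin*", "user", "imce*", "cart/*"]

def pattern_to_regex(pattern: str) -> str:
    # Assumption: '*' matches any characters, including '/', like Drupal's path matcher.
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"

def is_secure_path(path: str, patterns=SECURE_PATTERNS) -> bool:
    """True if the site path (without leading/trailing slashes) is served as a secure page."""
    path = path.strip("/")
    return any(re.match(pattern_to_regex(p), path) for p in patterns)

# Attributes whose http:// value makes the browser load an insecure resource on an HTTPS page.
# Plain <a href="http://..."> links are only navigation and are deliberately not flagged.
SRC_RE = re.compile(r"""\bsrc\s*=\s*["'](http://[^"']+)["']""", re.I)
LINK_HREF_RE = re.compile(r"""<link\b[^>]*\bhref\s*=\s*["'](http://[^"']+)["']""", re.I)

def find_insecure_resources(html: str) -> list:
    """Return every http:// resource URL the block would load (scripts, images, frames, styles)."""
    return SRC_RE.findall(html) + LINK_HREF_RE.findall(html)

def audit_block(path: str, html: str) -> list:
    """Insecure resource URLs that would break the secure page at `path`; empty means it is fine."""
    if not is_secure_path(path):
        return []          # block is not shown on a secure page, so no mixed-content risk here
    return find_insecure_resources(html)

# Constructed block markup: an embedded third-party feed widget loaded over plain http.
SAMPLE_BLOCK_HTML = """
<div class="block">
  <img src="https://cdn.example/logo.png" alt="store logo">
  <script src="http://feed.example/widget.js"></script>
  <a href="http://partner.example/">Partner store</a>
</div>
"""

if __name__ == "__main__":
    for path in ["cart/checkout", "node/12/edit", "node/12", "about-us"]:
        print(path, "secure" if is_secure_path(path) else "public", audit_block(path, SAMPLE_BLOCK_HTML))
```

Run it against the HTML of each custom block before enabling the block on secure pages; any URL it reports should be switched to https:// or the block kept off the checkout pages.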