Last week, I was invited to speak at the Twin Cities Web Design and Standards group.  The topic was how to build secure websites so I tailored the content for website designers and programmers who run up against objections from their clients when the topic of security is brought up.

Norm Coleman’s website problems started long before I found his unprotected database.  The programmer who designed the site, did something that made my stomach turn; he stored the full credit card numbers with the expiration date and 3 digit code the back of the card in the database.  The programmer had created a custom CMS (Content Management System) for the Norm Coleman Campaign.  I suspect that at sometime during the planning phase or development, he was asked to store the credit card numbers for “convenience”.  This was what did Norm in.

Often, people see website security as something that can be taken care of “later” after the shiny new site is launched.  Things like PCI security compliance seem complicated and unnecessary.  I’ve heard clients say, “I doubt anyone is going to try and hack our site or our network”.  Visa and Mastercard require than any company doing credit card transactions agree to take certain steps to keep that data safe; that’s known as PCI (Payment Card Industry) or CISP (Cardholder Information Security Program)

I spent time talking about common website attacks hackers used and how to educate your clients.  One of the hardest things in the technology world is getting “buy in” from the people who will actually use the stuff!  Maybe it’s human nature to resist change.

Below you will find the list of the 12 things businesses are expected to do if they accept credit cards.  From an IT person’s perspective, they seem very ordinary and essential…things you would just do because you are in charge of a network.  I see that there often a disconnect between a company’s technical staff and the website development/programmer folks.

Photo Credit: Locks by Leonid Mamchenkov