Archive for the ‘Security & Fraud’ Category

Security & Fraud with MIVA Merchant

Thursday, October 2nd, 2008

I got a question today from Joyce over at Waechter’s Silk Shop asking about security for her MIVA Merchant store. She wanted to know if the host company, Hostasaurus, would notify her if her site was hacked. Since all of my MIVA Merchant clients use Hostasaurus as their hosting company, I thought it might be nice to post their answer here for all to see:

Only if a bug in software on the website was exploited remotely via a script.  If someone obtained their username and password for FTP or the store admin, we wouldn’t know that a particular successful login to the site wasn’t from an authorized person. If they have Encryption turned on in the store admin, the only way the credit card numbers could be obtained via the website would be if that person had the Encryption passphrase, as the card numbers are stored encrypted in the raw store databases.

If there was a PC infected with a virus that was sending keystroke information to a third party, then that party could have also obtained the passphrase and the login information. They should make sure antivirus is up to date and do a full scan of any computers that access the account.

Tips for Identifying Fraudulent Orders

Monday, March 10th, 2008

I got an email today from a client running a MIVA Merchant store at http://www.petitepluspatterns.com. She is an independent pattern designer living in BC, Canada. She got two orders she suspected of being fraudulent. Both orders were placed using free web-based email accounts (Yahoo and Gmail). Most people I know use these free email accounts these days, so simply disallowing orders from free email providers is not proof enough of fraud.

Here are some tips for identifying and avoiding fraudulent orders:

  1. Don’t accept a credit card order unless complete information is provided including full address and phone numbers.
  2. Be wary of any order originating from a free, web-based email address. The customer (more…)