I, like anyone, am concerned when I type in credit card information online. We’ve all heard of a rash of hacks into online databases such as Target a year ago and Home Depot in September. So it didn’t surprise me to hear about a crackdown on security measures to ensure that your credit data is made safe.
When people purchase Behold, they have to do it through my BuyNow page. Even though the page looks like it's part of the rest of my site, if you look at the address bar in your browser, you'll actually see it is a secure page (https, rather than http) and it is not on my site beholdgenealogy.com, but on bluesnap.com. BlueSnap is the payment processing company I use to handle purchases of Behold.
BlueSnap is not a small company. They process purchases for tens of thousands of vendors, some smaller and some larger. They take security seriously. The crackdown on security has led to stronger standards for storage of credit card information. BlueSnap informed all their clients a couple of months ago that we are now required to become PCI DSS compliant. That stands for the Payment Card Industry Data Security Standard, and ensures that the way credit card information is stored and accessed is safe, right down to shredding any paper printouts of the numbers.
Fortunately for me, since I use a third party for processing, I don't have, or even have access to, any of the credit card information used to purchase Behold. BlueSnap maintains that data, with a staff to ensure security on their servers following the standards.
Even so, there were a number of non-trivial steps necessary for me to become PCI DSS compliant. BlueSnap uses Security Metrics to help them. In the past week, I had two phone calls with Security Metrics, several emails, filled in an online questionnaire, and was called back by them today, Boxing Day, to finish the assessment. They have a toll-free number from Canada available 24 hours (except not Christmas Day).
So going through this makes me feel more confident about how BlueSnap treats security. In addition to the Secure BlueSnap, BBB Online, Norton Secured and McAfee Secure icons I show at the bottom of my Buy Now page, I have now added the PCI DSS compliant logo shown earlier in this post, and it links to BlueSnap’s page about security on their website.
So, how safe are your credit cards when you give them to other genealogy vendors? The big ones like Ancestry have a secure payment page that shows off Thawte, BBB and TRUSTe logos. The BBB logo links not to the BBB assessment of their company, as it should, but just to the BBB home page. I don't know why they don't include the link, since they are rated A+. Maybe it's because of the complaints on that page, for instance those about attempting to cancel online. But that's another matter, not dealing with the safety of your credit card data.
You have to search for it, but if you do you can find that Ancestry is in fact PCI DSS compliant, as they state in Section 3.16 (b) of their Form 8-K from Oct 22, 2012. And that's good! It does not guarantee that they will never be broken into, but it at least does indicate that they take security seriously and have put in place the standardized measures that are designed to protect you.
With a company as big as Ancestry, they should be cognisant of security, and they are. But as I have found out over the years, security is not a simple thing for smaller companies to manage. I’ve written before about how I code-sign the Behold program and get it Windows certified for the user’s safety. I can vouch for what I do. But I can’t vouch for what everyone else does.
So be careful when supplying your credit card on the Internet. Ensure that you are dealing with a reputable company that shows that it is working to ensure the security of your transaction. Always check before you purchase something online and see if the vendor displays trust logos. Then click on the logos and see if they take you to somewhere official that confirms that the logos are valid. And never provide your credit card on anything other than a secure (https) web page. Non-secure transaction pages are the most obvious indication that safety measures at that particular site are lacking.