The Internet Crime Complaint Center, a federal government-backed organization commonly known as IC3, offers a lot of security tips that can help online retailers better meet Payment Card Industry Data Security Standard guidelines, security experts say.
“IC3 guidelines are best practices that help online merchants get ready to meet PCI security levels,” says Andrew Lauter, chief technology officer with Accertify Inc., a provider of technology and services for preventing fraud in card-not-present payment transactions. Payment Card Industry Data Security Standard guidelines, often referred to simply as PCI, provide several steps that retailers are expected to follow to prevent the theft of consumer payment account data from their networked databases.
The IC3, located on the web at IC3.gov, operates as a partnership of the Federal Bureau of Investigation, the National White Collar Crime Center of the U.S. Department of Justice, and the Bureau of Justice Assistance, a non-profit organization supported by the Justice Department.
Among the IC3’s guidelines, for example, is a recommendation to disable procedure calls that can enable criminals to launch successful SQL server attacks, primarily against Microsoft SQL servers. The IC3 specifies that companies should disable the procedure calls known as xp_cmdshell, OPENROWSET and OPENDATASOURCE. If a merchant needs to use these procedure calls, which are designed to pull information from databases, it should install special IP filters on its SQL servers, the IC3 says.
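The hardening step described above, as an added T-SQL example that is not from the IC3 or from this article: it audits and then disables xp_cmdshell and the "Ad Hoc Distributed Queries" server option, which governs ad hoc OPENROWSET and OPENDATASOURCE calls. It assumes Microsoft SQL Server 2005 or later and a login with the ALTER SETTINGS permission.

```sql
-- Added example (not IC3's or the article's code).
-- Assumption: SQL Server 2005+; caller holds ALTER SETTINGS (e.g. sysadmin).

-- 1. Audit: enabled = 1 means the feature is currently switched on.
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ad Hoc Distributed Queries');

-- 2. Both settings are "advanced" options, so expose them first.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;

-- 3. Disable xp_cmdshell, which runs operating-system commands from T-SQL.
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

-- 4. Disable ad hoc OPENROWSET / OPENDATASOURCE connections to OLE DB sources.
--    Note: OPENROWSET(BULK ...) is not covered by this option; it is gated
--    by the ADMINISTER BULK OPERATIONS permission instead.
EXEC sp_configure N'Ad Hoc Distributed Queries', 0;
RECONFIGURE;

-- 5. Hide the advanced options again.
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 6. Verify: fail loudly if either feature is still active.
IF EXISTS (
    SELECT 1
    FROM sys.configurations
    WHERE name IN (N'xp_cmdshell', N'Ad Hoc Distributed Queries')
      AND CAST(value_in_use AS int) <> 0
)
    RAISERROR(N'xp_cmdshell or ad hoc distributed queries still enabled.', 16, 1);
ELSE
    PRINT N'xp_cmdshell and ad hoc OPENROWSET/OPENDATASOURCE are disabled.';
```

Re-running step 1 on a schedule catches cases where an administrator or an installer has switched either option back on.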
Other IC3 guidelines cover the number of characters in web page addresses and steps to secure dynamic web site content.