As we become more and more reliant on the internet for virtually every part of our daily lives, the complexity of maintaining website security becomes even more daunting. But just because it’s daunting doesn’t mean we can simply ignore it or assume that it’s someone else’s responsibility. As a digital product agency, setting up and maintaining a secure environment for our clients’ web properties is an incredibly important part of the work we do.
For those who aren’t experts in web security, conversations about what to do, when to do it and why to do it can be overwhelming, confusing or frankly boring. So what do you really need to know about internet security? Here’s our take.
Why Your Website Security Matters
There are several regulatory and legal compliance standards that organizations must uphold when they handle user data. A few include PCI DSS (Payment Card Industry Data Security Standard) for credit card processing, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the Children’s Online Privacy Protection Rule (COPPA). These standards protect user data, and organizations that fail to comply can be fined and, under some of these laws, face criminal penalties.
In a nutshell, PCI compliance is a set of standards that govern how payment card data is accepted, transmitted, processed and stored securely. The Payment Card Industry Security Standards Council (PCI SSC) is an independent body created in 2006 by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). PCI DSS is enforced by contract rather than by statute: failure to comply can lead to fines from your acquiring bank and, ultimately, to losing the ability to accept cards as a method of payment. The first version of the standard was released in 2004, and as technology evolves, so does the standard.
If you are building or maintaining an eCommerce site or any product that processes transactions, familiarity with PCI compliance is paramount. Fortunately, many companies specialize in payment processing (Square, Stripe, PayPal or Shopify, for example), and you can use their hosted checkout or tokenized payment fields so that card numbers never touch your servers. That does not make PCI go away, but it dramatically reduces your scope: you still complete a self-assessment questionnaire (the short SAQ A if card data never reaches your systems), and you remain responsible for the page that embeds the payment form, because a malicious script injected into that page can capture card details before they ever reach the processor.
The General Data Protection Regulation (GDPR) was put into effect on May 25, 2018 and though it was passed by the European Union, it has a global impact. The regulation is about 90 pages and not what we would consider a beach read so from our perspective, here’s what you need to know:
- If your website processes the personal data of people in the E.U., offers goods or services to them, or monitors their behavior, GDPR applies to you — even if you aren’t in the E.U. It is about where the people are, not their citizenship.
- Data protection must be baked into your experience “by design and by default”. If you’re creating a new website and you collect email addresses for your newsletter, you must collect only what the newsletter actually needs, keep those addresses only as long as you need them, and store and protect them in a GDPR-compliant manner.
- You can’t collect and store personal data just for the sake of it: every piece of data needs a stated purpose and a lawful basis. Consent is one such basis, and when you rely on it, it must be specific, informed and unambiguous, and as easy to withdraw as it was to give. It is not the only basis, though; performing a contract the user asked for, meeting a legal obligation and a documented legitimate interest are others. If you’ve ever wondered why every website you visit has a popup or banner asking you to accept cookies, this is a large part of why: non-essential cookies and trackers require consent, and GDPR sets the bar for what counts as valid consent.
- If someone requests that you delete their data, you must delete it (the “right to erasure”), unless you have a legal reason to keep it, such as a record you are required to retain. This means all users need a way to request deletion, the request must be fulfilled without undue delay (normally within a month), and you should keep a record that it was done. That includes copies held by third-party services you use, such as your email marketing provider.
GDPR can seem complicated, but compliance is relatively straightforward to accomplish. We should always be thoughtful about the personal information we ask for and guard it like it’s our own.
The California Consumer Privacy Act of 2018 (CCPA) is very similar to GDPR, with specific application to California residents. It formally applies only to businesses that meet one of its thresholds (for example, more than $25 million in annual revenue, or handling the personal information of a large number of California consumers), but since we generally can’t control who visits a public website, it’s best to act like CCPA applies to you. One interesting nuance of CCPA is that businesses cannot deny goods or services, change their prices or provide a different level or quality of service because a user exercises any of their rights under CCPA.
This can be confusing, because we are used to signing up for an email newsletter in exchange for a discount on a product or service. That exchange is still allowed, as a disclosed financial incentive, but if a user provides you with their email address and receives a discount coupon, they are within their rights to then ask that you delete their email address from your database, and you can’t penalize them for asking.
Another important regulation to be mindful of when you’re building or maintaining a website is the Children’s Online Privacy Protection Rule (COPPA). The underlying act was passed in 1998, as younger people started using the internet and were therefore targeted by online marketing, and the FTC rule implementing it took effect in 2000. Like GDPR and CCPA, we can’t generally block websites from being accessed by children (COPPA specifically covers the privacy of children under age 13), so we have to be aware of what COPPA means.
If a site directed at children, or one that knows it is dealing with a child, requests personal data from users younger than 13, it must obtain verifiable parental consent first. We often see this take the form of a checkbox or similar component on a registration form asserting that a parent or guardian has consented, but a checkbox anyone can tick is not “verifiable” in the FTC’s sense. Methods the FTC recognizes include a signed consent form, a small credit card or other payment transaction, a phone or video call with trained staff, a check of a government-issued ID, and, for data used only internally, an email confirmation with a follow-up step. Like GDPR and CCPA, it’s important to consider what kind of information we’re requesting from all users, but especially younger users. If we don’t need the data to create a great and useful experience, we don’t need to ask for it, store it or maintain it.
Yes, Even You Can Ensure Website Security
Website security isn’t purely a development responsibility: compliance with PCI, GDPR, CCPA and COPPA should be considered across the entire product experience, from the forms you design to the third-party services you plug in. If you’re wondering how well your existing digital product stands up to these requirements, consider doing an audit either internally or with an agency partner like Mediacurrent. We can help you develop a roadmap to ensure that the things you build are compliant, stable and secure.