Asking the right questions is obviously critically important to the success of your feedback survey. A feedback survey is really only as good as the questions that it asks. But simply asking the questions that you want answered is really not enough to get the job done.

Your feedback survey should be loaded with questions that are written and conceived in such a fashion that they extract the most amount of information possible, but do so in a quick and user-friendly manner. You want your customers and website users to have a feedback survey in front of them that is purposefully created with a sharp and precise end goal in mind. This goal is learning as much as possible in the fewest number of questions.

Keeping your feedback survey short, but expertly crafted and laser focused, is vital in creating a successful feedback survey. While the experts will create an elegantly designed feedback survey for you, it is important that you think about what you what to know the most from your customers.

Creating a list of the most desirable information that you wish to glean from your clients is an excellent place to start. In this way, you will orient your thinking toward what you wish your targeted feedback survey to accomplish.

Feel free to be probing in your questions. While you might not be able to determine exactly how a given question should be asked or how particular information should be extracted, a savvy and seasoned expert will be able to construct a feedback survey that certainly gets the job done.

In the end, realize that your feedback survey is one of the best tools that your business has. Many companies fail to realize the importance of obtaining this data, and they do so at their own peril. By realizing the importance of the feedback survey, you have taken a step toward improving your business and maximizing your profits.

Everyday more online retailers are adding customer surveys to their checkout process. Without consumer ratings, often merchants find that assessing whether or not customers are pleased is a somewhat of a guessing game. Consumer ratings have many benefits including the fact that merchants can gain valuable feedback about the shopping experience from the customer’s point of view.

Adding customer surveys to your online store can be one of the most effective ways of increasing the loyalty of your shoppers. As a result, this method can be extremely beneficial for growing sales. Not only will your customers be more likely to turn into repeat clients, they may be so pleased with their experience that they recommend your products or services to others.

On the other hand, often when your customers are unhappy with their experience, they won’t say anything. They will just disappear for good. Needless to say, you have lost their repeat business. Often you will find through customer surveys that the issues that your clients have are quite small and can be easily addressed. However, just these issues could have very easily equated to customers choosing another shopping destination for future purchases.

There are a variety of ways to easily add customer surveys into your transaction process. For example, one company called Shopper Approved adds customer surveys that come up right after a customer orders his or her product. This way a client’s initial thoughts can be expressed through the means of this customer survey form.

Through the Shopper Approved software, customers can also opt-in to participate in a longer survey after receiving their purchase. This sort of automation through the means of software allows customer surveys to be a smooth and easy process for your customers. Luckily, computers allow online customer surveys to be a thoroughly automated process. As a result, confusing paperwork and/or mailers are now a thing of the past.

Are you in compliance with the current standards that are set in these times of needed security? You must ask this question daily. You and your business needs to be in charge of security for yourself and your customers.

Why has the PCI Council set forth a series of PCI standards? The answer is pretty clear cut — because identity theft has become one of the most rapidly growing and problematic issues to date. In fact, identity theft is a problem crime that’s growing at astronomical rates worldwide. As such, the development of PCI standards seeks only to protect businesses and consumers from would be ID thieves.

PCI standards vary from merchant to merchant based on specific merchant levels. These merchant levels are derived from a series of criteria that were compiled by the PCI Council. Depending upon which merchant level your business carries, you’re PCI standards may vary from that of a different merchant. However, if you plan to continue in e-commerce or you have aspirations of accepting credit card or debit card payments through your website, you will be required to know and adhere to your specific PCI standards.

Today, there is a wide variety of tools designed to help businesses comply to PCI standards. PCI scanners and PCI vulnerability tools are relatively easy to find and can end up saving merchants lots of money and heartache in the long run. In as much as PCI scanning can protect merchants from these scams, it can also protect and save you and your consumers a substantial amount of time and money over the long haul as well.

Statistics indicate that victims of identity theft spend around 600 hours trying to correct all of the problems caused by the crime. This is an increase of over 2000% in the last three years. With technology becoming more advanced, crime is becoming more advanced as well. As such, in order to stay ahead of the thieves, the PCI standards set forth by the PCI Council are becoming mandatory.

It’s also notable that the utilization of tools to help businesses adhere to the PCI standards set forth by the PCI Council is also an excellent marketing tool. In fact, many consumers agree that if a company can provide them constant and consistent safe and secure transactions, they will very likely become repeat customers. It stands to reason that protecting your customers is an act of good faith and also helps to instill confidence in the consumer that you are a reputable business owner, who cares about the client’s needs.

It is possible to learn more about PCI standards and what it takes to be PCI compliant. You will find that, especially as a merchant, questions are readily answered in order to help you best serve yourself and your customers. It’s also important to note that even if you are a sole proprietor, any transaction made over the Internet must adhere to PCI standards.

The time is now, and if not today then tomorrow. It is time to be in charge of your security and to be in compliance with the current standards set forth.

The reason why PCI scanning vendors were put into place is to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

Wikipedia has this to say about internet fraud of credit cards. “Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank, a security risk is created. However, many banks offer systems where encrypted card details captured on a merchant’s webserver can be sent directly to the payment processor.”

In order to apply to be able to do this PCI Scanning a company has to first complete a Self-Assessment Questionnaire on an annual basis. During the Spring of 2008 a new SAQ was launched and was re-designed to make the questions more relevant to what merchants actually do. There are now four parts, and depending on which part best matches what a company does, will determine the number of questions that will need to be answered – and whether or not quarterly vulnerability scanning is required. Companies will also need to make sure they attest to the truthfulness and accuracy of their responses on the SAQ.

Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructures containing externally facing IP addresses. This is very important for your company’s piece of mind.

Who has to comply to PCI scanning? If you are a merchant or service provider and accept credit cards you must validate PCI compliance at least annually.

Even if you are a small business and only take a handful of cards on a daily basis, you still need to comply with the PCI scanning.

The primary goal of vulnerability scanning is to pinpoint and identify any device inside your network, which may be susceptible or vulnerable to threats. It’s important to remember that not all vulnerability scanners are created equally. And for this reason, you should do your homework prior to utilizing any vulnerability scanning vendor.

As of late, it has become increasingly important that online e-commerce retailers utilize vulnerability scanning in order to protect themselves from the many electronic threats lurking in the dark reaches of the Internet. The use of a vulnerability scanner can help protect your network in your system from hackers and other electronic “vulnerabilities”. The use of the vulnerability scanning is considered to be a proactive approach to protecting yourself and your customers during the process of e-commerce.

Running a vulnerability scan can reveal areas in your network that are weak or prone to attack. This can allow you to make necessary changes to your network in order to protect yourself and your customers.
As with anything else, it is important to note that the use of a vulnerability scanning is not foolproof. It is important to combine the use of a scanning with other means of protection in order to ensure security.

As mentioned before, it’s a good idea to do your homework and review some of the available Approved Scanning Vendors on the market today. You will find that researching available vulnerability scanning vendors to online resources is one of the smartest ways, and the most time efficient ways, to locate a high-quality vulnerability scanner. You may find it in a fit to note that most vulnerability scanners are relatively simple to use. A few simple instructions should have you up and running in no time. If you find the use of vulnerability scanning to be too complicated, it is possible to find a professional to perform the service for you.

Remember, the reputation of your online business could be at stake, spending a little time in proactive research of your network could end up saving you lots of effort, time, and even money in the long run. So start your vulnerability scanning today.

• How many vulnerabilities do you scan for?
• Does your company offer Daily Scanning, Quarterly Scanning or both?
• Does your company offer PCI Seals to place on my website to show my customers that they can trust me? (Very Important)
• Is your company an ASV certified scanner or are you partnered up with an ASV Certified vendor?
• How long does the process take?
• Do you offer me PCI Compliance tools such as the Self Assessment Questionnaire (SAQ) and the Compliance Validation Basics information to help me become compliant?
• Does the scanning vendor send you the scanning reports frequently or can you download them?
• Will you support me in becoming PCI compliant?

So make sure you save these questions or print out this post so that when you go to these PCI Compliance scanning vendors that you can ask these important questions. Lets go over each question in detail at this time to really understand their unique importance.

How many vulnerabilities do you scan for?

The number of vulnerabilities scanned for on you servers and external facing IP addresses is important due to the very fact that hackers are finding different ways all the time to hack into our information. The company that you go with to provide your PCI scanning needs to stay up-to-date on all the vulnerabilities that are out there.

Does your company offer Daily Scanning, Quarterly Scanning or both?

This is really a preference of yours. A lot of people including myself would want daily scanning mainly for the fact that I would want to show my visitors and customers that my site is scanned daily. But to become compliant with the PCI Security Standards Council all that you will need is Quarterly. So really it is up to you. Most companies offer at least quarterly so that should be a minimum requirement.

Does your company offer PCI Seals to place on my website to show my customers that they can trust me?

Placing a seal on your website letting your visitors know that your site is secure is so very important and is a must. Providing trust and confidence to your visitors and customers mean more sales, higher conversion rate and more repeat purchases. Make sure that the company that you are purchasing from has seals for all of their PCI scanning services.

Is your company an ASV certified scanner or are you partnered up with an ASV Certified vendor?

To be in compliance with the PCI Security Standards you must be scanned by an approved ASV certified vendor. So when you are shopping around this is a must. Some companies partner directly with ASV certified companies, so and if you can’t find them listed as an ASV certified scanner, simply ask them who their ASV certified partner is.

How long does the process take?

The actual process of becoming PCI compliant can take some time but to actually get your servers scanned should take that long to implement. So this is a great question to ask, if you are impatient like me.

Do you offer me PCI Compliance tools such as the Self Assessment Questionnaire (SAQ) and the Compliance Validation Basics information to help me become compliant?

Having these tools are essential in becoming PCI compliant and your scanning vendor should have these readily available for you with simple explanations of how to fill them out. Granted you can find it all online but it is nice when the scanning vendor has it ready for you to fill out.

Does the scanning vendor send you the scanning reports frequently or can you download them?

Once you have been scanned your PCI scanning vendor should either send you the scanned reports to you by email or have a secure control panel where you can download them easily. It is that simple.

Will you support me in becoming PCI compliant?

Although the PCI scanning vendor really has nothing to do with you becoming compliant other than scanning your website for vulnerabilities and giving you the reporting required. It is important that they guide you through the process and give you a helping hand.

All of these things need to be answered the way you would like to hear them and if they are then you have found the correct company.

Trust Guard offers a great pci scanning comparison chart that you really need to check out. They compare website verification companies and PCI compliance scanning companies. So learn more about Trust Guard PCI Scanning and also compare McAfee Secure and Control Scan.

So there it is a great checklist of items to help you with your PCI compliance scanning vendor searching. Hope it has helped direct you in the correct path.

The Payment Card Industry Data Security Standard (PCI DSS) is a collaborative effort to achieve a common set of security standards for use by entities that process, and store payment card data. There has been a lot of talk about how effective PCI Compliance is and will it really protect you and your customers. What you need to remember is that PCI Compliance is not the end all of security. Security is a mindset and nobody can ever say that they are perfectly secure. PCI Compliance is the first step to building up your security by following the current security standards and scanning your servers for vulnerabilities.

Here are some great statements by Michael Dahn of PCIAnswers.com about Compliance vs. Validation and Compliance vs. Security:

“There is a difference between ‘compliance’ and ‘validation’. Compliance is a state of being, one that must be maintained at all times. Validation is a point-in-time check on that state of compliance. The example I give is auto insurance. In order to comply with state laws I must maintain auto insurance at all times. When I go to register my car I have to show proof of insurance. I am validating my compliance with the law. What if I decide to cancel my insurance because it costs too much? Am I still compliant? No. Now, I still validated, but remember validation is a point-in-time while compliance is measured day by day.

Another thing to remember is that compliance, even the continuous state of compliance, does not equal security if not done right. If a company focuses on check box compliance and doing the minimum they may be able to complete the baseline audit, but does that mean they are properly managing their risk and protecting payment card data? Let me explain, I’ve asked many people, “can a firewall be used to segment a network?” Everyone agrees YES, but they are wrong. Only a properly configured firewall can segment a network. So if I check the checkbox saying that something is out of scope of the audit because it is segmented off, the question remains: was it properly segmented? Did you really eliminate known attack vectors?”

So ask yourself what your mindset is and where you are with the PCI Compliance and security realms of your business. Becoming compliant and secure takes time and some money, let’s be honest. The amount of money and time you spend will save you in the long run and here is why.

• First of all if you are hacked and something does happen with your customer’s personal and private information you could potentially be liable for the money and information lost. Also imagine the PR nightmare.
• Next think of all the sales that you are missing out on by providing trust and confidence to your visitors because you are not showing them that your site is secure and that they can trust you.

So keep all of this in mind when you are reading and pondering PCI Compliance. A suggestion would be to work with a company that can help start the process to become PCI Compliant like vulnerability scanning. A company that I would suggest is Trust Guard PCI Compliance Scanning.

“Hi, my name is Ward Spangenberg. I’m a Delivery Director with IOActive, in Seattle, Washington. Today, I’m going to talk about PCI and what it means to Europe and how it’s affecting operations in Europe. The first question you might ask is “What is PCI?” PCI stands for Payment Card Industry. That doesn’t mean much. What we’re really talking about are the Data Security Standards, so PCI DSS.

These are twelve standards requirements that are required by companies that process credit cards. We have three different types of companies that do this. We have Level 1, Level 2, and Level 3 merchants.
The merchant is based upon the number of credit card transactions that occur during a year’s span. You have anywhere from anything less than a million cards would be considered a Level 3 merchant. Anything from one million to five million is going to be a Level 2 merchant. Anything beyond five million is going to be a Level 1 merchant.

With Level 1 merchants, those are required to have a third party come in and perform an audit. That’s what I do. I’m the auditor. What happens is I have to understand all twelve of those requirements and sub-points underneath those requirements. We have things like understanding firewalls and the firewall rule sets, to actual compliance regulations. Do you have HR? Are you doing things like background checks on your employees? It’s a comprehensive baseline. This is really important to understand with PCI. It’s not the end-all/be-all of security. It’s the start of a good security program.

Why is this important to you? The big thing is a merchant, a retailer, or anybody who takes credit cards, this is important to you because it allows you to have the baseline, the beginning of a security program. As I said, it’s the requirements. We can talk about the requirements.

Requirement number one is having network diagrams. It’s amazing, today, how many companies don’t know what their networks look like. One of the first requirements is sitting down and documenting, and understanding what your network is all about, understanding what your firewalls are doing, understanding what your rules sets involved in this firewall. Are we protecting credit card data that is coming in and out through our Web applications? Are we segregating databases properly between what’s exposed on the Internet from what’s protected in the background?

You might be asking yourself, “What does this mean if I’m a grocery store or a shoe retailer?” You may not have a Web presence if you’re a grocery store, but you do still process credit cards. You’ve got a couple of hundred stores and you may be processing credit cards. You still have to follow that methodology as to how do you protect those credit cards.

Look at each store as sort of your remote branch. Are you protecting the credit card information locally, at that remote branch, and are you protecting in transit, and “in store” at your corporate headquarters before you do your batch processing?

When we look at PCI, it’s spread. It goes across merchants. If you’re processing credit cards, it’s really recommended that you understand what’s required of it. Now, you may question, “I’m interested in PCI. I think I process credit cards. Do I need to go through the PCI certification process?”

That’s pretty easy. If you’re a Level 1 merchant, then you do. You have to contact a third party. Once a year that third party will send an assessor onsite, or a group of assessors, and they will perform what should be a very exhaustive process. We’ll cover that in a second. They should cover this very exhaustive process and ask questions, and gather evidence, and at the end of that, they will write what’s called a ROC, or Report On Compliance.

The Report On Compliance is then turned in to your credit card processor, your requiring bank. They are the ones that when a credit card is swiped in your store, they’re the ones that give you authorization on that credit card. They are also the ones that move the money into your account after the sale has occurred.
If you are a Level 2, Level 3 or below, you get something kind of fun. It’s call the “Self Assessment Questionnaire”. For those in the SAQ, there are two versions of it. The newest version just came out this year and is sort of the 1.1 version of the Self Assessment Questionnaire.

Because it just came out, companies have the choice of doing compliancy to the 1.0 version or to the 1.1 version. Your first question is “What’s the difference?” The difference is that the 1.1 version is a lot more comprehensive and a lot more reflective of what a Level 1 merchant will go through.

The belief is that as Level 2 merchants grow – the whole idea is to grow our companies. As Level 2 merchants grow, they are going to become Level 1 merchants. The more comprehensive you are about your security the easier it will be, as your corporation grows, to establish yourself as a compliant Level 1 merchant.

Let’s get back to this Level 1 merchant. Once a quarter, they have this auditor come in. The auditor comes in and performs, we hope, a quality, comprehensive assessment of your organization. What does that mean? Again, it’s the twelve requirements with the subsets of those. I believe it’s 256 requirements, total, if you mean everything.

What should happen with an auditor, they should first ask the question, and then once you give them the answer, they should ask for proof. The process could include sitting down with HR and going through with HR and determining whether the process includes background checks on anyone who has access to credit card data. We can sit down with the encryption experts within your company, or your database administrators, and review how credit card information is processed, how it enters into the database, how it is dumped into the batch settlement reports, which are then transmitted to the credit card companies – usually at close of business or midnight, or however the business is transacted to occur.

That’s the comprehensive approach. There are – in the questions I receive when I speak about PCI is “We’ve had what we call check box auditors. Is that good? Is that bad?” It’s all about what risk you’re willing, and your company is willing to except. PCI is really, truthfully a risk mitigation tool. It’s not going to be the end-all/be-all to the security for your organization. It’s also not the stopping point, either. As you’ll see, each year there will be standards and new requirements associated. By having that growth pattern, where at least there is a good baseline to work with, you need to continue to process your security.
That’s some interesting things about your ROC. You’ve passed it. Everybody has signed off. You’re done. What happens? Once a ROC has been submitted and the payment inquirer, your merchant bank, has accepted the ROC as your compliance, some paperwork is exchanged and you get a certificate. You can say, “I’m PCI compliant”. What happens if, after that’s all gone through, someone gets hacked?

The first thing that happens is that you’re told by your merchant bank to contact a forensic investigator. There is a group of certain forensic investigators that are allowed to come in and perform an assessment. The first thing they do is pull that handy-dandy ROC back out and they start looking at it. They look to determine whether compensating controls that were accepted were strong enough, in terms of if the hack was associated to that. These are some important things to think about.

Again, it’s risk mitigation. Are you willing to accept the risk associated with a compensating control? Those are the things. Again, you start off; you have a baseline. You get audited to it and then you work from that. It’s a good place to start. I highly encourage companies that are processing credit cards to try to hold the standards of the PCIDSS 1.1 and to hire an external company to come in and help you determine your compliancy level, and to work with you to achieve those. Eventually, everything will be moving to those levels. The brick and mortar stores will be required to be just as safe as an online company is.
Thank you for your time.”

So there it is PCI Compliance all explained. Now of course there is more to it than that but having a PCI Compliant site will be the best thing you can do for your company and customers.

Here is a quick explanation of each of the words above and this blog will be a constant resource for your PCI Compliance Requirements needs.

PCI – Payment Card Industry is the definition of PCI. The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card.

PCI Scanning – the scanning part of PCI requirments is where a ASV certified scanner scans your website, servers, ip addresses for any potential vulnerabilities that would allow hackers to take personal or private information.

PCI Compliance Requirements – Merchants must meet the Payment Card Industry (PCI) requirements of the Visa CISP, MasterCard SDP, American Express^®DSOP, and Discover^®Card DISC standard. The requirements are set up by the PCI Security Standards Council These requirements can be very confusing hense the reason for this blog.

So again this is just a very basic explanation of PCI Compliance, so stay tuned for more great blog posts, tips, and resources on PCI Requirements.