Is your online auction software vendor secure?
With more spring events being canceled, charities are looking to move their auction online.
Mobile bidding and online auction software lets bidders bid from anywhere, even when a physical event is not going to happen. But when auctions are run online with access over the Internet, security becomes paramount. Certainly your guests do not want their private information or credit card information compromised.
So the question to you is this: Is your mobile bidding auction partner secure?
How would you even know? This quick guide will help you determine the security of your provider and also understand the risks of working with them if they fall short of the current standard.
1st - How can you tell if your auction software vendor is secure?
Asking them probably won’t yield a real response. It’s best to evaluate them.
Standards exist that help mobile bidding companies like Handbid determine if they are secure. These standards establish whether a company is doing the things that it “should” do in order to secure its critical and private information. There are a few standards that apply here:
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card companies (Visa, MasterCard, Amex, Discover).
There are four levels of compliance that range from Level 1 (merchants that process over 6 million transactions per year) down to Level 4 (fewer than 20,000 eCommerce transactions per year). Level 1 does not necessarily mean that the organization is “more secure” than Level 2, but its annual requirements for monitoring and compliance are certainly higher. Merchants at every level must meet the requirements for that level. You just need to make sure your mobile bidding provider is compliant based on their level.
How will you know? Ask them for their third-party audit report or self-attested Attestation of Compliance document.
Data Security and Privacy of Personal Information
While PCI compliance will help ensure that credit card data is securely transmitted to merchant gateways, there is other data that your mobile bidding provider collects, such as people’s names, email addresses, cell phone numbers, mailing addresses, etc. This information is considered personally identifiable information (PII) and should be secured. How can you be sure that your mobile bidding provider is properly securing this data?
Review your provider’s security policy
Security policies help an organization like Handbid assess its current capabilities regarding data privacy and security against recommended standards, and implement the processes and controls needed to ensure that customer data is adequately protected.
Your mobile bidding provider should have a security policy that they are able to share with you. This policy should give you a good indication of whether they prioritize the security of your data.
What does a security policy cover? It dictates how a company manages security and handles private information like your guests’ PII. Does your provider print out guest lists and leave them around the office or toss them in trash cans? Are your provider’s employees and software developers properly trained on security measures and coding best practices? A security policy will address all of these things and much more.
How will you know? Ask them for their security policy and review it
2nd - So they have a policy and a PCI-DSS compliance document, but are they following it?
Look for common indicators that your provider is not following the rules.
Security compliance is “easier said than done.” Look for evidence that your provider is actually following the rules. Some common areas we see that tell us that many mobile bidding providers are not:
Insecure public interfaces
Check their SSL certificates and look for security issues. We love the SSL Checker from Qualys SSL Labs. It will evaluate your vendor’s web interface and identify security issues. Your provider should get an “A” if they are following the rules. What do we see with many of the mobile bidding providers out there? A score of B or lower, unfortunately. Most score low because they still support outdated (insecure) protocols, in violation of their PCI compliance obligations.
Do they require your bidders to have a password? Do they expire those passwords? Do they have restrictions on the types of passwords that can be used? We all hate passwords, just like we hate removing our shoes to go through airport security. But we should respect the need for them. While your guests may prefer an easy registration that requires no password, they certainly won’t appreciate their personal information getting stolen from your mobile bidding provider’s systems. In fact, we know of some mobile bidding providers out there that do not require any password at all, leaving their guests’ personal information available to anyone who goes to the bidding site! Yikes!
Check for clues: Sites that allow insecure protocols, no passwords, etc.
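The Qualys test above covers certificates, ciphers and protocols in one report; the protocol part of that check (does the bidding site still accept TLS 1.0 or 1.1?) is also easy to reproduce yourself. The following is an added Python example, not Handbid’s code and not from the original post: it pins a handshake to each TLS version in turn and grades the result the way this section suggests, with any accepted legacy protocol counted as a finding. The hostname `bidding.example.org` is a placeholder for your vendor’s bidding site; the probe needs network access, while `assess()` grades any result map offline.

```python
import socket
import ssl
import sys

# Protocol names keyed by the ssl module's TLSVersion enum (Python 3.7+).
VERSIONS = {
    ssl.TLSVersion.TLSv1: "TLS 1.0",
    ssl.TLSVersion.TLSv1_1: "TLS 1.1",
    ssl.TLSVersion.TLSv1_2: "TLS 1.2",
    ssl.TLSVersion.TLSv1_3: "TLS 1.3",
}
LEGACY = ("TLS 1.0", "TLS 1.1")   # the outdated protocols the article warns about
MODERN = ("TLS 1.2", "TLS 1.3")


def probe_version(host, version, port=443, timeout=5.0):
    """Return True if `host` completes a handshake pinned to exactly `version`.

    Certificate verification is deliberately disabled: this probe asks only
    whether the server *accepts* the protocol, not whether its certificate is
    trusted (the Qualys report covers both).
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Modern OpenSSL refuses legacy protocols at its default security
            # level; lower it so a refusal really comes from the server.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # LibreSSL and older builds do not know SECLEVEL; keep defaults
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True  # wrap_socket completed the handshake
    except (ssl.SSLError, OSError, ValueError):
        # Handshake rejected, connection failed, or this OpenSSL build has the
        # protocol compiled out; in every case the version cannot be negotiated.
        return False


def scan(host, port=443):
    """Probe every TLS version and return {protocol name: accepted?}."""
    return {name: probe_version(host, ver, port) for ver, name in VERSIONS.items()}


def assess(support):
    """Turn a {protocol name: accepted?} map into (passes, list of findings).

    A vendor passes when no legacy protocol is accepted and at least one
    modern protocol can be negotiated.
    """
    findings = []
    for name in LEGACY:
        if support.get(name):
            findings.append(f"accepts {name}, an outdated protocol that should be disabled")
    if not any(support.get(name) for name in MODERN):
        findings.append("no modern protocol (TLS 1.2 or 1.3) could be negotiated")
    return (not findings, findings)


if __name__ == "__main__":
    # Usage: python tls_probe.py bidding.example.org [port]
    # The default hostname is a placeholder; substitute your vendor's site.
    target = sys.argv[1] if len(sys.argv) > 1 else "bidding.example.org"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = scan(target, port)
    passes, findings = assess(results)
    for name, accepted in results.items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
    print("PASS" if passes else "FAIL: " + "; ".join(findings))
```

Run it against the exact hostname your bidders will use (the login page, not the marketing site), and keep in mind that a "refused" result for TLS 1.0 or 1.1 on a machine whose OpenSSL has those protocols compiled out says nothing about the server; the Qualys report remains the authoritative answer for the questionnaire below.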
Know this! Handbid Takes Security Seriously!
We go through extra efforts to secure your client’s data and protect your reputation
There is nothing easy (or even fun) about security. It makes things harder to do for us, for you, and for your guests. But in this day and age, it’s necessary to take it seriously. Please know that no company is 100% secure. The government has been hacked as have really well-known online companies. However, most hackers tend to gravitate towards the sites that are a breeze to compromise, just like the thief canvassing a neighborhood would rather break into the house with the unlocked front door. Don’t make it easy for them. They will find somewhere else to go.
Here are the things that we do at Handbid to comply with security guidelines:
- We are PCI compliant and can provide our attestation of compliance. In fact, we adhere to a higher standard of compliance than our merchant provider requires. Why? Because it forces us to be better.
- We have a documented security policy based on the NIST Cybersecurity Framework (CSF). This framework is a well-respected tool that helps organizations like Handbid understand their current capabilities and prioritize improvements to cover critical gaps.
- We have a documented Business Continuity and Disaster Recovery Plan that has been tested. If your mobile bidding provider’s site has gone down, is there a failover plan to a remote location? Has your vendor tested that?
- We eliminate support for insecure browsers and operating systems. Sure, we got some flak from clients and their guests when we dropped support for IE 11 and Android 4.x. However, those platforms are very old and no longer secure. Interestingly, some of our competitors still support them.
Here is a Mobile Bidding Provider Security Questionnaire
Send these questions to your mobile bidding provider or online fundraising solution
- Are you PCI compliant? What Level? Please provide a current attestation of compliance.
- Do you have a documented security policy? Is it based on a common framework (e.g., NIST CSF)? Please provide a copy of your policy.
- Do you have a documented Business Continuity and Disaster Recovery Plan that has been tested? Please provide a copy of this plan and an explanation of how your disaster recovery/failover procedures work.
- Do you support TLS 1.0 or TLS 1.1 connections? Please run the Qualys SSL Labs SSL test against the bidding interface our bidders will use, and let us know what your score is.
- Do you have an incident response plan? Please explain how we will be notified of any security or data breach.
- Do you require your end users as well as your auction managers to log in with a password? Describe your password requirements, including expiration, length, password reset, etc.
- Who are your merchant providers? How is credit card information captured and where is it stored? Please provide an indication from your merchant provider that you are in compliance with their standards and policies.