Posts categorized "Ecommerce Security (PCI DSS)"

25 February 2008

Customer and admin accounts separated for improved security

In our ecommerce site management tool, known as the Admin Area of Total Blue System, the "Contacts" section now distinguishes between Customer accounts and Admin accounts, and the organizing tab has been renamed "User Accounts". Formerly grouped together as "contacts," the two kinds of account are now managed from separate screens, which reflects deeper changes in how the software functions.

Driven by our compliance with the Payment Card Industry's Data Security Standard (PCI DSS), and timed to coincide with the conclusion of our compliance audit, admin accounts are now managed separately and more strictly than customer accounts, because admin accounts can grant access to sensitive order payment details.

Here are some notable changes:

  • You cannot log in to the public side of the website (the customer's My Account area) using an admin account. Only customer logins gain entry to the My Account area now.
  • Passwords for your Admin Area account are now encrypted. We cannot know them or help you recover them. If need be, a password can only be reset to restore access.
  • If you forget your Admin Area login details, you've got about 5 chances to enter the correct username and password. After that, you'll be locked out of the Admin Area for a period of time. This helps prevent what are known as brute-force or dictionary attacks.
    • If you need further assistance after being locked out of your account, you can contact another Admin Area site manager or E-business Coach's tech support team for assistance unlocking your account. Direct the person helping you to edit your account in the Admin Area and follow the prompt to unlock the account.
  • The login URL for the Admin Area has changed slightly. The separate post on the updated login URL explains the change, which may make it easier to log in.
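The three account rules above (separate customer and admin account kinds, passwords stored one-way so they can be reset but never recovered, and a lockout after about five failed attempts) can be shown together in a small model. The following Python is an added example written for this page; it is not Total Blue System code. The fifteen-minute lockout window is an assumed value (the post says only "a period of time"), and refusing customer accounts at the Admin Area form is assumed, since the post states only that admin accounts are refused at My Account.

```python
import hashlib
import hmac
import os
import time

# Taken from the post: roughly five chances before lockout.
MAX_FAILURES = 5
# Assumed value: the post only says "a period of time".
LOCKOUT_SECONDS = 15 * 60

# Which account kind each login form accepts. The post states that My Account
# takes customer logins only; refusing customers at the Admin Area is assumed.
AREA_ACCEPTS = {"my_account": "customer", "admin": "admin"}


class AccountStore:
    """In-memory user store with separate account kinds, one-way password
    storage, failure counting and timed lockout (illustrative only)."""

    def __init__(self, clock=time.time):
        self._accounts = {}
        self._clock = clock  # injectable so the lockout window can be tested

    @staticmethod
    def _derive(password, salt):
        # One-way derivation: the stored value cannot be turned back into the
        # password, which is why support can reset it but never read it.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def create(self, username, password, kind):
        if kind not in ("customer", "admin"):
            raise ValueError("kind must be 'customer' or 'admin'")
        salt = os.urandom(16)
        self._accounts[username] = {
            "kind": kind,
            "salt": salt,
            "hash": self._derive(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username, password, area):
        """Return 'ok', 'invalid', 'wrong_area' or 'locked'.

        A real login page would show one generic message for 'invalid' and
        'wrong_area'; the distinct codes here are for logging and tests.
        """
        acct = self._accounts.get(username)
        if acct is None:
            return "invalid"  # same answer as a wrong password
        now = self._clock()
        if acct["locked_until"] > now:
            return "locked"  # refused even if the password would be right
        if acct["kind"] != AREA_ACCEPTS[area]:
            return "wrong_area"  # admin account at My Account, or vice versa
        candidate = self._derive(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["failures"] = 0
            acct["locked_until"] = 0.0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
            return "locked"
        return "invalid"

    def unlock(self, username):
        """What another site manager does from the Admin Area edit screen."""
        acct = self._accounts[username]
        acct["failures"] = 0
        acct["locked_until"] = 0.0

    def reset_password(self, username, new_password):
        """Support can set a new password; nothing can return the old one."""
        acct = self._accounts[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = self._derive(new_password, acct["salt"])


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "s3cret", "admin")  # constructed sample account
    print(store.login("alice", "s3cret", "my_account"))  # wrong_area
    for _ in range(MAX_FAILURES):
        print(store.login("alice", "guess", "admin"))  # invalid x4, then locked
```

Note that the lockout check runs before the password is examined, so a correct password submitted during the window is still refused, and that a wrong-area attempt is rejected without counting toward the lockout, which keeps an admin who picks the wrong form from locking their own account.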

There are other significant, sometimes subtle changes going on as we complete our PCI audit. Find out more by reading those posts categorized as ecommerce security.


Updated login URL for Admin Area, site maintenance

Total Blue System's ecommerce software includes a full-featured Admin Area, enabling site owners to maintain their site's catalog and content from within a web browser. The login URL to the Admin Area that you ought to bookmark is https://www.yourdomain.com/admin/ and that will remain the same after this latest software system update. But there is the potential for confusion when logging in, as the redirect from https://www.yourdomain.com/admin/ to the form where you enter your username and password will change effective 26 February. The changes are part of a number of security enhancements related to our compliance with the Payment Card Industry's Data Security Standard (PCI DSS). Learn more in posts categorized as ecommerce security.

Whether you have a problem logging in will depend much on whether you use a password manager tool (we recommend RoboForm and 1Password), rely on your web browser to save and manage your passwords, or type directly in the form fields.

Here are some tips on how to log in if you don't know your password and the software you use to manage your password seems confused by the updated login URL:

  • View and edit your password from within the software you use as your password manager. Once you fetch your password, enter it directly into the form by manually typing it into the fields. As you submit the form to log in, you'll be prompted to save this information. Choose to save the login details; this ought to update your saved URL and make it easy to log in next time.
    • In the Firefox web browser, for example, you can go to Edit -> Preferences. Then choose Show Passwords and find the URL of your website's admin area. Then enter the password as you see it there into the form fields for the Admin Area login. Try a similar process if you use Microsoft's Internet Explorer.
    • In 1Password, you can edit the URL that's saved. In this case, the old URL may look like https://www.yourdomain.com/admin/signin.php. Instead, change it to just https://www.yourdomain.com/admin/
    • In RoboForm, you can't typically edit the URL. But you can view the password and then manually enter it into the form field. Upon form submission, you can save a new "passcard" to use the next time.
  • If at least one person in your company who has Admin Area access does know his or her password, then the others who do not can ask that person to update their passwords from within the Admin Area. Go to "User Accounts" then "View / Edit Admin Accounts". Choose to edit the admin user in question. You can enter a new password in the so-named field and save your changes.
    • Just remember that communication of the new password needs to be in person or by phone and never by email. The sensitivity of the password excludes email as a means of communicating it, unless the email message itself is encrypted.
  • If none of the above options are working or make sense, then contact our technical support team for assistance. We can reset your password for you if you have an existing account. (We cannot tell you your existing password, as it's encrypted and not available to us.)

19 December 2007

PCI computer and network security audit, on-site Day 2

Moving into Day 2 of our PCI on-site audit, there's a full schedule ahead. Yesterday's Day 1 proceeded well enough, but the auditor wouldn't be an auditor if he didn't find something to be given more attention or improvement. So as we follow up on the further enhancements itemized on Day 1, here's what we're looking forward to today:

  • Analysis of our network and software application topology, which means a map of what data goes where, and how.
  • The overall transaction flow for payment information will be examined and vetted for integrity. So, too, will be our internal business processes and those of our merchants, insofar as we as the service provider automatically hand off payment details of an order for processing by the merchant.
  • More firewall configuration examinations today, as details matter when it comes to who gets in, who doesn't, and who can even observe what exists behind the wall.
  • Examination of how, exactly, sensitive payment information is stored after being collected through the shopping cart. Of course, it's encrypted. But this audit actually involves line by line examination of our software's code for doing so, and then some.
  • The auditor will assess how our systems monitor access to all parts of the network, and log data about who does what with any sensitive payment or cardholder information. To use an analogy, a hardened wall is insufficient, there are also prying cameras recording what happens on the inside.
  • Configuration standards will be given more attention again today. It's fortunate that, for the part of our operations we rely on our hosting partner Rackspace for, they're well vetted in terms of business process controls and accountability, having been certified to the SAS 70 standard for many years. That's insufficient on its own for the PCI standard and for our own operational processes, but it helps.
  • Audit of our anti-virus, spyware and adware systems as a defensive measure against external attacks. As it turns out, this is less of an issue as our ecommerce hosting runs on a hardened Linux operating system, specifically Red Hat Enterprise. And most of our team's personal computers are either Macs or Linux, which are comparatively less of a target than Windows.

And the march goes on.

18 December 2007

PCI computer and network security audit, on-site Day 1

As our turn-key ecommerce package includes software and web hosting, Total Blue System bears much responsibility for ensuring merchants can operate it in compliance with data security standards. Obligations for merchants who collect credit cards and other sensitive payment information are defined in the Payment Card Industry's Data Security Standard (PCI DSS). To demonstrate our compliance as a qualified service provider to merchants, we've arranged an audit by a security consulting firm, SecurityMetrics.

Today's the big first day of our on-site audit, where the auditor will personally inspect servers in our data center and much, much more. Visa, Mastercard and American Express require this on-site audit for the largest companies that qualify as a payment gateway, plus anyone who's ever experienced a data compromise event. That "event" is industry lingo for being hacked, cracked, or otherwise had credit card numbers exposed. And that's our sad story, going back to 2005.

Now it's time for a redemption, of sorts. Today's the day our myriad preparations for an incredibly secure ecommerce hosting environment and software application are put to the test. Tests and probes actually started in November, but today's symbolic as the first on-site. On the agenda:

  • Examination of our system's firewalls, switches, and overall network configuration.
  • Tour of the world-class data center operated by Rackspace that manages our hardware and terrific network, including auditing of access controls and physical security.
  • Examination of our security systems, including tests of our intrusion detection system and logging devices.
  • Assessment of our system configuration standards and related business processes.

It's not sexy, but it's certainly thorough. We're feeling breathless all the same, either out of exhaustion in getting ready for it all, or in anticipation of being crowned worthy. For our merchants, this gives you the confidence to know our security efforts are validated and your compliance, via our compliance, is going to be certified.