Saturday, April 30, 2005
E-Commerce Sites Forced To Adopt Security Standards
Online retailers will be forced to tighten security and improve their handling of customer data under new rules being introduced by the credit card industry to stop identity theft. From June 30, all e-commerce sites with internal systems that process, store or transmit cardholder information will have to comply with the Payment Card Industry (PCI) Data Security Standard or face significant fines. In extreme cases, online merchants could be banned from processing transactions using payment cards.
Security Audit: Backed by MasterCard, Visa, American Express, Diners Club and JCB Cards, the standard requires Internet retailers to carry out a 12-step security audit, which will be certified annually and checked every three months. Introduction of the standard follows a series of security breaches that resulted in the theft of credit card details.
Last week, HSBC North America warned 180,000 customers who use its General Motors-branded MasterCard to cancel their cards, after faulty electronic sales systems at clothes retailer Polo Ralph Lauren accidentally stored their financial details instead of deleting them. Data wholesaler Lexis Nexis has also reported security breaches of customer databases, after hackers gained access to its systems. "If credit card information gets exposed there's a huge cost factor involved for the banks, because there are heavy overheads in terms of replacing them," said Gerhard Eschelbeck, chief technology officer at security software firm Qualys.
Security Steps: To combat the loss of payment card information to hackers, e-commerce sites will have to comply with 12 security requirements to achieve certification.
Here is a list of these procedures:
- Installation and maintenance of a firewall.
- Do not use vendor default passwords on IT products.
- Strong protection of stored data.
- Encryption of cardholder data transmitted over public networks.
- Installation and regular updating of anti-virus software.
- Development and maintenance of secure systems and applications.
- Controls restricting access to data on a need-to-know basis.
- Unique identity authentication assigned to each person accessing computer systems.
- Restrictions on physical access to cardholder data.
- Regular monitoring and tracking of network resources and cardholder data.
- Frequent testing of security systems and processes.
- Maintenance of an information security policy.
Stephen Orfei, senior vice president and head of the MasterCard E-Commerce Centre of Excellence, said: "The standard reflects our commitment to helping customers and online merchants evaluate and improve the security of their Web sites." The PCI Data Security Standard will also help converge the different security standards demanded by Visa, MasterCard and American Express, says Avivah Litan, research director at analyst Gartner.
Costly Compliance: "This will simplify the compliance process, but achieving compliance with these standards can still be very costly for merchants and acquiring banks," she said. "The more the process can be streamlined and automated, the easier it will be for everyone."
To help make the auditing and certification process less expensive for e-commerce firms, MasterCard is appointing a series of vulnerability assessment firms to carry out the approval process. This week the card giant announced the appointment of security software firm Qualys as its first automated compliance tester for the MasterCard Site Data Protection scheme, which uses the standard.
Internet retailers will be able to use QualysGuard software to carry out quarterly network scans and annual assessments, and regularly detect and fix flaws. "Larger firms may already have protected themselves as part of their vulnerability management processes," said Eschelbeck. "But you need to think about all of the small firms that don't have an IT security department."
Small e-commerce firms will be able to buy the basic software for US$495, with a full service costing $2,495.
Credit Card Numbers: The credit card industry hopes the tighter security demanded by the standard will lead to fewer stolen credit card numbers circulating on the Internet. MasterCard's Operation StopIT initiative, aimed at reducing phishing and identity theft, has already detected and removed 34,500 stolen credit card numbers being traded over the Internet. Lloyds TSB has backed plans for a standard to physically authenticate Internet customers. The High Street bank is working with banking industry group the Association for Payment Clearing Services (Apacs) to develop the security standard, which will be available from next month.
The bank's decision follows announcements from HSBC, The Royal Bank of Scotland and Barclaycard that they are looking at introducing physical security devices to combat phishing and other forms of identity theft targeting Internet banking customers. "When key-logging software first appeared which tried to steal information we introduced new password procedures, and now two-factor authentication is something we're looking at," said Matthew Timms, Internet channel director at Lloyds TSB.
Standards Pending: But the company stresses that any standards introduced must be compatible across Internet banking and card-not-present transactions. "One of the critical factors will be customer adoption," said Timms. "We need to balance security with the fact that consumers might not want to use it if it's too much of a hassle." The industry also needs to do more to educate online banking customers about the potential risks when using the Internet, says Timms.
"Consumer awareness is still low, and there are people that still fall for phishing scams. We are also seeing more trojans trying to capture passwords," he said. "People need to know firewalls and anti-virus updates are critical."
Brought to you by Guardian eCommerce.