Making your website secure
Your e-commerce website is your electronic shop. To make the most of it, you want it to be open 24 hours a day, seven days a week. But you also want people to use it, and the key to that is to give people a sense of security. The truth is, using an e-commerce web site is no more or no less secure than using a telephone, and...
people no longer balk at handing over their credit card details over the phone. However, although it is mainly a matter of educating people to understand that, making everything as secure as possible at all times is a necessity.
People think nothing of giving out their credit card details over the phone, or handing over their cards to a waiter in a restaurant when paying the bill. Both practices are inherently insecure, but people accept the risks. Customers have to take a judgement call on whether the transaction is secure. The risks over the phone or in shops and restaurants is an understood one. However, the relative novelty of the Internet means that many people don't have enough information to make this decision. That's why you have to give them that information.
Key practices for preventing security lapses
It is surprising how many website operators and Internet users fail to implement basic security measures - measures which are business as usual on a standard network. The majority of hackers gain access because the victim has used an obvious password, so steer clear of birthdays, names of family members and company names. For example, so many people use PASSWORD as their password: especially with guest IDs or newly set up IDs. Either use randomly generated passwords, or enforce a password policy which prevents the use of obvious words: making sure that passwords use numbers as well as letters is one easy method. You should also remember to change passwords when an employee leaves your business, especially if they left on bad terms. Also, as a matter of good practice, you should change passwords on a regular basis: once a month is usually adequate for most purposes. Although it rarely happens, passwords shouldn't be written down. It is better to store all passwords in one secure place rather than on pieces of paper or distributed within a number of files.
Such basic security rules lay the groundwork for the rest of your security policy - which is where you will need some help.
1. Consult with experts or your ISP/Web hosting company about your site's security
To begin with, the best sources of introductory security come from those companies with which you trade. It only takes a day or so to make a few telephone calls, read some manuals, or make some email inquiries to cover all the basics. You are looking for any hints or tips on any specific problems that your partners have encountered. If you decide to run your own site, you must install your own security measures. This can be a daunting though necessary task. A good Web consultant can guide you through the basics.
However, this is only the beginning. With the best will in the world, it is always better to get external advice when formulating your security policy. Today, there are many companies that specialise in running security audits against your organisation, pointing out what needs to be done to secure your network or your web site. Running a risk analysis is vitally important: too many companies either forget to do it, or choose not to in order to save money. It is a false economy, and one that far too many companies are currently ruing having realised that their penny-pinching has led to their systems actually being wide open to hackers. A comprehensive risk analysis will indicate what hardware and software you need, where it should be installed, and what security strategies should be undertaken. Some companies will even install the necessary hardware and software for you.
2. Encryption equals protection
Customers of your site will be reassured if they know that any information they enter is encrypted. Encryption allows you to scramble information with a mathematical formula that is nearly impossible to break without the proper formula (known as a "key"). The important word there is "nearly": there are hackers who claim to be able to crack any encryption algorithm that you throw at them. However, most encryption will make your site more secure than a telephone or fax, which should be sufficient to reassure most people. By using encryption to receive and transmit private and sensitive information, you can protect yourself against programs (sniffers) that intercept Internet communications. If messages are encrypted, the programs can sniff all they want but won't be able to decrypt the stolen information. Encryption is implemented by using technologies such as SSL (Secure Sockets Layer) and SHTML (Secure-HTML), with Web forms to protect their transmission to your server. Encryption can also be used in your email package through a technology called S/MIME (Secure/Multipurpose Internet Mail Extensions).
Your server must be equipped to implement encryption. Many Web hosting companies have special servers to allow for secure order forms. If you don't use a hosting company, you must implement Secure Sockets Layer (SSL) and associated certificates on your own. That requires getting a compliant server (most major servers are compliant) and applying to a certificate authority such as VeriSign, distributed by UK distributors. Once again, this is something that a security analyst can advise.
3. Educate customers
This is the key to everything: customers must be educated about how they can best protect themselves. This can be done through installing a "frequently asked security questions" page on your website. Questions include the name of the customer's mother's middle name. You should also include security measures that customers can include within their e-commerce site to ensure privacy.
Ordering a digital certificate isn't difficult. Simply visit the order page of any major certificate authority, choose a server certificate, and follow the instructions. After setting up your site with a digital certificate and a secure SSL server, you will need to develop a system to move information from the site to a form in which you can process it.
Once you have customers who understand what the actual risks are, rather than the preconceived risks, they will be happier using your site.
4. Credit card fraud
Credit card fraud is likely to be the most common type of crime that you will encounter. It could either be someone who illegally obtained a credit card number, or a person such as a child using an unauthorised credit card. Avoiding credit card fraud simply takes a bit of know-how and extra effort.
Again, this is a matter of education: this time for you. Credit card fraud over the Internet is no different from credit card fraud in the high street. If in doubt, contact the credit card company for verification.
Using Internet Technology
Secure Sockets Layer (SSL)
This provides sound privacy protection by encrypting the channel between the consumer and the retailer. SSL is sufficient security when doing business with stores you know and trust because the data sent over the channel is secure. To find out if your transaction is secured by SSL, check for the unbroken key or closed lock symbol in the frame of your browser window. Or, check the shop's URL ( it should change from "http" to "https" when processing secure transactions. Both Netscape Navigator and Microsoft Internet Explorer browsers use SSL.
Visa has partnered with other industry players to develop Secure Electronic Transaction, SET. SET is a method for maximum online payment security. In addition to encrypting payment information, SET makes online transactions even safer by using digital certificates to verify that both buyers and sellers are authorised to use and accept Visa cards. It's the electronic equivalent of a consumer looking for a Visa sign in a shop window, and a shop checking the consumer's signature on the back of a Visa card.
SET provides a way for cardholders and retailers to identify each other before a transaction takes place. This reassures both parties that the payment will be handled in the same way as a conventional payment.
This authentication process uses electronic forms of identification known as digital certificates that are issued to cardholders and retailers by Visa's member financial institutions. SET also incorporates the use of public key cryptography to protect the privacy of personal and financial information. As a result, with SET, consumers' payment card information is protected all the way to the financial institution. The seller cannot read this information in the payment transaction.
With SET, cardholders can validate that the Internet retailer is legitimate through the retailer's digital certificate. SET software automatically checks a shop has a valid certificate representing their relationship with their financial institution. This provides consumers with the confidence that their payments will be handled by Visa. While the underlying process for SET transactions is complex, an Internet purchase can be processed, authorised, and completed in a matter of seconds.
SET consists of four main sections:
1. Cardholder "wallet" software:
This software allows cardholders to make secure purchases via an easy point-and-click interface and to communicate with the retailer's SET software automatically to verify the retailer's certificate and relationship with a trusted financial institution. This software also administers and maintains the cardholder's digital certificates. A consumer's digital certificate is an electronic representation of his or her payment card. It saves encrypted information about the cardholder, account, and certificate issuer. SET-enabled digital wallets will be made available through several approved vendors online, in new versions of popular browsers, and may be provided by financial institutions.
2. Cardholders obtain digital certificates.
Cardholders must first contact their financial institution for registration procedures. Visa provides digital certificates to a card-issuing financial institution, which then provides a digital certificate to the cardholder. At the time of the payment transaction, each party's SET software validates both the retailer and cardholder's digital certificate before payment information is exchanged.
3. Cardholders and retailers conduct a shopping dialogue.
When you make a decision to purchase an item online, the retailer sends an order form together with its retailer certificate. You simply select the payment card you want to use, and your software application automatically sends the related certificate when you place your order. Payment instructions are created by the cardholder software and sent to the retailer fully disguised, using public key cryptography, so that the retailer cannot see the payment card information until the retailer's financial institution decrypts it.
Note that it is possible for cardholders to shop securely using SET without digital certificates. While this limits the retailer's ability to authenticate the cardholder, the SET payment transaction will still be completed according to specifications.
4. Authorisation and settlement process.
Once the purchase and payment information has been safely received, the retailer's financial institution requests an authorisation from the cardholder's financial institution, just like retail transactions are handled today. Once authorised, the retailer can confirm the sale to the cardholder. Clearing and settlement take place just as they do for today's payment card transactions.
Even if all of the technical elements of e-commerce transaction security are in place there may still be reluctance to enter into e-commerce. When all the safeguards are in place, rendering any transaction safe from the joint perspectives of both the vendor and the buyer, there must still be a mutual perceived feeling of security or transactions will not be done via the Internet when other, safer feeling, routes are available. The problem for vendors is therefore not only one of technical safety but also perceived safety.
The education of consumers is likely to be as daunting as the technical hurdles and will take the resources of the major banking and credit card institutions as well as the continued efforts of e-vendors to achieve. There is no single solution that renders e-commerce secure but a layered approach and continued vigilance will eventually make e-commerce acceptable to even the most wary buyers.